Hello Strudel,

Please remove the 'ssl_bump client-first all' directive from your squid.conf because the 'include "/opt/qlproxy/etc/squid/squid.acl"' already contains 'ssl_bump server-first all' (or should contain it).

This file is generated from the Web UI of Diladele when you click the "enable SSL filtering for all sites" setting. By default, though, it is set to 'off' to comply with legal regulations in some countries.

It would also be nice if you could post the contents of it either here or in a private e-mail to me, so as not to pollute the overall discussion.

Best regards,
Rafael Akchurin
Diladele B.V.
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf of apfelstrudel <apfelstrudel@xxxxx>
Sent: Thursday, October 16, 2014 10:13 AM
To: squid-users@xxxxxxxxxxxxxxx
Subject: ssl-bump doesn't decrypt https traffic - please help

Hello.
I am trying to get ssl-bump to decrypt https traffic transparently so that I could filter out adult videos from youtube and globally enforce google safesearch on my network with diladele web safety. I also want to run dansguardian to filter http. I managed to pass https traffic transparently to squid, but ssl-bump doesn't decrypt it. In the logs I can see the https websites, but in an encrypted form of website's.ip.address:port (45.231.21.56:443 for example) instead of the https url (like https://youtube.com). That means that the traffic is still encrypted and, because of that, diladele can't filter https.

The squid is installed on an eee pc netbook with fedora 20 installed. This machine is also my router and network gateway. 172.16.34.254 is the ip on which the netbook "sees" the internal network, which consists of: 1 tp-link router directly connected to the eee. That router is connected wirelessly (Wi-Fi antenna) to the second TP-Link router (bridge) in my house. The bridge router is then connected by an ethernet cable to another router to which my devices finally (phone, tablet, pc, printer) connect. So in summary:

My device (PC, tablet, phone) ----> Router (Netgear) ----> TP-Link Bridge Router ------> Router (TP-Link) ----> Network gateway/router (eee pc running fedora 20) with squid installed.

With the current configuration dansguardian works (http), diladele web safety works (only http) and the https traffic is passed transparently through squid, but not decrypted:
172.16.34.253 TCP_MISS/301 848 GET http://pl-pl.facebook.com/ - HIER_DIRECT/31.13.93.97 text/html
172.16.34.254 TCP_MISS/200 50622 CONNECT 2.22.52.26:443 - HIER_DIRECT/2.22.52.26 -   <----- this should be https://pl-pl.facebook.com but ssl-bump doesn't decrypt traffic.

The IP addresses at the beginning of each line are different because http requests go from dansguardian internally. The https requests go directly from my internal network.

Here's my squid.conf:
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7	# RFC 4193 local private network range
acl localnet src fe80::/10	# RFC 4291 link-local (directly plugged) machines
acl to_localhost dst 127.0.0.1/8
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access allow all
http_access allow CONNECT
http_access allow to_localhost

include "/opt/qlproxy/etc/squid/squid.acl"

# Squid normally listens to port 3128
# Dansguardian's port:
http_port 3125
# HTTPS ports, required by diladele web safety:
http_port 3126 intercept
https_port 3127 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
always_direct allow all
ssl_bump client-first all

# certificate storage manager
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

refresh_pattern ^ftp:		1440	20%	1008
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

# Squid-Diladele integration:
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all

# squid shutdown faster
shutdown_lifetime 3 seconds

--------------------------------------------------

And here are my iptables:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ssh
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# dansguardian
-A INPUT -i p33p1 -p tcp --dport 8080 -j ACCEPT
# squid https
-A INPUT -i p33p1 -p tcp --dport 3128 -j ACCEPT
# 3127 - for intercepted https traffic for Squid
-A INPUT -i p33p1 -p tcp --dport 3127 -j ACCEPT
# squid - allow the redirected traffic from port 443 to 3128
-A INPUT -m mark --mark 1 -j DROP
# squid - block direct connections to port 3128
-A INPUT -i p33p1 -p tcp --dport 3128 -j REJECT
# connected streams
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -j LOG --log-prefix "DROPPED_INPUT: "
COMMIT

*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# all queries go to OpenDNS FamilyShield:
-A PREROUTING -p udp -i p33p1 --dport 53 -j DNAT --to-destination 208.67.222.123:53
# redirection of internal network's http traffic to dansguardian:
-A PREROUTING -p tcp -m tcp -i p33p1 -s 172.16.34.254/32 --dport 80 -j REDIRECT --to-ports 8080
# https redirection to squid
-A PREROUTING -p tcp -m tcp -i p33p1 -s 172.16.34.254/32 --dport 443 -j REDIRECT --to-ports 3127
#NAT
-A POSTROUTING -s 172.16.34.252/30 -j MASQUERADE
COMMIT

*mangle
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i p33p1 --dport 3128 -j MARK --set-mark 1
-A PREROUTING -p tcp --dport 80 -s 127.0.0.1 -j ACCEPT
-A PREROUTING -p tcp --dport 80 -s 172.16.34.253 -j ACCEPT
COMMIT
# Completed

I also tried running squid with the squid -d 10 command but no errors were found:
2014/10/16 10:08:46 kid1| HTCP Disabled.
2014/10/16 10:08:46 kid1| Squid plugin modules loaded: 0
2014/10/16 10:08:46 kid1| Adaptation support is on
2014/10/16 10:08:46 kid1| Accepting HTTP Socket connections at local=[::]:3125 remote=[::] FD 21 flags=9
2014/10/16 10:08:46 kid1| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3126 remote=[::] FD 22 flags=41
2014/10/16 10:08:46 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9
2014/10/16 10:08:46 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3127 remote=[::] FD 24 flags=41
2014/10/16 10:08:47 kid1| storeLateRelease: released 0 objects

How can I get squid to decrypt https traffic with this configuration? Any help will be much appreciated.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
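As an added illustration of the point made in the reply above (this is not code from the thread or from Diladele): a small Python audit that walks a squid.conf, follows its include directives, and lists every ssl_bump rule in the order squid evaluates them, flagging mixed modes and rules shadowed by an earlier rule that matches all. The file paths and contents are constructed stand-ins for the poster's squid.conf and squid.acl.

```python
import re
from pathlib import Path

# Constructed stand-ins for the poster's files (not their real contents): the
# main config includes the Diladele ACL file, and each carries its own ssl_bump.
CONSTRUCTED_FILES = {
    "/tmp/demo/squid.conf": (
        'include "/tmp/demo/squid.acl"\n'
        "http_port 3128 ssl-bump cert=/tmp/demo/myca.pem\n"
        "ssl_bump client-first all   # leftover from an older setup\n"
    ),
    "/tmp/demo/squid.acl": "ssl_bump server-first all\n",
}

INCLUDE_RE = re.compile(r'^include\s+"?([^"\s]+)"?')


def collect_ssl_bump(path, read=lambda p: Path(p).read_text(), seen=None):
    """Walk a squid.conf, descend into include files, and return ssl_bump
    rules as (file, line, text) in the order squid evaluates them."""
    seen = set() if seen is None else seen
    if path in seen:                          # guard against include loops
        return []
    seen.add(path)
    rules = []
    for lineno, raw in enumerate(read(path).splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        m = INCLUDE_RE.match(line)
        if m:
            rules += collect_ssl_bump(m.group(1), read, seen)
        elif line.startswith("ssl_bump "):
            rules.append((path, lineno, line))
    return rules


def audit(rules):
    """Findings for client-first/server-first/none style rules (as in the
    thread): mixed modes, and rules shadowed by an earlier 'all' match,
    since squid stops at the first matching ssl_bump line."""
    findings = []
    modes = {text.split()[1] for _, _, text in rules}
    if len(modes) > 1:
        findings.append("conflicting ssl_bump modes: " + ", ".join(sorted(modes)))
    if rules and rules[0][2].endswith(" all"):
        first_file, first_line, first_text = rules[0]
        for path, lineno, text in rules[1:]:
            findings.append(f"{path}:{lineno} '{text}' is never reached; "
                            f"'{first_text}' at {first_file}:{first_line} matches everything")
    return findings


if __name__ == "__main__":
    print(*audit(collect_ssl_bump("/tmp/demo/squid.conf", CONSTRUCTED_FILES.__getitem__)), sep="\n")
```

Pass the real file path without the `read` argument to run it against an installed squid.conf.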