Bridge/Tproxy: https dns

Hello,

I'm trying to set up a Squid server as simple as possible, just to review the web use in the office, using the latest stable version 3.5.7.

I set up the bridge with 2 NICs, br0 with IP 192.168.0.5, and I have disabled IPv6 on boot in my Slackware Current (Fri Aug 14 2015) server.

The script run on boot for Tproxy, routing, IPTables and EBTables:
echo 50 > /proc/sys/vm/swappiness
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 6 > /proc/sys/net/ipv4/tcp_keepalive_probes
ip -f inet rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables  -t mangle -A PREROUTING -p tcp ! --destination 192.168.0.5 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
iptables  -t mangle -A PREROUTING -p tcp ! --destination 192.168.0.5 --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3130
CLIENT_IFACE=eth1
INET_IFACE=eth0
ebtables -t broute -A BROUTING \
        -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING \
        -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 \
        -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING \
        -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 443 \
        -j redirect --redirect-target DROP

I compiled squid from source:
./configure \
  --prefix=/usr \
  --libdir=/usr/lib64 \
  --libexecdir=/usr/lib64/squid \
  --sysconfdir=/etc/squid \
  --localstatedir=/var/log/squid \
  --sharedstatedir=/var/lib \
  --datadir=/usr/share/squid \
  --with-pidfile=/var/run/squid \
  --mandir=/usr/man \
  --with-logdir=/var/log/squid \
  --enable-silent-rules \
  --enable-dependency-tracking \
  --with-openssl=/usr/include/openssl/ \
  --enable-ssl \
  --enable-ssl-crtd \
  --enable-icmp \
  --enable-delay-pools \
  --enable-useragent-log \
  --enable-esi \
  --enable-follow-x-forwarded-for \
  --enable-linux-netfilter \
  --enable-forward-log \
  --enable-poll \
  --enable-referer-log \
  --with-default-user=squid \
  --enable-auto-locale \
  --disable-ipv6 \
  --build=X86_64-slackware-linux

Generating the certificate:
# openssl genrsa -out squid.key 2048
# openssl req -new -key squid.key -out squid.csr
# openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
# cat squid.key squid.crt > squid.pem

My squid.conf:
acl localnet src 192.168.0.0/16
acl localhost src 192.168.0.5/32
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl ssl-bump_port myportname 3130
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow localnet
http_access deny all
http_reply_access allow all
icp_access allow all
tcp_outgoing_address 85.138.204.43
dns_v4_first on
pinger_enable off
http_port 3128
http_port 3129 tproxy
https_port 3130 ssl-bump tproxy generate-host-certificates=off cert=/etc/squid/ssl/squid.pem cafile=/etc/squid/ssl/squid.pem
always_direct allow ssl-bump_port
ssl_bump none all
dns_nameservers 8.8.8.8 8.8.4.4
access_log daemon:/var/log/squid/access.log squid
cache deny all
pid_filename /var/run/squid/squid.pid
coredump_dir /var/log/squid/cache/squid
visible_hostname myservername.domain.local

In general the configuration (squid.conf) is working, but it has some incomplete behaviours, as shown in the log files.

access.log (I know this is Facebook, but there is no DNS resolution in https, just the IP):
1439811492.625   2377 192.168.0.102 TCP_TUNNEL/200 3574 CONNECT 31.13.90.2:443 - ORIGINAL_DST/31.13.90.2 -

cache.log:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=504747
Content-Type: application/ocsp-response
Date: Mon, 17 Aug 2015 11:38:03 GMT
ETag: "55d15943-1d7"
Expires: Sun, 23 Aug 2015 23:38:03 GMT
Last-Modified: Mon, 17 Aug 2015 03:47:15 GMT
Server: ECS (mad/439C)
X-Cache: HIT
Content-Length: 471
X-Cache: MISS from squidhead2.skywalker.local
Via: 1.1 squidhead2.skywalker.local (squid/3.5.7)
Connection: keep-alive
----------
2015/08/17 12:38:09.067 kid1| store.cc(955) checkCachable: StoreEntry::checkCachable: NO: not cachable
2015/08/17 12:38:09.067 kid1| store.cc(955) checkCachable: StoreEntry::checkCachable: NO: not cachable
2015/08/17 12:38:09.067 kid1| store.cc(955) checkCachable: StoreEntry::checkCachable: NO: not cachable
2015/08/17 12:38:10.248 kid1| TcpAcceptor.cc(222) doAccept: New connection on FD 12
2015/08/17 12:38:10.248 kid1| TcpAcceptor.cc(297) acceptNext: connection on local=0.0.0.0:3130 remote=[::] FD 12 flags=25
2015/08/17 12:38:10.248 kid1| client_side.cc(3890) httpsSslBumpAccessCheckDone: sslBump not needed for local=31.13.90.2:443 remote=192.168.0.102 FD 50 flags=17
2015/08/17 12:38:10.248 kid1| client_side.cc(2337) parseHttpRequest: HTTP Client local=31.13.90.2:443 remote=192.168.0.102 FD 50 flags=17
2015/08/17 12:38:10.248 kid1| client_side.cc(2338) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT 31.13.90.2:443 HTTP/1.1
Host: 31.13.90.2:443
---------
2015/08/17 12:38:10.248 kid1| client_side_request.cc(741) clientAccessCheckDone: The request CONNECT 31.13.90.2:443 is ALLOWED; last ACL checked: localnet
2015/08/17 12:38:10.248 kid1| client_side_request.cc(717) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2015/08/17 12:38:10.248 kid1| client_side_request.cc(741) clientAccessCheckDone: The request CONNECT 31.13.90.2:443 is ALLOWED; last ACL checked: localnet
2015/08/17 12:38:10.248 kid1| peer_select.cc(280) peerSelectDnsPaths: Found sources for '31.13.90.2:443'
2015/08/17 12:38:10.248 kid1| peer_select.cc(281) peerSelectDnsPaths:   always_direct = ALLOWED
2015/08/17 12:38:10.248 kid1| peer_select.cc(282) peerSelectDnsPaths:    never_direct = DENIED
2015/08/17 12:38:10.248 kid1| peer_select.cc(288) peerSelectDnsPaths:    ORIGINAL_DST = local=192.168.0.102 remote=31.13.90.2:443 flags=25
2015/08/17 12:38:10.248 kid1| peer_select.cc(295) peerSelectDnsPaths:        timedout = 0
2015/08/17 12:38:12.621 kid1| client_side.cc(815) swanSong: local=31.13.90.2:443 remote=192.168.0.102 flags=17
2015/08/17 12:38:12.625 kid1| client_side.cc(815) swanSong: local=31.13.90.2:443 remote=192.168.0.102 flags=17


The logs for http (port 80) have the name resolution of the navigation.

I disabled pinger because it gives some errors:
2015/08/17 12:49:55.918 kid1| Pinger socket opened on FD 20
2015/08/17 12:49:55.920 kid1| IcmpSquid.cc(90) SendEcho: to 127.0.0.1, opcode 1, len 9
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: netdb
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: asndb
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: carp
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: userhash
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: sourcehash
2015/08/17 12:49:55.920 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: server_list
2015/08/17 12:49:55| pinger: Initialising ICMP pinger ...
2015/08/17 12:49:55|  icmp_sock: (1) Operation not permitted
2015/08/17 12:49:55| pinger: Unable to start ICMP pinger.
2015/08/17 12:49:55| FATAL: pinger: Unable to open any ICMP sockets.

This is my cache.log after reloading squid:
2015/08/17 12:51:26| Set Current Directory to /var/log/squid/cache/squid
2015/08/17 12:51:27 kid1| Reconfiguring Squid Cache (version 3.5.7)...
2015/08/17 12:51:27 kid1| Closing HTTP port 0.0.0.0:3128
2015/08/17 12:51:27 kid1| Closing HTTP port 0.0.0.0:3129
2015/08/17 12:51:27 kid1| Closing HTTPS port 0.0.0.0:3130
2015/08/17 12:51:27 kid1| Closing Pinger socket on FD 20
2015/08/17 12:51:27.320 kid1| Gadgets.cc(99) authenticateReset: Reset authentication State.
2015/08/17 12:51:27.320 kid1| Logfile: closing log daemon:/var/log/squid/access.log
2015/08/17 12:51:27.320 kid1| Logfile Daemon: closing log daemon:/var/log/squid/access.log
2015/08/17 12:51:27.320 kid1| Startup: Initializing Authentication Schemes ...
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme 'basic'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme 'digest'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme 'negotiate'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication Scheme 'ntlm'
2015/08/17 12:51:27.320 kid1| Startup: Initialized Authentication.
2015/08/17 12:51:27.320 kid1| RegexData.cc(303) aclParseRegexList: aclParseRegexList: new Regex line or file
2015/08/17 12:51:27.320 kid1| RegexData.cc(194) compileOptimisedREs: compileOptimisedREs: -i
2015/08/17 12:51:27.320 kid1| RegexData.cc(218) compileOptimisedREs: compileOptimisedREs: adding RE '^cache_object://'
2015/08/17 12:51:27.320 kid1| RegexData.cc(208) compileOptimisedREs: compileOptimisedREs: +i
2015/08/17 12:51:27.320 kid1| RegexData.cc(153) compileRE: compileRE: compiled '(^cache_object://)' with flags 11
2015/08/17 12:51:27.320 kid1| RegexData.cc(218) compileOptimisedREs: compileOptimisedREs: adding RE '^https?://[^/]+/squid-internal-mgr/'
2015/08/17 12:51:27.320 kid1| RegexData.cc(153) compileRE: compileRE: compiled '(^https?://[^/]+/squid-internal-mgr/)' with flags 9
2015/08/17 12:51:27.320 kid1| RegexData.cc(261) compileOptimisedREs: compileOptimisedREs: 2 REs are optimised into one RE.
2015/08/17 12:51:27.320 kid1| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2015/08/17 12:51:27.320 kid1| Disabling Authentication on port 0.0.0.0:3129 (TPROXY enabled)
2015/08/17 12:51:27.320 kid1| Disabling Authentication on port 0.0.0.0:3130 (TPROXY enabled)
2015/08/17 12:51:27.320 kid1| Initializing https proxy context
2015/08/17 12:51:27.320 kid1| Initializing https_port 0.0.0.0:3130 SSL context
2015/08/17 12:51:27.320 kid1| Using certificate in /etc/squid/ssl/squid.pem
2015/08/17 12:51:27.330 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: config
2015/08/17 12:51:27.330 kid1| main.cc(803) mainReconfigureFinish: running RegisteredRunner::syncConfig
2015/08/17 12:51:27.331 kid1| errorpage.cc(312) tryLoadTemplate: wildcard fallback errors not coded yet.
2015/08/17 12:51:27.331 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2015/08/17 12:51:27.331 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2015/08/17 12:51:27.331 kid1| Squid plugin modules loaded: 0
2015/08/17 12:51:27.331 kid1| Adaptation support is off.
2015/08/17 12:51:27.332 kid1| Config.cc(211) FinalizeEach: Initialized 0 message adaptation services
2015/08/17 12:51:27.332 kid1| Config.cc(211) FinalizeEach: Initialized 0 message adaptation service groups
2015/08/17 12:51:27.332 kid1| Config.cc(211) FinalizeEach: Initialized 0 message adaptation access rules
2015/08/17 12:51:27.332 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: store_log_tags
2015/08/17 12:51:27.332 kid1| Store logging disabled
2015/08/17 12:51:27.332 kid1| dns_internal.cc(1534) dnsInit: idnsInit: attempt open DNS socket to: 0.0.0.0
2015/08/17 12:51:27.332 kid1| DNS Socket created at 0.0.0.0, FD 11
2015/08/17 12:51:27.332 kid1| Adding nameserver 8.8.8.8 from squid.conf
2015/08/17 12:51:27.332 kid1| Adding nameserver 8.8.4.4 from squid.conf
2015/08/17 12:51:27.332 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: idns
2015/08/17 12:51:27.332 kid1| Format.cc(64) parse: got definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2015/08/17 12:51:27.332 kid1| Format.cc(64) parse: got definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2015/08/17 12:51:27.332 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: external_acl
2015/08/17 12:51:27.332 kid1| wccp.cc(112) wccpConnectionOpen: WCCPv1 disabled.
2015/08/17 12:51:27.332 kid1| wccp2.cc(960) wccp2ConnectionOpen: WCCPv2 Disabled. No IPv4 Router(s) configured.
2015/08/17 12:51:27.332 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x2a0ea40 [call62031]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 12 flags=9, err=0, HTTP Socket port=0x2a0eaa0) [call62031]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x2a0eb50 [call62033]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3129 remote=[::] FD 16 flags=25, err=0, HTTP Socket port=0x2a0ebb0) [call62033]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x2a0ec60 [call62035]
2015/08/17 12:51:27.333 kid1| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3130 remote=[::] FD 20 flags=25, err=0, HTTPS Socket port=0x2a0ecc0) [call62035]
2015/08/17 12:51:27.333 kid1| HTCP Disabled.
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: netdb
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: asndb
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: carp
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: userhash
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: sourcehash
2015/08/17 12:51:27.333 kid1| cache_manager.cc(67) registerProfile: skipped duplicate profile: server_list
2015/08/17 12:51:27.333 kid1| Finished loading MIME types and icons.
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 12 flags=9, err=0, HTTP Socket port=0x2a0eaa0)
2015/08/17 12:51:27.343 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call62031]
2015/08/17 12:51:27.343 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 12 flags=9
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 12 flags=9, err=0, HTTP Socket port=0x2a0eaa0)
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3129 remote=[::] FD 16 flags=25, err=0, HTTP Socket port=0x2a0ebb0)
2015/08/17 12:51:27.343 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call62033]
2015/08/17 12:51:27.343 kid1| Accepting TPROXY intercepted HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 16 flags=25
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3129 remote=[::] FD 16 flags=25, err=0, HTTP Socket port=0x2a0ebb0)
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3130 remote=[::] FD 20 flags=25, err=0, HTTPS Socket port=0x2a0ecc0)
2015/08/17 12:51:27.343 kid1| AsyncCall.cc(38) make: make call clientListenerConnectionOpened [call62035]
2015/08/17 12:51:27.343 kid1| Accepting TPROXY intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3130 remote=[::] FD 20 flags=25
2015/08/17 12:51:27.343 kid1| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3130 remote=[::] FD 20 flags=25, err=0, HTTPS Socket port=0x2a0ecc0)

Do I have to set up a local DNS server? Can't the internal DNS of squid handle https in Tproxy?
What's missing to have name resolution in https traffic, as is shown in http traffic?

Thanks for your time helping me.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
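The access.log line above shows only the ORIGINAL_DST address (31.13.90.2:443) because `ssl_bump none all` tunnels the intercepted connection without reading anything inside it; the hostname of an intercepted HTTPS flow is the SNI carried in the client's TLS ClientHello, which Squid only reads when it peeks at the handshake (`ssl_bump peek`/`splice`). As an added example, not code from this post or from Squid, the parser below extracts that SNI from a ClientHello record, fed with a ClientHello constructed inside the block; it returns None on truncated or malformed input instead of raising.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS 1.2 ClientHello with a server_name extension (sample data,
    not a capture). Layout: record hdr, handshake hdr, version, random,
    session id, cipher suites, compression methods, extensions."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry           # ServerNameList
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext               # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                                # client_version + random
            + b"\x00"                                                 # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                      # one cipher suite
            + b"\x01\x00"                                             # null compression only
            + struct.pack("!H", len(ext)) + ext)                      # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host_name of a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:                    # Handshake record, client_hello
            return None
        pos = 9                                                      # record hdr (5) + handshake hdr (4)
        pos += 2 + 32                                                # version + random
        pos += 1 + record[pos]                                       # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]       # cipher suites
        pos += 1 + record[pos]                                       # compression methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:                                    # walk the extension list
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0:                                           # server_name extension
                list_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
                q = pos + 2
                while q + 3 <= list_end:
                    ntype = record[q]
                    nlen = struct.unpack("!H", record[q + 1:q + 3])[0]
                    if ntype == 0 and q + 3 + nlen <= len(record):
                        return record[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
                return None
            pos += elen
        return None
    except (IndexError, struct.error):                               # truncated or garbage record
        return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))       # www.example.com
```

The same SNI value is what Squid exposes to access_log via the `%ssl::>sni` format code once the connection is peeked rather than tunnelled blind.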
