Hi Alex,
okay, I think I understand a little more.
I am trying to get the old server-first method working with the new peek and splice method, but without success.
I have built an RPM package with the latest 3.5.11 source based on http://www1.ngtech.co.il/repo/centos/6/SRPMS/squid-3.5.9-1.el6.src.rpm
Squid is configured with SSL bump similar to the configuration suggested by Sebastian.
In my view it's a good idea to give a detailed description of my setup with real IPs and hostnames:
1. Client machine
OS: CentOS 6.6 x86_64
IP: 10.0.0.2/24 (internal network)
Default Gateway: 10.0.0.1 (= Squid machine)
2. Squid machine
OS: CentOS 6.6 x86_64
IP 1: 10.0.0.1/24 (internal network)
IP 2: 172.31.1.15/24 (outgoing interface, behind a router)
# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.0.1:3129
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.0.0.1:3443
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# squid -v
Squid Cache: Version 3.5.11
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid'
'--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools'
'--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl-crtd' '--enable-icmp' '--with-aio'
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
-fPIC' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience
# Squid configuration file
# Rules allowing access from your local networks
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
# SSL Bump
acl step1 at_step SslBump1
acl MYSITE ssl::server_name school.bettermarks.com
ssl_bump peek step1
ssl_bump bump MYSITE
ssl_bump splice all
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Only allow purge from localhost (squidclient -m PURGE <object-url>)
acl Purge method PURGE
http_access allow localhost Purge
http_access deny Purge
# Allow access from your local networks
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 10.0.0.1:3129 intercept
https_port 10.0.0.1:3443 intercept ssl-bump cert=/etc/squid/certs/bettermarks.com-chain.crt key=/etc/squid/certs/bettermarks.com-unsecure.key
## Memory only caching
# Cache memory size (default: 256 MB)
cache_mem 512 MB
# Max object size in memory (default: 512 KB)
maximum_object_size_in_memory 2 MB
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
## Refresh patterns
# BM static
refresh_pattern -i ^https:\/\/(school|cdn)\.bettermarks\.com\/static\/.*? 1440 100% 1440
# BM dynamic
refresh_pattern -i ^https:\/\/school\.bettermarks\.com\/.*? 0 0% 0
# default
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Cache log
debug_options ALL,1 33,5 83,5 89,5
My first goal is to replace the old working server-first bumping method:
# SSL Bump
acl MYSITE dst 212.45.105.89
ssl_bump server-first MYSITE
ssl_bump none all
with the new peek and splice method:
# SSL Bump
acl step1 at_step SslBump1
acl MYSITE ssl::server_name school.bettermarks.com
ssl_bump peek step1
ssl_bump bump MYSITE
ssl_bump splice all
The hostname school.bettermarks.com has the dedicated IP address 212.45.105.89 and points to an F5 load balancer
that terminates SSL for *.bettermarks.com using the same certificate as Squid.
I have called the following command on the client machine:
# curl -v https://school.bettermarks.com/<path-to-file> -o /dev/null
* About to connect() to school.bettermarks.com port 443 (#0)
* Trying 212.45.105.89... connected
* Connected to school.bettermarks.com (212.45.105.89) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
The command failed after a while with:
* NSS error -5938
* Closing connection #0
* SSL connect error
Squid's access.log:
1447179870.180 172 10.0.0.2 TAG_NONE/200 0 CONNECT 212.45.105.89:443 - ORIGINAL_DST/212.45.105.89 -
More information follows in my next post (to not exceed the maximum post size).
On Tuesday, 10.11.2015, 08:49 -0700, Alex Rousskov wrote:
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
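The `ssl_bump peek step1` / `acl MYSITE ssl::server_name school.bettermarks.com` rules in the post above decide at SslBump1, i.e. after Squid has read only the client's TLS ClientHello and before anything has been sent to the origin. At that point the only server name available is the SNI extension the client supplied. The following is an added example, not code from the post or from Squid: it builds a constructed ClientHello record, extracts the SNI from it the way a step-1 peek has to, and applies a small `ssl::server_name`-style match. The `build_client_hello`, `extract_sni` and `matches_server_name` names are mine; the cipher-suite bytes and random are made-up fillers, and the leading-dot subdomain matching is a simplified approximation of Squid's domain ACL semantics, not its implementation.

```python
import struct


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(sni=None):
    """Return a constructed TLS 1.2 ClientHello record, optionally carrying an SNI extension.

    This is test input only: fixed random, no session id, three placeholder cipher suites.
    """
    client_random = b"\x11" * 32            # fixed filler, not a real random
    session_id = b""
    cipher_suites = b"\xc0\x2f\xc0\x30\x00\x9c"   # placeholder suite ids
    compression = b"\x00"                   # null compression only
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        # ServerNameList: one entry, name_type 0 (host_name), 16-bit length, bytes
        server_name_list = b"\x00" + _u16(len(host)) + host
        ext_body = _u16(len(server_name_list)) + server_name_list
        extensions += _u16(0) + _u16(len(ext_body)) + ext_body   # extension type 0 = server_name
    body = (b"\x03\x03" + client_random + bytes([len(session_id)]) + session_id
            + _u16(len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression)
    if extensions:
        body += _u16(len(extensions)) + extensions
    handshake = b"\x01" + _u24(len(body)) + body      # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake   # ContentType 22 = handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None.

    None covers: not a TLS handshake record, not a ClientHello, a truncated hello
    (a peek needs the complete ClientHello), or a hello that carries no SNI at all.
    """
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                                   # truncated ClientHello
        pos = 2 + 32                                      # legacy_version + random
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
        if pos >= len(body):
            return None                                   # no extensions block
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            ext = body[pos:pos + ext_len]; pos += ext_len
            if ext_type != 0:
                continue
            list_len = struct.unpack("!H", ext[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = ext[q]
                name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
                name = ext[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:                        # host_name
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def matches_server_name(record, acl_value):
    """Step-1 view of 'acl X ssl::server_name <acl_value>': only the client's SNI can match.

    Case-insensitive; a leading dot matches the domain itself and any subdomain
    (simplified approximation of Squid's domain ACL matching, assumed here).
    """
    sni = extract_sni(record)
    if sni is None:
        return False                  # no SNI, so nothing for a step-1 server_name ACL to see
    sni, pat = sni.lower(), acl_value.lower()
    if pat.startswith("."):
        return sni == pat[1:] or sni.endswith(pat)
    return sni == pat


if __name__ == "__main__":
    hello = build_client_hello("school.bettermarks.com")
    print(extract_sni(hello))
    print(matches_server_name(hello, "school.bettermarks.com"))
    print(matches_server_name(build_client_hello(None), "school.bettermarks.com"))
```

The last call shows the case a step-1 rule cannot handle: a client that omits SNI gives `ssl::server_name` nothing to compare against at SslBump1, so such a connection falls through to whatever later `ssl_bump` line matches (here `splice all`). Checking that the test client actually sends SNI is therefore the first thing to verify when a `peek`-then-`bump` rule does not fire as expected.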