Problem to configure squid for HTTPS website (HSTS or others certificate problems)

[Raph Ghost <raphghost22@xxxxxxxxxxx>]

Hi users :)

What I want to do: I have a dedicated server and I want to make it as a transparent adblocker through a VPN. So I have installed and configured OpenVPN and route my traffic from the VPN tun into the squid proxy.

What is the problem: Websites based on http work great but those based on httpS doesn't work at all. 

I have already tried two squid configurations and look for that problem in the user mail list history but I can't find any workaround that works.

My compilation options (squid 3.5.15 -with-openssl is enabled):

'--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-openssl=/etc/ssl' '--enable-ssl-crtd' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info= linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

My iptable conf (port 22: my ssh server/ input port 443: my OpenVPN server):

-P INPUT DROP

-P FORWARD DROP

-P OUTPUT DROP

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

-A INPUT -p udp -m udp --dport 53 -j ACCEPT

-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

-A INPUT -i tun0 -j ACCEPT

-A FORWARD -i tun0 -j ACCEPT

-A FORWARD -o tun0 -j ACCEPT

-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A OUTPUT -o lo -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT

-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT

-A OUTPUT -o tun0 -j ACCEPT

-A OUTPUT -p icmp -j ACCEPT

My iptable conf (nat table):

-P PREROUTING ACCEPT

-P INPUT ACCEPT

-P OUTPUT ACCEPT

-P POSTROUTING ACCEPT

-A PREROUTING -s 10.8.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129

-A PREROUTING -s 10.8.0.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130

-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This iptables configuration works great to route vpn input trafic into squid.

1st squid conf I've tried (based on this tutorial http://monblog.system-linux.net/blog/2013/03/23/mettre-en-oeuvre-squid-transparent-https-sous-debian/ and others):

#

# Recommended minimum configuration:

#

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 10.8.0.0/24 # RFC1918 possible internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

#

# Recommended minimum Access Permission configuration:

#

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost

http_access allow localhost manager

http_access deny manager

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

# And finally deny all other access to this proxy

http_access deny all

# Squid normally listens to port 3128

http_port 10.8.0.1:3128

http_port 10.8.0.1:3129 transparent

https_port 10.8.0.1:3130 intercept ssl-bump key=/etc/squid/ssl_cert2/key.key cert=/etc/squid/ssl_cert2/cert.pem

# Uncomment and adjust the following to add a disk cache directory.

#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /var/spool/squid

#

# Add any of your own refresh_pattern entries above these.

#

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern . 0 20% 4320

2nd conf I have tried (based on many tutorials and the official squid wiki especially to configure Ssl Bump/Peek and Slice function):

#

# Recommended minimum configuration:

#

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 10.8.0.0/24 # RFC1918 possible internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

#

# Recommended minimum Access Permission configuration:

#

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost

http_access allow localhost manager

http_access deny manager

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

# And finally deny all other access to this proxy

http_access deny all

always_direct allow all 

sslproxy_cert_error allow all

sslproxy_cafile /etc/ssl/certs/ca-certificates.crt

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Squid normally listens to port 3128

http_port 10.8.0.1:3128

http_port 10.8.0.1:3129 transparent

https_port 10.8.0.1:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=6MB cert=/etc/squid/ssl_cert/myCA.pem

acl step1 at_step SslBump1

acl step2 at_step SslBump2

acl step3 at_step SslBump3

ssl_bump peek step1 all

ssl_bump stare step2

ssl_bump bump step3

# Uncomment and adjust the following to add a disk cache directory.

#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir

coredump_dir /var/spool/squid

#

# Add any of your own refresh_pattern entries above these.

#

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern . 0 20% 4320

Unfortunately none of these conf work.

With the first conf:

If i try to connect to https://openclassrooms.com/ for example I get a warning about that the certificate is not trust. I can overpass this warning (by clicking on "continue on this website (dangerous)") but after few seconds I get an error generated by squid:

"L'erreur suivante s'est produite en essayant d'accéder à l'URL : https://openclassrooms.com/

La connexion 190.93.240.239 a échouée.

Le système a retourné : (110) Connection timed out   < ----- Important line

L'hôte distant ou le réseau sont peut-être défaillant. Veuillez renouveler votre requête.

Votre administrateur proxy est webmaster."

In access.log I get:

1459756883.952     42 10.8.0.6 TCP_MISS/200 565 GET http://www.google-analytics.com/__utm.gif? - ORIGINAL_DST/216.58.214.78 image/gif

1459756885.636     14 10.8.0.6 TCP_MISS/204 262 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.214.67 -

1459756890.842     17 10.8.0.6 TCP_MISS/302 505 GET http://openclassrooms.com/ - ORIGINAL_DST/190.93.240.239 -

1459756891.129     14 10.8.0.6 TCP_MISS/204 262 GET http://www.gstatic.com/generate_204 - ORIGINAL_DST/216.58.214.67 -

1459756961.902  60814 10.8.0.6 TCP_MISS/503 4850 GET https://openclassrooms.com/ - ORIGINAL_DST/190.93.240.239 text/html

In cache.log there is nothing especial.

When I try to connect to https://www.google.fr I get a warning (from my browser, here Chrome) but I can't overpass it (due to HSTS technologie).

With the second conf (which is supposed to dynamically generate certificate from the original certificate to overpass HSTS - at least this I did think but it doesn't work):

Both of google or openclassroom websites generate the same result:

On browser I get a ERR_TIMED_OUT.

In access.log:

1459755020.622  59785 10.8.0.6 TAG_NONE/200 0 CONNECT 46.228.47.114:443 - ORIGINAL_DST/46.228.47.114 -

1459755043.645  60448 10.8.0.6 TAG_NONE/200 0 CONNECT 46.228.47.115:443 - ORIGINAL_DST/46.228.47.115 -

1459755045.000  60058 10.8.0.6 TAG_NONE/200 0 CONNECT 216.58.211.106:443 - ORIGINAL_DST/216.58.211.106 -

In store.log I get SOMETIMES (rarely) this:

2016/04/01 11:43:05| Pinger exiting.

2016/04/01 11:46:02 kid1| Error negotiating SSL connection on FD 27: Closed by client

2016/04/01 11:46:09 kid1| Error negotiating SSL connection on FD 36: Closed by client

2016/04/01 11:46:16 kid1| Error negotiating SSL connection on FD 30: Closed by client

2016/04/01 11:46:23 kid1| Error negotiating SSL connection on FD 38: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:46:31 kid1| Error negotiating SSL connection on FD 18: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:46:38 kid1| Error negotiating SSL connection on FD 43: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:46:46 kid1| Error negotiating SSL connection on FD 10: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:46:54 kid1| Error negotiating SSL connection on FD 33: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:47:32 kid1| Error negotiating SSL connection on FD 14: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:47:40 kid1| Error negotiating SSL connection on FD 28: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:47:48 kid1| Error negotiating SSL connection on FD 10: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:47:55 kid1| Error negotiating SSL connection on FD 16: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:48:03 kid1| Error negotiating SSL connection on FD 27: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:48:54 kid1| Error negotiating SSL connection on FD 10: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:49:01 kid1| Error negotiating SSL connection on FD 14: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:49:08 kid1| Error negotiating SSL connection on FD 18: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:49:15 kid1| Error negotiating SSL connection on FD 28: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:49:24 kid1| Error negotiating SSL connection on FD 36: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 11:49:31 kid1| Error negotiating SSL connection on FD 38: Closed by client

2016/04/01 11:49:38 kid1| Error negotiating SSL connection on FD 40: Closed by client

2016/04/01 11:49:45 kid1| Error negotiating SSL connection on FD 53: Closed by client

2016/04/01 11:49:53 kid1| Error negotiating SSL connection on FD 59: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol (1/-1)

2016/04/01 12:22:55 kid1| Logfile: opening log stdio:/var/log/squid/netdb.state

2016/04/01 12:22:55 kid1| Logfile: closing log stdio:/var/log/squid/netdb.state

2016/04/01 12:22:55 kid1| NETDB state saved; 4 entries, 0 msec

2016/04/01 13:04:35 kid1| Logfile: opening log stdio:/var/log/squid/netdb.state

2016/04/01 13:04:35 kid1| Logfile: closing log stdio:/var/log/squid/netdb.state

2016/04/01 13:04:35 kid1| NETDB state saved; 4 entries, 0 msec

2016/04/01 13:54:40 kid1| Logfile: opening log stdio:/var/log/squid/netdb.state

2016/04/01 13:54:40 kid1| Logfile: closing log stdio:/var/log/squid/netdb.state

Whatever configuration that I used I have import certificate into my browser correctly.

Can you help me ??

Thanks in advance and sorry if my English is not perfect. I can send you any other informations that you would need.

Best regards,

Raph

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users