Re: Trusted CA Certificate with ssl_bump

Hi Alex, and all others

No I have set it for multiple domains, and it works really fine. Again many thanks.

But I have a new demand:

Within one of the sites, where squid handles the https connection and then communicates with the internal VM through http, there is one page (at least, maybe we will find others), I don't know why, but the devs want it http only.

When I come to the menu to this page, the app returns an http:// link to squid. Squid encrypts and sends an https:// link to the browser, but then when the user hits the link, some of the components of the page should stay http://, and there the browser detects an https page with http components embedded, and blocks them.

Is there a way to tell squid to leave some links as http?

My domain is domain.tld:

the browser asks for https://domain.tld

squid decrypts, recognizes this domain, and according to the acl goes to VM1 in http:// mode, not encrypted.

The site on VM1 returns a page in http:// mode, with all links as http too, and squid sends it back encrypted to the browser with all embedded links as https://

I want a special link on the page http://domain.tld/special/ to stay http.

How can I instruct squid to leave it as it is, but convert all the others?

Thanks

Patrick


On 17/11/2016 at 20:11, Patrick Chemla wrote:

Hi Alex, sorry for disturbing, but it works with

https_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com cert=/etc/squid/ssl/semplixxxx.com.crt key=/etc/squid/ssl/semplixxxx.com.key

Many, many, many thanks for the valuable help.

Patrick
On 17/11/2016 at 19:48, Patrick Chemla wrote:
Hi Alex,

I followed the

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

I am getting errors when trying to connect. What could it be?

This is the config: Is there something bad there?

======================================
debug_options   ALL,1  33,2 28,9

http_port 5.39.105.241:443 accel defaultsite=www.semplixxxx.com cert=/etc/squid/ssl/semplixxxx.com.crt key=/etc/squid/ssl/semplixxxx.com.key

cache_peer 172.16.16.83 parent 80 0 no-query originserver login=PASS sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 name=SEMP1
cache_peer 172.16.17.83 parent 80 0 no-query originserver login=PASS sourcehash weight=80 connect-timeout=3 connect-fail-limit=3 standby=5 name=SEMP2

acl w3_semplixxxx dstdomain .semplixxxx.com
cache_peer_access SEMP1 allow w3_semplixxxx
cache_peer_access SEMP1 deny all

http_access allow w3_semplixxxx

=====================================

$ wget https://www.semplixxxx.com
--2016-11-17 19:34:49--  https://www.semplixxxx.com/
Résolution de www.semplitech.com (www.semplixxxx.com)… xxx.xxx.xxx.xxx
Connexion à www.semplitech.com (www.semplixxxx.com)|xxx.xxx.xxx.xxx|:443… connecté.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Incapable d'établir une connexion SSL.

Same error with the browser
=========================================
This is what I have in access_log file:
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:34:49 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE
- ccc.ccc.ccc.ccc - - - [17/Nov/2016:18:35:30 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE

===========================================
This is what I have in cache.log:
2016/11/17 18:35:28.724 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
2016/11/17 18:35:28.725 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(178) lookup: id=0xf55ca8ed404 query ARP table
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(222) lookup: id=0xf55ca8ed404 query ARP on each interface (480 found)
2016/11/17 18:35:30.752 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface lo
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:1
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:2
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:4
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:5
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:6
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:7
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth2:8
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on eth3
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(228) lookup: id=0xf55ca8ed404 found interface virbr0
2016/11/17 18:35:30.753 kid1| 28,4| Eui48.cc(237) lookup: id=0xf55ca8ed404 looking up ARP address for ccc.ccc.ccc.ccc on virbr0
2016/11/17 18:35:30.753 kid1| 28,3| Eui48.cc(520) lookup: id=0xf55ca8ed404 ccc.ccc.ccc.ccc NOT found
2016/11/17 18:35:30.753 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x78737acd2660
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(2583) clientProcessRequest: clientProcessRequest: Invalid Request
2016/11/17 18:35:30.753 kid1| 33,2| client_side.cc(816) swanSong: local=5.39.105.241:443 remote=ccc.ccc.ccc.ccc:48745 flags=1
2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(70) preCheck: 0x78737acd23c0 checking fast ACLs
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking access_log daemon:/var/log/squid/access.log
2016/11/17 18:35:30.753 kid1| 28,5| Acl.cc(138) matches: checking (access_log daemon:/var/log/squid/access.log line)
2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2016/11/17 18:35:30.753 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2016/11/17 18:35:30.753 kid1| 28,3| Checklist.cc(63) markFinished: 0x78737acd23c0 answer ALLOWED for match
2016/11/17 18:35:30.754 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd23c0
2016/11/17 18:35:30.754 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x78737acd23c0
2016/11/17 18:36:15.609 kid1| 28,4| FilledChecklist.cc(66) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x78737acd2520
2016/11/17 18:36:15.609 kid1| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x78737acd2520

Thanks for help
Patrick
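The "NONE error:invalid-request" 400 entries and the "Invalid Request" debug line above are what Squid logs when bytes arrive that it cannot parse as HTTP; in this thread they were TLS handshakes hitting a plain http_port, which the follow-up message resolved by switching to https_port. The script below is an added example, not code from the thread or from the Squid project: it parses access.log entries of the quoted shape and counts such events per client so a misconfigured listener shows up in monitoring; the sample log lines and the 203.0.113.x addresses are constructed.

```python
import re
from collections import Counter

# Squid access.log entries of the shape quoted in this thread:
#   - <client> - - - [<timestamp>] "<method> <url> HTTP/<ver>" <status> <bytes> "<referer>" "<ua>" <Ss>:<Sh>
# The number of "-" fields before the timestamp varies by logformat, so the pattern
# anchors on the client IP, the bracketed timestamp and the quoted request line
# rather than on fixed field positions.
LOG_RE = re.compile(
    r'(?P<client>\d{1,3}(?:\.\d{1,3}){3})'
    r'.*?\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<proto>[^"]*)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+)\s+'
    r'"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"\s+'
    r'(?P<tags>\S+)'
)

# Constructed sample lines (not from the thread): two unparseable requests from one
# client, mirroring the quoted entries, plus one normal accelerated GET.
SAMPLE_LOG = [
    '- 203.0.113.7 - - - [17/Nov/2016:18:34:49 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE',
    '- 203.0.113.7 - - - [17/Nov/2016:18:35:30 +0100] "NONE error:invalid-request - HTTP/1.1" 400 4468 "-" "-" TAG_NONE:HIER_NONE',
    '203.0.113.9 - - [17/Nov/2016:18:36:02 +0100] "GET http://www.example.com/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0" TCP_MISS:FIRSTUP_PARENT',
]

def parse_line(line):
    """Return a dict of named fields for one access.log entry, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def is_invalid_request(entry):
    """True when Squid could not parse the request at all: method NONE, the pseudo-URL
    error:invalid-request and status 400. A TLS ClientHello sent to an http_port
    produces exactly this, which is the symptom the quoted config showed."""
    return (entry["method"] == "NONE"
            and entry["url"] == "error:invalid-request"
            and entry["status"] == "400")

def invalid_request_clients(lines):
    """Count invalid-request entries per client address; lines that do not parse are skipped."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_invalid_request(entry):
            hits[entry["client"]] += 1
    return hits

if __name__ == "__main__":
    for client, count in invalid_request_clients(SAMPLE_LOG).items():
        print(f"{client}: {count} unparseable request(s) on the listener")
```

A sustained run of these from many clients on an accel port that is supposed to serve HTTPS is a strong hint that the listener is http_port rather than https_port.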

On 16/11/2016 at 20:16, Patrick Chemla wrote:
Many thanks Alex. I will try in the next hours and let you know if I am successful.

Patrick


On 16/11/2016 at 20:04, Alex Crow wrote:

On 16/11/16 17:33, Patrick Chemla wrote:
Thanks for your answers, I am not doing anything illegal, I am trying to
build a performant platform.

I have a big server running about 10 different websites.

I have on this server virtual machines, each specialized for one or some
websites, and squid helps me to send the traffic to the destination
website on the internal VM according to the URL.

Some VMs are paired, so squid will load-balance the traffic on groups of
VMs according to the URL/acls.

All this works in HTTP, thanks to Amos' advice a few weeks ago.

Now, I need to set SSL traffic, and because the domains are different I need to use different IPs:443 to be able to use different certificates.

I tried many times in the past to make squid work in SSL and never
succeeded because of so many options, and this question: should the traffic
between squid and the backend be SSL? If yes, it's OK for me,
nothing illegal.

The second question: How to set up the SSL link on squid getting the SSL request and sending to the backend. Actually the backend can handle SSL
traffic, it's OK for me if I find the way to make squid handle the
traffic, according to the acls. squid must decrypt the request, compute
the acls, then re-crypt to send to the backend.

The reason I asked not to re-encrypt is because of performance. All this
is on the same server, from the host to the VMs, and decrypt, then
re-encrypt, then decrypt will be resource consuming. But I can do it
like that.

Now, do you have any clear Howto that will help? I found many on
Google and none gave me a working solution.

The other question is about Trusted Certificates. We have on the
websites trusted certificates. Should we use the same on the squid?

Thanks for the appreciated help

Patrick


You are using a reverse proxy/web accelerator setup. Nothing you do
there will be illegal if you're using it for your own servers! You
should be able to use HTTP to the backend and just offer HTTPS from
squid. This will avoid loading the backend with encryption cycles. You
don't need any certificate generation as AFAIK you already have all the
certs you need.

See:

http://wiki.squid-cache.org/SquidFaq/ReverseProxy

for starters. You can adapt the wildcard example; if you have specific
certs for each domain, just listen on a different IP for each domain and set up multiple https_port with a different listening IP for each site.
If you have a wildcard cert, i.e. *.mydomain.com, follow it directly.

Here's a couple more:

http://wiki.univention.com/index.php?title=Cool_Solution_-_Squid_as_Reverse_SSL_Proxy

(I found the above with a simple google for "squid reverse ssl proxy".
Google is your friend here... )

http://www.squid-cache.org/Doc/config/https_port/

That's as far as my knowledge goes on reverse in Squid; at my site we
use nginx. But AFAIK if you're doing what I think you're doing that
should be enough. Squid does have a lot of config parameters, but then
so does any other fully capable proxy server. Just focus on the parts
you need for your role and it will be much easier. Specifically ignore
bump/peek+splice, it's just for forward proxy.

Alex
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
