On 8/02/2017 4:04 a.m., Dante F. B. Colò wrote:
> Hi Leonardo,
>
> Thanks for your reply. I tried SSL Bump under client-first and
> server-first modes; both didn't work. Squid version is 3.4.14 running
> under OpenBSD 5.6 and 5.7 test boxes. I also increased the verbosity log to
> 9 of the URL Parsing debug section to see if it shows something useful. I
> 'll post here my squid.conf and debug output from cache.log; if you
> have some suggestion, tell me please.
>
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile: skipped duplicate profile: asndb
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile: skipped duplicate profile: carp
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile: skipped duplicate profile: userhash
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile: skipped duplicate profile: sourcehash
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile: skipped duplicate profile: server_list
> 2016/12/06 19:32:39.446 kid1| Finished loading MIME types and icons.
> 2016/12/06 19:32:39.469 kid1| src/base/AsyncCallQueue.cc(51) fireNext: entering clientListenerConnectionOpened(local=172.17.198.19:3128 remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
> 2016/12/06 19:32:39.470 kid1| src/base/AsyncCall.cc(30) make: make call clientListenerConnectionOpened [call27542]
> 2016/12/06 19:32:39.470 kid1| Accepting SSL bumped HTTP Socket connections at local=172.17.198.19:3128 remote=[::] FD 18 flags=9
> 2016/12/06 19:32:39.470 kid1| src/base/AsyncCallQueue.cc(53) fireNext: leaving clientListenerConnectionOpened(local=172.17.198.19:3128 remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
> 2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(220) doAccept: New connection on FD 18
> 2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(295) acceptNext: connection on local=172.17.198.19:3128 remote=[::] FD 18 flags=9
> 2016/12/06 19:33:05.727 kid1| src/client_side.cc(2407) parseHttpRequest: HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9 flags=1
> 2016/12/06 19:33:05.727 kid1| src/client_side.cc(2408) parseHttpRequest: HTTP Client REQUEST:
> ---------
> CONNECT www.sans.org:443 HTTP/1.1
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0
> Proxy-Connection: keep-alive
> Connection: keep-alive
> Host: www.sans.org:443
> Proxy-Authorization: Basic amVjYS50YXR1OjEyMzQ=
>
>
> ----------

...

> 2016/12/06 19:33:05.762 kid1| src/auth/User.cc(342) addIp: user 'jeca.tatu' has been seen at a new IP address (172.17.200.11:50974)

... the "password" ACL works.

... the "jeca.tatu" ACL is redundant.

> 2016/12/06 19:33:05.763 kid1| src/client_side_request.cc(759) clientAccessCheckDone: The request CONNECT www.sans.org:443 is DENIED; last ACL checked: all

... the "restrito" ACL does not match "www.sans.org:443".

... the "deny all" blocks this CONNECT request.

> 2016/12/06 19:33:05.764 kid1| src/client_side.cc(785) setAuth: Adding connection-auth to local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9 flags=1 from SSL-bumped CONNECT

... Squid then goes on and bumps the request. But only so that it can deliver the error message in a way which browsers will display.

> 2016/12/06 19:33:05.767 kid1| src/client_side.cc(3562) clientNegotiateSSL: clientNegotiateSSL: Session 0x8b414f73400 reused on FD 9 (172.17.200.11:50974)

...

> 2016/12/06 19:33:05.769 kid1| src/client_side.cc(1460) sendStartOfMessage: HTTP Client REPLY:
> ---------
> HTTP/1.1 403 Forbidden
> Server: squid/3.4.12
> Mime-Version: 1.0
> Date: Tue, 06 Dec 2016 21:33:05 GMT
> Content-Type: text/html
> Content-Length: 3342
> X-Squid-Error: ERR_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en
> X-Cache: MISS from openbsd57vm01
> Via: 1.1 openbsd57vm01 (squid/3.4.12)
> Connection: close
>
> #################################################################
>
> my squid.conf
> ...
> acl password proxy_auth REQUIRED
> acl jeca.tatu proxy_auth jeca.tatu
> acl restrito url_regex -i "/etc/squid/acl/restrito"
> http_access allow password jeca.tatu restrito
> http_access deny all
>
> http_port 172.17.198.19:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB key=/etc/squid/pki/test.private cert=/etc/squid/pki/test.cert
> acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> always_direct allow all

You don't need that "always_direct allow all". It was a workaround for a 3.1 bug which is long since fixed.

> ssl_bump client-first all
> sslproxy_cert_error allow all
> sslproxy_cert_error allow BadSite
> sslproxy_flags DONT_VERIFY_PEER

Remove the "allow all" and DONT_VERIFY_PEER lines. They are very bad, particularly for testing. You *want* to see what the problems are when debugging.
Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
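The reasoning in Amos's reply can be checked outside Squid. The following is an added example, not Squid source and not the poster's configuration: a simplified model of http_access evaluation (first line whose ACLs all match decides; no match means the opposite of the last line) for the ACL types used in the thread, plus a check for the three directives Amos says to remove. The contents of /etc/squid/acl/restrito are not on the page, so the example assumes a typical absolute-URL regex, which never matches the bare "host:port" that a CONNECT presents to url_regex; the corrected configuration, using a dstdomain ACL, is likewise a constructed suggestion. Real Squid answers a failed proxy_auth with a 407 challenge rather than a plain denial, which the model does not reproduce.

```python
"""Added example (not Squid source, not the poster's config): a simplified model of
Squid's http_access evaluation that reproduces the "CONNECT www.sans.org:443 is
DENIED; last ACL checked: all" line from the thread, plus a check for the
directives Amos says to remove.  Only proxy_auth, url_regex, dstdomain and the
implicit 'all' ACL types are modelled."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Request:
    method: str
    url: str             # for CONNECT this is the authority form, e.g. "www.sans.org:443"
    host: str
    user: Optional[str]  # None until Proxy-Authorization has been validated


@dataclass
class Acl:
    kind: str
    args: List[str]
    case_insensitive: bool = False

    def matches(self, req: Request) -> bool:
        if self.kind == "all":
            return True
        if self.kind == "proxy_auth":  # real Squid replies 407 on failure; we just say "no"
            return req.user is not None and (self.args == ["REQUIRED"] or req.user in self.args)
        if self.kind == "url_regex":
            flags = re.I if self.case_insensitive else 0
            return any(re.search(p, req.url, flags) for p in self.args)
        if self.kind == "dstdomain":  # ".sans.org" covers sans.org and its subdomains
            h = req.host.lower()
            return any(h == d.lstrip(".") or (d.startswith(".") and h.endswith(d))
                       for d in (a.lower() for a in self.args))
        raise ValueError(f"ACL type not modelled: {self.kind}")


def parse(conf: str):
    """Collect 'acl' definitions and 'http_access' rules from a squid.conf fragment."""
    acls = {"all": Acl("all", [])}  # Squid 3.2+ predefines 'all'
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:1] == ["acl"]:
            name, kind, rest = words[1], words[2], words[3:]
            ci = rest[:1] == ["-i"]
            acls[name] = Acl(kind, rest[1:] if ci else rest, ci)
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules


def http_access(conf: str, req: Request) -> Tuple[str, str]:
    """Return (decision, last ACL checked).  A line matches only if every ACL on it
    matches; the first matching line decides.  With no match at all, Squid applies
    the opposite of the last line's action."""
    acls, rules = parse(conf)
    last = ""
    for action, names in rules:
        for name in names:
            negated = name.startswith("!")
            last = name.lstrip("!")
            if acls[last].matches(req) == negated:  # ACL failed (or a negated one matched)
                break
        else:
            return action, last
    return ("deny" if rules[-1][0] == "allow" else "allow"), last


RISKY = {  # directives Amos tells the poster to drop, and why
    "always_direct allow all": "workaround for a long-fixed 3.1 bug; not needed",
    "sslproxy_cert_error allow all": "silences every upstream certificate error",
    "sslproxy_flags DONT_VERIFY_PEER": "disables upstream certificate verification",
}


def audit(conf: str) -> List[str]:
    """Return the risky directives present in conf, in file order."""
    lines = (" ".join(line.split("#", 1)[0].split()) for line in conf.splitlines())
    return [d for d in lines if d in RISKY]


# The posted ACLs with a constructed guess at /etc/squid/acl/restrito: an absolute-URL
# pattern, which can never match the "host:port" a CONNECT presents to url_regex.
POSTED_CONF = r"""
acl password proxy_auth REQUIRED
acl jeca.tatu proxy_auth jeca.tatu
acl restrito url_regex -i ^https?://(www\.)?sans\.org/
http_access allow password jeca.tatu restrito
http_access deny all
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

# Constructed fix: match the CONNECT target by host, drop the redundant per-user ACL
# and the three directives flagged by audit().
FIXED_CONF = """
acl password proxy_auth REQUIRED
acl restrito_hosts dstdomain .sans.org
http_access allow password restrito_hosts
http_access deny all
"""

CONNECT_SANS = Request("CONNECT", "www.sans.org:443", "www.sans.org", "jeca.tatu")
```

Running `http_access(POSTED_CONF, CONNECT_SANS)` gives `('deny', 'all')`, the same decision and "last ACL checked" that cache.log reported, because the CONNECT's URL is `www.sans.org:443` and the absolute-URL regex fails on it; a bumped `GET https://www.sans.org/` would have matched, but with client-first bumping the CONNECT has to be allowed before Squid ever sees that GET. With `FIXED_CONF` the same CONNECT is allowed by `restrito_hosts`, an unauthenticated or off-list CONNECT still falls through to `deny all`, and `audit()` returns nothing.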