Hi, Sorry I am asking this question again. I am trying to setup HTTPS proxy using ssl-bump. I have followed steps mentioned in: http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit Following are Squid setup details: Squid Cache: Version 3.5.12 Service Name: squid Ubuntu linux configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--with-openssl' '--enable-ssl-crtd' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' Following is my squid.conf file: acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl step1 at_step SslBump1 http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access allow localhost http_access allow all http_port 3128 ssl-bump \ cert=/etc/squid/ssl_cert/squidCA.pem \ generate-host-certificates=on dynamic_cert_mem_cache_size=4MB https_port 3129 intercept ssl-bump generate-host-certificates=on \ dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squidCA.pem \ dhparams=/etc/squid/ssl_cert/dhparam.pem sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB debug_options ALL,1 3,5 4,5 11,5 17,5 23,5 46,5 78,5 rotate=1 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 refresh_pattern . 0 20% 4320 I get no errors while starting Squid. Following are the logs when Squid starts: 2017/02/23 09:59:53 kid1| Set Current Directory to /var/spool/squid 2017/02/23 09:59:53 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu... 2017/02/23 09:59:53 kid1| Service Name: squid 2017/02/23 09:59:53 kid1| Process ID 26236 2017/02/23 09:59:53 kid1| Process Roles: worker 2017/02/23 09:59:53 kid1| With 65535 file descriptors available 2017/02/23 09:59:53 kid1| Initializing IP Cache... 2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1525) dnsInit: idnsInit: attempt open DNS socket to: [::] 2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1534) dnsInit: idnsInit: attempt open DNS socket to: 0.0.0.0 2017/02/23 09:59:53.756 kid1| DNS Socket created at [::], FD 6 2017/02/23 09:59:53.756 kid1| DNS Socket created at 0.0.0.0, FD 7 2017/02/23 09:59:53.756 kid1| Adding nameserver 172.31.0.2 from /etc/resolv.conf 2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(321) idnsAddNameserver: idnsAddNameserver: Added nameserver #0 (172.31.0.2:53) 2017/02/23 09:59:53.756 kid1| Adding domain ap-south-1.compute.internal from /etc/resolv.conf 2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(350) idnsAddPathComponent: idnsAddPathComponent: Added domain #0: ap-south-1.compute.internal 2017/02/23 09:59:53.756 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes 2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got definition '%>a/%>A %un %>rm myip=%la myport=%lp' 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for possible 1C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for possible 1C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got definition '%>a/%>A %un %>rm myip=%la myport=%lp' 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for possible 1C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for possible 1C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token 2017/02/23 09:59:53.775 kid1| Logfile: opening log daemon:/var/log/squid/access.log 2017/02/23 09:59:53.775 kid1| Logfile Daemon: opening log /var/log/squid/access.log 2017/02/23 09:59:53.779 kid1| 23,5| url.cc(43) urlInitialize: urlInitialize: Initializing... 2017/02/23 09:59:53.779 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec 2017/02/23 09:59:53.779 kid1| Store logging disabled 2017/02/23 09:59:53.779 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects 2017/02/23 09:59:53.779 kid1| Target number of buckets: 1008 2017/02/23 09:59:53.779 kid1| Using 8192 Store buckets 2017/02/23 09:59:53.779 kid1| Max Mem size: 262144 KB 2017/02/23 09:59:53.779 kid1| Max Swap size: 0 KB 2017/02/23 09:59:53.779 kid1| Using Least Load store dir selection 2017/02/23 09:59:53.779 kid1| Set Current Directory to /var/spool/squid 2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse: Split URL 'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/image.png' into proto='http', host='ip-172-31-25-235', port='3128', path='/squid-internal-static/icons/silk/image.png' 2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse: Split URL 'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/page_white_text.png' into proto='http', host='ip-172-31-25-235', port='3128', path='/squid-internal-static/icons/silk/page_white_text.png' ****several urlParse logs like above. Removing them to shorten the email. Further logs below...**** 2017/02/23 09:59:53.815 kid1| Finished loading MIME types and icons. 2017/02/23 09:59:53.815 kid1| HTCP Disabled. 2017/02/23 09:59:53.815 kid1| Pinger socket opened on FD 25 2017/02/23 09:59:53.815 kid1| Squid plugin modules loaded: 0 2017/02/23 09:59:53.815 kid1| Adaptation support is off. 2017/02/23 09:59:53.815 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 22 flags=9 2017/02/23 09:59:53.815 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 23 flags=41 2017/02/23 09:59:53| pinger: Initialising ICMP pinger ... 2017/02/23 09:59:53| pinger: ICMP socket opened. 2017/02/23 09:59:53| pinger: ICMPv6 socket opened 2017/02/23 09:59:54 kid1| storeLateRelease: released 0 objects I tested this setup by providing proxy details to Firefox. Firefox was able to show HTTP websites but when I tried to open an HTTPS website I got following error: 2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33: (92) Protocol not available 2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33 2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.31.25.235:3129 remote=182.72.78.122:50656 FD 7 flags=33: (92) Protocol not available 2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50656 FD 7 flags=33 2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.31.25.235:3129 remote=182.72.78.122:50657 FD 7 flags=33: (92) Protocol not available 2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50657 FD 7 flags=33 I googled this error and found this mail thread which had similar problems: http://squid-web-proxy-cache.1019090.n4.nabble.com/NAT-TPROXY-lookup-failed-to-locate-original-IPs-td4675464.html I found this link from the above thread. I modified the steps for HTTPS from the below link: http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat Now my sysctl.conf is: net.ipv4.conf.all.rp_filter=0 net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.default.accept_source_route = 0 My iptables -t nat -L result: Chain PREROUTING (policy ACCEPT) target prot opt source destination ACCEPT tcp -- ec2-35-154-101-8.ap-south-1.compute.amazonaws.com anywhere tcp dpt:https DNAT tcp -- anywhere anywhere tcp dpt:https to:35.154.101.8:3129 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- anywhere anywhere Once this was done, I tried to hit HTTPS website from Firefox and now I get connection timeout error. Nothing shows in syslog, access.log or cache.log. Could you please help me resolve this. Thanks, Michael _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
