Hey Michael,

You will need to clear up a couple of things for us. First we will need one of the next outputs, or both:

    iptables-save
    iptables -L -nv

And then clear up where this proxy sits and what the network structure is. It's not clear if the squid box is the router or a machine somewhere on AWS. If you wish to pass traffic from a local router to one on AWS you will need to create a tunnel, using OpenVPN or a similar solution, and use some routing rules to pass the traffic from the local LAN to AWS without removing the original destination address.

When more details on the setup are available it will be much simpler to understand what is the root of some of the issues you are having.

All the best,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Test User
Sent: Friday, February 24, 2017 8:52 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: SSL-Bump: NAT/TPROXY lookup failed to locate original IPs

Hi,

Sorry I am asking this question again. I am trying to set up an HTTPS proxy using ssl-bump. I have followed the steps mentioned in:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Following are the Squid setup details:

    Squid Cache: Version 3.5.12
    Service Name: squid
    Ubuntu linux
    configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include'
      '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
      '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
      '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules'
      'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
      '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid'
      '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8'
      '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
      '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client'
      '--enable-follow-x-forwarded-for'
      '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
      '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper'
      '--enable-auth-ntlm=fake,smb_lm'
      '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
      '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp'
      '--enable-zph-qos' '--enable-ecap' '--with-openssl' '--enable-ssl-crtd'
      '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
      '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files'
      '--with-default-user=proxy' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter'
      'build_alias=x86_64-linux-gnu'
      'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall'
      'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
      'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
      'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

Following is my squid.conf file:

    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    acl step1 at_step SslBump1
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access allow localhost
    http_access allow all
    http_port 3128 ssl-bump \
        cert=/etc/squid/ssl_cert/squidCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
    https_port 3129 intercept ssl-bump generate-host-certificates=on \
        dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/squidCA.pem \
        dhparams=/etc/squid/ssl_cert/dhparam.pem
    sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
    sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
    sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
    debug_options ALL,1 3,5 4,5 11,5 17,5 23,5 46,5 78,5 rotate=1
    coredump_dir /var/spool/squid
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
    refresh_pattern .               0       20%     4320

I get no errors while starting Squid. Following are the logs when Squid starts:

    2017/02/23 09:59:53 kid1| Set Current Directory to /var/spool/squid
    2017/02/23 09:59:53 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
    2017/02/23 09:59:53 kid1| Service Name: squid
    2017/02/23 09:59:53 kid1| Process ID 26236
    2017/02/23 09:59:53 kid1| Process Roles: worker
    2017/02/23 09:59:53 kid1| With 65535 file descriptors available
    2017/02/23 09:59:53 kid1| Initializing IP Cache...
    2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1525) dnsInit: idnsInit: attempt open DNS socket to: [::]
    2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1534) dnsInit: idnsInit: attempt open DNS socket to: 0.0.0.0
    2017/02/23 09:59:53.756 kid1| DNS Socket created at [::], FD 6
    2017/02/23 09:59:53.756 kid1| DNS Socket created at 0.0.0.0, FD 7
    2017/02/23 09:59:53.756 kid1| Adding nameserver 172.31.0.2 from /etc/resolv.conf
    2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(321) idnsAddNameserver: idnsAddNameserver: Added nameserver #0 (172.31.0.2:53)
    2017/02/23 09:59:53.756 kid1| Adding domain ap-south-1.compute.internal from /etc/resolv.conf
    2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(350) idnsAddPathComponent: idnsAddPathComponent: Added domain #0: ap-south-1.compute.internal
    2017/02/23 09:59:53.756 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
    2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got definition '%>a/%>A %un %>rm myip=%la myport=%lp'
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for possible 1C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for possible 1C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got definition '%>a/%>A %un %>rm myip=%la myport=%lp'
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for possible 1C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for possible 1C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for possible Misc token
    2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for possible 2C token
    2017/02/23 09:59:53.775 kid1| Logfile: opening log daemon:/var/log/squid/access.log
    2017/02/23 09:59:53.775 kid1| Logfile Daemon: opening log /var/log/squid/access.log
    2017/02/23 09:59:53.779 kid1| 23,5| url.cc(43) urlInitialize: urlInitialize: Initializing...
    2017/02/23 09:59:53.779 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
    2017/02/23 09:59:53.779 kid1| Store logging disabled
    2017/02/23 09:59:53.779 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
    2017/02/23 09:59:53.779 kid1| Target number of buckets: 1008
    2017/02/23 09:59:53.779 kid1| Using 8192 Store buckets
    2017/02/23 09:59:53.779 kid1| Max Mem size: 262144 KB
    2017/02/23 09:59:53.779 kid1| Max Swap size: 0 KB
    2017/02/23 09:59:53.779 kid1| Using Least Load store dir selection
    2017/02/23 09:59:53.779 kid1| Set Current Directory to /var/spool/squid
    2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse: Split URL 'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/image.png' into proto='http', host='ip-172-31-25-235', port='3128', path='/squid-internal-static/icons/silk/image.png'
    2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse: Split URL 'http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/page_white_text.png' into proto='http', host='ip-172-31-25-235', port='3128', path='/squid-internal-static/icons/silk/page_white_text.png'

**** several urlParse logs like the above. Removing them to shorten the email. Further logs below... ****

    2017/02/23 09:59:53.815 kid1| Finished loading MIME types and icons.
    2017/02/23 09:59:53.815 kid1| HTCP Disabled.
    2017/02/23 09:59:53.815 kid1| Pinger socket opened on FD 25
    2017/02/23 09:59:53.815 kid1| Squid plugin modules loaded: 0
    2017/02/23 09:59:53.815 kid1| Adaptation support is off.
    2017/02/23 09:59:53.815 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 22 flags=9
    2017/02/23 09:59:53.815 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 23 flags=41
    2017/02/23 09:59:53| pinger: Initialising ICMP pinger ...
    2017/02/23 09:59:53| pinger: ICMP socket opened.
    2017/02/23 09:59:53| pinger: ICMPv6 socket opened
    2017/02/23 09:59:54 kid1| storeLateRelease: released 0 objects

I tested this setup by providing the proxy details to Firefox. Firefox was able to show HTTP websites, but when I tried to open an HTTPS website I got the following error:

    2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33: (92) Protocol not available
    2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33
    2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.31.25.235:3129 remote=182.72.78.122:50656 FD 7 flags=33: (92) Protocol not available
    2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50656 FD 7 flags=33
    2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.31.25.235:3129 remote=182.72.78.122:50657 FD 7 flags=33: (92) Protocol not available
    2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50657 FD 7 flags=33

I googled this error and found this mail thread, which had similar problems:
http://squid-web-proxy-cache.1019090.n4.nabble.com/NAT-TPROXY-lookup-failed-to-locate-original-IPs-td4675464.html

I found this link from the above thread. I modified the steps for HTTPS from the below link:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

Now my sysctl.conf is:

    net.ipv4.conf.all.rp_filter=0
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.default.accept_source_route = 0

My iptables -t nat -L result:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source                                             destination
    ACCEPT     tcp  --  ec2-35-154-101-8.ap-south-1.compute.amazonaws.com  anywhere             tcp dpt:https
    DNAT       tcp  --  anywhere                                           anywhere             tcp dpt:https to:35.154.101.8:3129

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  anywhere             anywhere

Once this was done, I tried to hit an HTTPS website from Firefox and now I get a connection timeout error. Nothing shows in syslog, access.log or cache.log.

Could you please help me resolve this.

Thanks,
Michael

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
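A small cache.log triage helper for the two intercept-port errors quoted in Michael's post (an added example, not code from the thread or from Squid): it pulls the listening port, the client address and the netfilter errno out of each failure pair, so you can confirm which port the connections actually arrived on and re-run it after a rule change to see whether the errors are gone. The sample input is built from the lines in the post.

```python
import re
from collections import Counter

# Sample input: four of the cache.log lines quoted in the thread above
# (constructed sample for this example, copied verbatim from the post).
SAMPLE_LOG = """\
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33: (92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50655 FD 7 flags=33
2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.31.25.235:3129 remote=182.72.78.122:50656 FD 7 flags=33: (92) Protocol not available
2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.31.25.235:3129 remote=182.72.78.122:50656 FD 7 flags=33
"""

# Squid logs the getsockopt failure first, then the generic lookup failure.
GETSOCKOPT_RE = re.compile(
    r"ERROR: NF getsockopt\(ORIGINAL_DST\) failed on local=(?P<local>\S+) "
    r"remote=(?P<remote>\S+) FD (?P<fd>\d+) flags=\d+: "
    r"\((?P<errno>\d+)\) (?P<msg>.+?)\s*$")
LOOKUP_RE = re.compile(
    r"ERROR: NAT/TPROXY lookup failed to locate original IPs on "
    r"local=(?P<local>\S+) remote=(?P<remote>\S+) FD (?P<fd>\d+)")


def parse_intercept_errors(text):
    """One record per getsockopt failure, plus lookup-failure counts per client IP."""
    failures, lookups = [], Counter()
    for line in text.splitlines():
        m = GETSOCKOPT_RE.search(line)
        if m:
            local_ip, local_port = m["local"].rsplit(":", 1)
            client_ip = m["remote"].rsplit(":", 1)[0]
            failures.append({"local_ip": local_ip, "local_port": int(local_port),
                             "client_ip": client_ip, "errno": int(m["errno"]),
                             "msg": m["msg"]})
            continue
        m = LOOKUP_RE.search(line)
        if m:
            lookups[m["remote"].rsplit(":", 1)[0]] += 1
    return failures, lookups


def summarize(text):
    """Condense the errors into what a triage note needs: port, clients, errno."""
    failures, lookups = parse_intercept_errors(text)
    return {
        "getsockopt_failures": len(failures),
        "lookup_failures": sum(lookups.values()),
        "intercept_ports": sorted({f["local_port"] for f in failures}),
        "client_ips": sorted({f["client_ip"] for f in failures}),
        # errno 92 is ENOPROTOOPT on Linux ("Protocol not available")
        "all_enoprotoopt": bool(failures) and all(f["errno"] == 92 for f in failures),
    }
```

Feed it the real cache.log with `summarize(open("/var/log/squid/cache.log").read())`; a non-empty `client_ips` from outside the LAN you intended to intercept is itself a finding worth checking against the NAT rules.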