Your firewall rules seem off. 192.168.1.32 is your client, as I saw in the log. But you are showing 10.3.141.0/24, so... try/look at this. Change interfaces where needed, of course.

# REDIRECT only exists in the nat table (PREROUTING/OUTPUT chains), so table and chain
# are given explicitly; LAN_INTERFACE and INTERNET_INTERFACE are placeholders to replace.
iptables -t nat -A PREROUTING -i LAN_INTERFACE -p tcp --dport 80 \
    -j REDIRECT --to-ports 3128 \
    -m comment --comment "Squid-Intercept 80->3128"
iptables -t nat -A PREROUTING -i LAN_INTERFACE -p tcp --dport 443 \
    -j REDIRECT --to-ports 3129 \
    -m comment --comment "Squid-Intercept 443->3129"
iptables -t nat -A POSTROUTING -o INTERNET_INTERFACE \
    -j MASQUERADE \
    -m comment --comment "IP-Masq allow internet"

Louis
________________________________________
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of jean francois hasson
Sent: Sunday 3 January 2021 19:15
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Setting up a transparent http and https proxy server using squid 4.6

Hi,

After reading more information on this kind of error I captured a few transactions with Wireshark running on the Raspberry Pi hosting squid 4.6 and openssl 1.1.1d. I captured some transactions when trying to access ebay.fr, which is currently not successful with the setup I have, with the error of inappropriate fallback mentioned below.

I am not familiar with TLS transactions so I will try to present a high level view of the transactions between the Raspberry Pi and the ebay.fr server. I hope you can guide me as to what I should focus on to understand, if
possible, the issue I have.

A bird's eye view of the transactions from Wireshark over time is:

No.  Time         Source        Destination   Protocol  Length  Info
23   0.175795327  192.168.1.32  192.168.1.1   DNS       71      Standard query 0x057e A www.ebay.fr
24   0.214678299  192.168.1.1   192.168.1.32  DNS       165     Standard query response 0x057e A www.ebay.fr CNAME slot11847.ebay.com.edgekey.net CNAME e11847.g.akamaiedge.net A 23.57.6.166
25   0.301067317  192.168.1.32  23.57.6.166   TCP       74      53934 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186690 TSecr=0 WS=128
26   0.302488046  192.168.1.32  23.57.6.166   TCP       74      53936 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186691 TSecr=0 WS=128
27   0.328959454  23.57.6.166   192.168.1.32  TCP       74      443 → 53934 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404062 TSecr=365186690 WS=128
28   0.329115340  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186718 TSecr=3470404062
29   0.329752684  192.168.1.32  23.57.6.166   TLSv1.2   583     Client Hello
30   0.330530288  23.57.6.166   192.168.1.32  TCP       74      443 → 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404064 TSecr=365186691 WS=128
31   0.330644819  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186719 TSecr=3470404064
32   0.331192579  192.168.1.32  23.57.6.166   TLSv1.2   583     Client Hello
35   0.351054404  192.168.1.32  192.168.1.98  TCP       54      5900 → 49903 [ACK] Seq=14256 Ack=97 Win=501 Len=0
36   0.363323884  23.57.6.166   192.168.1.32  TCP       66      443 → 53934 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404096 TSecr=365186719
37   0.364291801  23.57.6.166   192.168.1.32  TLSv1.2   1514    Server Hello
38   0.364347270  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186753 TSecr=3470404096
39   0.365482999  23.57.6.166   192.168.1.32  TCP       1514    443 → 53934 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
40   0.365535030  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186754 TSecr=3470404096
41   0.366217999  23.57.6.166   192.168.1.32  TCP       1266    443 → 53934 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404096 TSecr=365186719 [TCP segment of a reassembled PDU]
42   0.366279041  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186755 TSecr=3470404096
43   0.366321697  23.57.6.166   192.168.1.32  TCP       74      [TCP Retransmission] 443 → 53936 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404096 TSecr=365186691 WS=128
44   0.366410135  192.168.1.32  23.57.6.166   TCP       66      [TCP Dup ACK 31#1] 53936 → 443 [ACK] Seq=518 Ack=1 Win=64256 Len=0 TSval=365186755 TSecr=3470404064
45   0.366709770  23.57.6.166   192.168.1.32  TLSv1.2   991     Certificate, Certificate Status, Server Key Exchange, Server Hello Done
46   0.366754978  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186756 TSecr=3470404097
47   0.369138676  23.57.6.166   192.168.1.32  TCP       66      443 → 53936 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404102 TSecr=365186720
48   0.370432739  23.57.6.166   192.168.1.32  TLSv1.2   1514    Server Hello
49   0.370506906  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186759 TSecr=3470404102
50   0.371401125  23.57.6.166   192.168.1.32  TCP       1514    443 → 53936 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404102 TSecr=365186720 [TCP segment of a reassembled PDU]
51   0.371449250  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186760 TSecr=3470404102
52   0.372385968  23.57.6.166   192.168.1.32  TCP       1266    443 → 53936 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404102 TSecr=365186720 [TCP segment of a reassembled PDU]
53   0.372438156  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186761 TSecr=3470404102
54   0.372859562  23.57.6.166   192.168.1.32  TLSv1.2   991     Certificate, Certificate Status, Server Key Exchange, Server Hello Done
55   0.372905395  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186762 TSecr=3470404103
56   0.374064614  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186763 TSecr=3470404097
57   0.382856646  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186772 TSecr=3470404103
58   0.387044251  192.168.1.32  23.57.6.166   TCP       74      53938 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186776 TSecr=0 WS=128
59   0.401877325  192.168.1.32  23.57.6.166   TCP       74      53940 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=365186791 TSecr=0 WS=128
60   0.402472117  23.57.6.166   192.168.1.32  TCP       66      443 → 53934 [FIN, ACK] Seq=5022 Ack=519 Win=64768 Len=0 TSval=3470404136 TSecr=365186763
61   0.402574981  192.168.1.32  23.57.6.166   TCP       66      53934 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0 TSval=365186791 TSecr=3470404136
62   0.410122326  23.57.6.166   192.168.1.32  TCP       66      443 → 53936 [FIN, ACK] Seq=5022 Ack=519 Win=64768 Len=0 TSval=3470404143 TSecr=365186772
63   0.410185971  192.168.1.32  23.57.6.166   TCP       66      53936 → 443 [ACK] Seq=519 Ack=5023 Win=64128 Len=0 TSval=365186799 TSecr=3470404143
64   0.415533941  23.57.6.166   192.168.1.32  TCP       74      443 → 53938 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404148 TSecr=365186776 WS=128
65   0.415615607  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186804 TSecr=3470404148
66   0.416199514  192.168.1.32  23.57.6.166   TLSv1.2   583     Client Hello
67   0.429629098  23.57.6.166   192.168.1.32  TCP       74      443 → 53940 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3470404163 TSecr=365186791 WS=128
68   0.429722796  192.168.1.32  23.57.6.166   TCP       66      53940 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=365186819 TSecr=3470404163
69   0.430195036  192.168.1.32  23.57.6.166   TLSv1.2   583     Client Hello
70   0.449937225  23.57.6.166   192.168.1.32  TCP       66      443 → 53938 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404182 TSecr=365186805
71   0.451000037  23.57.6.166   192.168.1.32  TLSv1.2   1514    Server Hello
72   0.451064100  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186840 TSecr=3470404183
73   0.451980194  23.57.6.166   192.168.1.32  TCP       1514    443 → 53938 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404183 TSecr=365186805 [TCP segment of a reassembled PDU]
74   0.452031756  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186841 TSecr=3470404183
75   0.452935767  23.57.6.166   192.168.1.32  TCP       1266    443 → 53938 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404183 TSecr=365186805 [TCP segment of a reassembled PDU]
76   0.452991027  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186842 TSecr=3470404183
77   0.453443475  23.57.6.166   192.168.1.32  TLSv1.2   991     Certificate, Certificate Status, Server Key Exchange, Server Hello Done
78   0.453498215  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186842 TSecr=3470404184
79   0.461625715  192.168.1.32  23.57.6.166   TCP       66      53938 → 443 [FIN, ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186850 TSecr=3470404184
80   0.463463320  23.57.6.166   192.168.1.32  TCP       66      443 → 53940 [ACK] Seq=1 Ack=518 Win=64768 Len=0 TSval=3470404196 TSecr=365186819
81   0.464344413  23.57.6.166   192.168.1.32  TLSv1.2   1514    Server Hello
82   0.464433476  192.168.1.32  23.57.6.166   TCP       66      53940 → 443 [ACK] Seq=518 Ack=1449 Win=64128 Len=0 TSval=365186853 TSecr=3470404197
83   0.465538632  23.57.6.166   192.168.1.32  TCP       1514    443 → 53940 [PSH, ACK] Seq=1449 Ack=518 Win=64768 Len=1448 TSval=3470404197 TSecr=365186819 [TCP segment of a reassembled PDU]
84   0.465628789  192.168.1.32  23.57.6.166   TCP       66      53940 → 443 [ACK] Seq=518 Ack=2897 Win=64128 Len=0 TSval=365186854 TSecr=3470404197
85   0.466298945  23.57.6.166   192.168.1.32  TCP       1266    443 → 53940 [PSH, ACK] Seq=2897 Ack=518 Win=64768 Len=1200 TSval=3470404197 TSecr=365186819 [TCP segment of a reassembled PDU]
86   0.466437851  192.168.1.32  23.57.6.166   TCP       66      53940 → 443 [ACK] Seq=518 Ack=4097 Win=64128 Len=0 TSval=365186855 TSecr=3470404197
87   0.467042591  23.57.6.166   192.168.1.32  TLSv1.2   991     Certificate, Certificate Status, Server Key Exchange, Server Hello Done
88   0.467190976  192.168.1.32  23.57.6.166   TCP       66      53940 → 443 [ACK] Seq=518 Ack=5022 Win=64128 Len=0 TSval=365186856 TSecr=3470404197

I start my description with a Client Hello step from the Raspberry Pi
to the ebay.fr server:

No.  Time         Source        Destination  Protocol  Length  Info
29   0.329752684  192.168.1.32  23.57.6.166  TLSv1.2   583     Client Hello
...
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)

Then, there is another Client Hello step which seems quite similar to the previous one:

No.  Time         Source        Destination  Protocol  Length  Info
32   0.331192579  192.168.1.32  23.57.6.166  TLSv1.2   583     Client Hello
...
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)

Then a Server Hello:

No.  Time         Source       Destination   Protocol  Length  Info
37   0.364291801  23.57.6.166  192.168.1.32  TLSv1.2   1514    Server Hello
...
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 78
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 74
            Version: TLS 1.2 (0x0303)
            Random: 08f25b54bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e
                GMT Unix Time: Oct 4, 1974 08:40:20.000000000 Paris, Madrid (daylight saving time)
                Random Bytes: bfe62d98736a4e5e8cc5a3f4ab97c040c1a892a26110e4d704b2fd9e
            Session ID Length: 0
            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
...

So it seems the server found a common cipher with the client. I am not sure then what to look for. Frames 43 and 44 are detected by Wireshark as retransmissions but I am not sure it is a problem.

I noticed frame 45, which is about the Certificate, Certificate Status, Server Key Exchange and Server Hello Done:

No.  Time         Source       Destination   Protocol  Length  Info
45   0.366709770  23.57.6.166  192.168.1.32  TLSv1.2   991     Certificate, Certificate Status, Server Key Exchange, Server Hello Done

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4102
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            ...
    TLSv1.2 Record Layer: Handshake Protocol: Certificate Status
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 479
        Handshake Protocol: Certificate Status
            Handshake Type: Certificate Status (22)
            Length: 475
            Certificate Status Type: OCSP (1)
            OCSP Response Length: 471
            OCSP Response
            ...
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 333
        Handshake Protocol: Server Key Exchange
            Handshake Type: Server Key Exchange (12)
            Length: 329
            EC Diffie-Hellman Server Params
            ...
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 4
        Handshake Protocol: Server Hello Done
            Handshake Type: Server Hello Done (14)
            Length: 0
...

I noticed there is a mention of Diffie-Hellman which may require some attention but I am not sure.

I am sorry for all this information but I really look forward to knowing more and managing to sort this issue out. Is there anything in this information that is relevant to understanding the issue I have? Where should I focus?

Best regards,
JF

On 02/01/2021 at 11:26, jean francois hasson wrote:

Hi,

Thank you Amos Jeffries and Antony Stone. It seems the configuration I
have provides the functionality of filtering I am looking for.

There is a strange behavior I can see when accessing some legitimate sites, which I see traces of in cache.log:

2021/01/02 10:55:48 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2021/01/02 10:57:31 kid1| ERROR: negotiating TLS on FD 39: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:57:31 kid1| Error negotiating SSL connection on FD 38: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:57:32 kid1| ERROR: negotiating TLS on FD 38: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:57:32 kid1| Error negotiating SSL connection on FD 35: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:57:40 kid1| Starting new redirector helpers...
2021/01/02 10:57:40 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2021/01/02 10:58:09 kid1| ERROR: negotiating TLS on FD 51: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:58:09 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:58:10 kid1| ERROR: negotiating TLS on FD 51: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:58:10 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)

I noticed other users of squid encountered similar issues but I did not find a clear answer to the issue. Is there a problem with my setup? I am not sure I am able to solve it on my own! Any help would be appreciated.

Best regards,
JF Hasson

On 31/12/2020 at 10:14, Antony Stone wrote:

On Thursday 31 December 2020 at 10:10:11, jean francois hasson wrote:

If I set up on a device connected to the access point a proxy manually, i.e. 10.3.141.1 on port 8080, I can access the internet.

If I put the following rules for iptables to use in the file rules.v4:

*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.141.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.141.1:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE

Try removing the DNAT rules above. You should be using REDIRECT for intercept mode to work correctly.

Antony.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
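The "tlsv1 alert inappropriate fallback" lines in cache.log above are OpenSSL reporting that the origin server answered Squid's ClientHello with the TLS alert inappropriate_fallback (description 86). RFC 7507 has a server send that alert when the ClientHello carries the TLS_FALLBACK_SCSV signalling cipher suite (0x5600) while offering a protocol version lower than the server's highest one; the Client Hello dissection in the thread shows the offered handshake version (TLS 1.2) but not the cipher list, so it does not settle whether the SCSV was there. The script below is an added example, not code from Squid, OpenSSL or anyone in the thread: it serialises a few constructed ClientHellos (zero randoms, short cipher lists, all made up here), parses the fields a server looks at, and applies the RFC 7507 rule, so the same parser can be pointed at the raw handshake bytes exported from a capture. It also shows why the "Version: TLS 1.0 (0x0301)" on the record layer of the captured Client Hello is not itself a downgrade: a ClientHello's record-layer version may be 0x0301 for compatibility, and only the handshake version (or the supported_versions extension) states what the client offers.

```python
"""Decode a TLS ClientHello and apply the RFC 7507 TLS_FALLBACK_SCSV rule.

Added example for the thread above, not Squid or OpenSSL code. The sample
ClientHellos are constructed here (zero randoms, short cipher lists)."""
import struct

TLS_FALLBACK_SCSV = 0x5600           # RFC 7507 signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86    # alert description a server sends back
EXT_SUPPORTED_VERSIONS = 43          # RFC 8446 extension type
VERSION_NAME = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(client_version, cipher_suites, extensions=b""):
    """Minimal ClientHello in a handshake record.  The record-layer version is
    pinned to 0x0301, the 'Version: TLS 1.0' Wireshark shows on the captured
    record layer; it says nothing about the version actually offered."""
    body = struct.pack("!H", client_version)
    body += bytes(32)                                   # client_random (zeros: sample)
    body += b"\x00"                                     # session_id length 0
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                 # compression: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def supported_versions_ext(versions):
    """supported_versions extension as a TLS 1.3-capable client sends it."""
    vs = b"".join(struct.pack("!H", v) for v in versions)
    data = bytes([len(vs)]) + vs
    return struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data


def parse_client_hello(raw):
    """Extract the fields a server looks at for the fallback decision."""
    ctype, record_version, record_len = struct.unpack("!BHH", raw[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    hs = raw[5:5 + record_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[:2])[0]
    off = 2 + 32                                        # skip version + random
    off += 1 + body[off]                                # skip session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                                # skip compression_methods
    supported = []
    if off < len(body):                                 # extensions are optional
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                supported = [struct.unpack("!H", data[i:i + 2])[0]
                             for i in range(1, 1 + data[0], 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "supported_versions": supported,
            "has_scsv": TLS_FALLBACK_SCSV in suites}


def highest_offered(hello):
    """supported_versions wins when present, otherwise legacy client_version."""
    return max(hello["supported_versions"] or [hello["client_version"]])


def server_decision(hello, server_max=0x0303):
    """RFC 7507 section 3: with the SCSV present and the offered version below
    the server's highest, the server answers with inappropriate_fallback."""
    offered = highest_offered(hello)
    if hello["has_scsv"] and offered < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("server_hello", min(offered, server_max))


# Constructed sample hellos, not bytes from the capture.
SAMPLES = {
    "tls12_plain": build_client_hello(0x0303, [0xC02F, 0xC030]),
    # a retry after a failed handshake, downgraded to 1.1 with the SCSV appended
    "tls11_fallback": build_client_hello(0x0302, [0xC02F, TLS_FALLBACK_SCSV]),
    # SCSV at the client's real maximum is harmless against a TLS 1.2 server
    "tls12_with_scsv": build_client_hello(0x0303, [0xC02F, TLS_FALLBACK_SCSV]),
    # TLS 1.3-capable client: legacy_version 1.2 plus supported_versions
    "tls13_capable": build_client_hello(0x0303, [0x1301, 0xC02F, TLS_FALLBACK_SCSV],
                                        supported_versions_ext([0x0304, 0x0303])),
}


def classify_samples(server_max=0x0303):
    """Map each sample name to the server's RFC 7507 decision."""
    return {name: server_decision(parse_client_hello(raw), server_max)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        h = parse_client_hello(raw)
        print(f"{name:16} record={VERSION_NAME[h['record_version']]} "
              f"offered={VERSION_NAME[highest_offered(h)]} scsv={h['has_scsv']} "
              f"-> {server_decision(h)}")
```

The useful case to look for in a real capture is the second sample: a client that failed once, retried with a lower version and appended the SCSV gets alert 86 from any server that still supports the higher version, which is exactly what OpenSSL then reports as "tlsv1 alert inappropriate fallback". The third and fourth samples show that the SCSV by itself is not a problem; it only bites when the offered maximum is below the server's, which is why the same client can succeed against a TLS 1.2 server and fail against a TLS 1.3 one (pass server_max=0x0304 to classify_samples to see that).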