Hello!
I'm facing an issue regarding bypass authentication in some domains. I was following the official wiki here and it worked, but every HTTPS request (CONNECT method) that belongs to the exception that I've made receives a SSL error (ssl_error_rx_record_too_long). Below, the squid.conf content, squid version and telemetry content.
# squid -v
Squid Cache: Version 4.6
Service Name: squid
Debian linux
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info
' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--di
sable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTI
FY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'BUILDCXX=x86_64-linux-gnu-g++' '--with-build-environment=default' '--enable-build-info=Debian l
inux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-i
cap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '
--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,S
QL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=
fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdi
r=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-gnutls' '--enabl
e-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CC=x86_64-linux-gnu-gcc' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.6=. -fstack-protector-strong -Wfo
rmat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXX=x86_64-linux-gn
u-g++' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security'
Squid Cache: Version 4.6
Service Name: squid
Debian linux
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info
' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--di
sable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTI
FY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'BUILDCXX=x86_64-linux-gnu-g++' '--with-build-environment=default' '--enable-build-info=Debian l
inux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-i
cap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '
--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,S
QL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=
fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdi
r=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-gnutls' '--enabl
e-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CC=x86_64-linux-gnu-gcc' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.6=. -fstack-protector-strong -Wfo
rmat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXX=x86_64-linux-gn
u-g++' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security'
# cat /etc/squid/squid.conf
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
auth_param ntlm children 500
auth_param ntlm keep_alive on
auth_param basic program /usr/lib/squid/basic_ldap_auth -b ou=users,dc=mydomain,dc=com,dc=br -h 10.100.0.1 -p 389 -s sub -v 3 -f "uid=%s"
auth_param basic children 1000
auth_param basic realm Proxy Server ldap
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED
acl telemetry dstdomain "/etc/squid/exceptions/telemetry"
acl http proto http
acl port_443 port 443
acl port_80 port 80
http_access allow CONNECT port_443 telemetry
http_access allow http port_80 telemetry
http_access allow http port_80 password
http_access allow CONNECT port_443 password
http_access deny all
http_port 3128
acl hasRequest has request
access_log syslog:local4.warning squid hasRequest
visible_hostname proxy.mydomain.com.br
error_directory /usr/share/squid/errors/pt-br
cache_peer 127.0.0.1 parent 8080 0 login=*:password no-digest no-netdb-exchange
always_direct deny all
never_direct allow all
max_filedesc 65535
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
auth_param ntlm children 500
auth_param ntlm keep_alive on
auth_param basic program /usr/lib/squid/basic_ldap_auth -b ou=users,dc=mydomain,dc=com,dc=br -h 10.100.0.1 -p 389 -s sub -v 3 -f "uid=%s"
auth_param basic children 1000
auth_param basic realm Proxy Server ldap
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED
acl telemetry dstdomain "/etc/squid/exceptions/telemetry"
acl http proto http
acl port_443 port 443
acl port_80 port 80
http_access allow CONNECT port_443 telemetry
http_access allow http port_80 telemetry
http_access allow http port_80 password
http_access allow CONNECT port_443 password
http_access deny all
http_port 3128
acl hasRequest has request
access_log syslog:local4.warning squid hasRequest
visible_hostname proxy.mydomain.com.br
error_directory /usr/share/squid/errors/pt-br
cache_peer 127.0.0.1 parent 8080 0 login=*:password no-digest no-netdb-exchange
always_direct deny all
never_direct allow all
max_filedesc 65535
# cat /etc/squid/exceptions/telemetry
.data.microsoft.com
.telemetry.microsoft.com
.data.microsoft.com
.telemetry.microsoft.com
Below, the test accessing https://watson.telemetry.microsoft.com with curl:
$ curl --proxy http://myserver:3128 -vk https://watson.telemetry.microsoft.com/
* Trying 10.100.1.13:3128...
* TCP_NODELAY set
* Connected to myserver (10.100.1.13) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to watson.telemetry.microsoft.com:443
> CONNECT watson.telemetry.microsoft.com:443 HTTP/1.1
> Host: watson.telemetry.microsoft.com:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Trying 10.100.1.13:3128...
* TCP_NODELAY set
* Connected to myserver (10.100.1.13) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to watson.telemetry.microsoft.com:443
> CONNECT watson.telemetry.microsoft.com:443 HTTP/1.1
> Host: watson.telemetry.microsoft.com:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
With browser (Chrome):
Thanks,
--
Renato Carneiro Pacheco
Renato Carneiro Pacheco
Security Analyst
http://www.facebook.com/renatocarneirop
"Não acredite no que eu digo, pois é a minha experiência e não a sua. Experimente, indague e busque." - Osho Rajneesh
"Não acredite no que eu digo, pois é a minha experiência e não a sua. Experimente, indague e busque." - Osho Rajneesh
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
