Re: site opens only without ssl bump

Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> · Thu, 3 Nov 2022 14:25:24 -0400

On 11/3/22 10:17, Majed Zouhairy wrote:
here is the log:

1667471160.808     77 192.168.2.5 NONE_NONE/200 0 CONNECT ckko.nl:443 - HIER_NONE/- -

i added the following line to squid:

logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a 
%mt %err_code/%err_detail

Please do not redefine built-in formats like "squid". As you can see, 
your adjustment had no effect -- the log records do not end with -/- (or 
better). Follow the xsquid sketch (that I shared earlier) instead.

with either

ssl_bump peek all
ssl_bump splice all

or

ssl_bump peek tls_s1_connect
ssl_bump splice all

it still does not work.

Interesting. How about just:

  ssl_bump splice all

... which should splice the TCP connections before any TLS work begins.

Alex.

On 11/3/22 16:05, Alex Rousskov wrote:
On 11/3/22 05:43, Majed Zouhairy wrote:

i have 2 proxies, one with ssl bump and one without, there is a 
internal site that opens only on the no ssl bump proxy.

on the ssl bump proxy it displays:

What does Squid say in access.log for this problematic request? Please 
configure Squid to log %err_code/%err_detail before answering this 
question. For example:

logformat xsquid ...your regular %codes... %err_code/%err_detail
access_log ... xsquid

Does the site works if you temporary replace your ssl_bump rules with:

ssl_bump peek all
ssl_bump splice all

Does the site works if you temporary replace your ssl_bump rules with:

ssl_bump peek tls_s1_connect
ssl_bump splice all

Alex.

Не удается получить доступ к сайтуВеб-страница по адресу (i was 
unable to gain access to website:) 
https://test-auth.ias.ckko.nl/oauth/authorize?response_type=code&client_id=agoh1xHNNwaLZ65uspARyhYj7V8GTWla&state=guest&authentication=usbtoken&redirect_uri=https%3A%2F%2Fais.skko.by%2Foauth2%2Fcallback, 
возможно, временно недоступна или постоянно перемещена по новому 
адресу. (it is possible that it can not bbe reached or it has been 
permanently relocated to a new address)
ERR_TUNNEL_CONNECTION_FAILED

the site needs special configurations to run:
it needs a local proxy to run, avtunproxy.nl
in the internet explorer settings:
the second box in the proxy settings needs to be checked called the 
"use the scenario for automatic configuration"
in it, the proxy address is plugged
http://127.0.0.1:10224/proxy.pac

my bump settings are as follows:

acl     tls_s1_connect        at_step SslBump1
acl     tls_s2_client_hello     at_step SslBump2
acl     tls_s3_server_hello     at_step SslBump3

# define acls for sites that must not be actively bumped

acl     tls_allowed_hsts        ssl::server_name .akamaihd.net
acl     tls_allowed_hsts        ssl::server_name .proxy.ckko.nl
acl     tls_server_is_bank         ssl::server_name 
"/usr/local/ufdbguard/blacklists/finance/domains.squidsplice"
acl     tls_to_splice     any-of     tls_allowed_hsts tls_server_is_bank

# TLS/SSL bumping steps

ssl_bump         peek                tls_s1_connect         # peek at 
TLS/SSL connect data
ssl_bump         splice                 tls_to_splice        # splice 
some: no active bump
ssl_bump         stare                 all                    # 
stare(peek) at server
                                                         # properties 
of the webserver
ssl_bump         bump

contents of the 
/usr/local/ufdbguard/blacklists/finance/domains.squidsplice file:

.ckko.nl
.ias.ckko.nl
.test-auth.ias.ckko.nl
.config.avtunproxy.nl
.rand.avtunproxy.nl
.avast.nl
.dev.avast.nl
.ncis.nl
.cdn.nlpost.nl

those are all the sites that are logged in on the non ssl bump proxy 
when ias.ckko.nl is accessed

despite all this configuration, the site does not open. in ufdbguard 
every site from the user is a pass.

in avtunproxy log :

2022/11/03 12:22:17.087001 |INF| [UPDATER] [TrustFirmware] fetching 
https://ckko.nl/upload/certificates/8.crl
2022/11/03 12:28:34.634001 |ERR| [rid=ab7a9b1c9f39fb3e] 
[addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:34.635001 |INF| [rid=ab7a9b1c9f39fb3e] 
[addr=127.0.0.1:10523] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
2022/11/03 12:28:34.663001 |ERR| [rid=47fba344ff078bcf] 
[addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - 
read tcp 192.168.2.5:10527->10.0.0.18:8080: wsarecv: An existing 
connection was forcibly closed by the remote host.
2022/11/03 12:28:34.664001 |INF| [rid=47fba344ff078bcf] 
[addr=127.0.0.1:10526] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 17.000000 ms
2022/11/03 12:28:35.723001 |ERR| [rid=3f5ccf39ef0ae021] 
[addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.723001 |INF| [rid=3f5ccf39ef0ae021] 
[addr=127.0.0.1:10529] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
2022/11/03 12:28:35.748001 |ERR| [rid=c48d84308d001f59] 
[addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.748001 |INF| [rid=c48d84308d001f59] 
[addr=127.0.0.1:10531] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 12.000000 ms
2022/11/03 12:28:35.752001 |ERR| [rid=d181037283b2a34a] 
[addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:35.752001 |INF| [rid=d181037283b2a34a] 
[addr=127.0.0.1:10532] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 15.000000 ms
2022/11/03 12:28:40.775001 |ERR| [rid=27f00eecdbe53178] 
[addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - 
read tcp 192.168.2.5:10538->10.0.0.18:8080: wsarecv: An existing 
connection was forcibly closed by the remote host.
2022/11/03 12:28:40.775001 |INF| [rid=27f00eecdbe53178] 
[addr=127.0.0.1:10537] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 19.000000 ms
2022/11/03 12:28:40.815001 |ERR| [rid=79611bea389d7c9c] 
[addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] HTTP 500 - EOF
2022/11/03 12:28:40.816001 |INF| [rid=79611bea389d7c9c] 
[addr=127.0.0.1:10539] [PROXY parent=proxy.ckko.nl:8080] CONNECT 
test-oauth.ais.ckko.nl:443 -- 500 -- 14.000000 ms
2022/11/03 12:28:42.188001 |INF| [rid=7a104242baf9a559] 
[addr=127.0.0.1:10541] GET /static/jquery.js - HTTP 200 - OK
2022/11/03 12:28:42.190001 |INF| [rid=27a7baff0fe5d70e] 
[addr=127.0.0.1:10542] GET /static/bootstrap.js - HTTP 200 - OK
2022/11/03 12:28:42.192001 |INF| [rid=dbddaaa3f7759903] 
[addr=127.0.0.1:10459] GET /static/bootstrap.css - HTTP 200 - OK
2022/11/03 12:28:42.287001 |INF| [rid=7e81e98ea9c70d3f] 
[addr=127.0.0.1:10544] GET /api/v2/log

what is the solution?
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users