
SSL Virtual Hosting Problem

Hello everyone,

I'm trying to use squid as a TLS virtual hosting proxy on a system with a public IP in front of several internal systems running TLS web servers.

I would like to proxy the incoming connections to the appropriate backend servers based on the hostname using SNI.

I'm using the following config just to try this with 1 backend, and it already fails.

Here is the config:

http_port 3128
debug_options ALL,2
pinger_enable off
shutdown_lifetime 1 second
https_port 0.0.0.0:443 tproxy ssl-bump tls-cert=/root/dummy.pem
acl tlspls ssl::server_name_regex -i test\.regify\.com
cache_peer test.de.regify.com parent 443 0 proxy-only originserver no-digest no-netdb-exchange name=test
ssl_bump peek all
ssl_bump splice all
http_access allow all
cache_peer_access test allow all


Starting squid gives me the following:

2023/11/28 11:13:21.919| 1,2| main.cc(1619) SquidMain: Doing post-config initialization
2023/11/28 11:13:21.919| 1,2| main.cc(1621) SquidMain: running RegisteredRunner::finalizeConfig
2023/11/28 11:13:21.919| Created PID file (/run/squid.pid)
2023/11/28 11:13:21.921| 1,2| main.cc(1453) StartUsingConfig: running RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:21.921| 1,2| main.cc(1454) StartUsingConfig: running RegisteredRunner::useConfig
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1619) SquidMain: Doing post-config initialization
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1621) SquidMain: running RegisteredRunner::finalizeConfig
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1453) StartUsingConfig: running RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:21.988 kid1| 1,2| main.cc(1454) StartUsingConfig: running RegisteredRunner::useConfig
2023/11/28 11:13:21.988 kid1| Current Directory is /
2023/11/28 11:13:21.988 kid1| Creating missing swap directories
2023/11/28 11:13:21.988 kid1| No cache_dir stores are configured.
2023/11/28 11:13:21.992| 1,2| main.cc(2051) watch_child: running RegisteredRunner::finishShutdown
2023/11/28 11:13:21.992| Removing PID file (/run/squid.pid)
2023/11/28 11:13:22.063| 1,2| main.cc(1619) SquidMain: Doing post-config initialization
2023/11/28 11:13:22.063| 1,2| main.cc(1621) SquidMain: running RegisteredRunner::finalizeConfig
2023/11/28 11:13:22.063| Created PID file (/run/squid.pid)
2023/11/28 11:13:22.066| 1,2| main.cc(1453) StartUsingConfig: running RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:22.066| 1,2| main.cc(1454) StartUsingConfig: running RegisteredRunner::useConfig
2023/11/28 11:13:22.131 kid1| 1,2| main.cc(1619) SquidMain: Doing post-config initialization
2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1621) SquidMain: running RegisteredRunner::finalizeConfig
2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1453) StartUsingConfig: running RegisteredRunner::claimMemoryNeeds
2023/11/28 11:13:22.132 kid1| 1,2| main.cc(1454) StartUsingConfig: running RegisteredRunner::useConfig
2023/11/28 11:13:22.132 kid1| Current Directory is /
2023/11/28 11:13:22.132 kid1| Starting Squid Cache version 4.13 for x86_64-pc-linux-gnu...
2023/11/28 11:13:22.132 kid1| Service Name: squid
2023/11/28 11:13:22.132 kid1| Process ID 2863502
2023/11/28 11:13:22.132 kid1| Process Roles: worker
2023/11/28 11:13:22.132 kid1| With 1024 file descriptors available
2023/11/28 11:13:22.132 kid1| Initializing IP Cache...
2023/11/28 11:13:22.135 kid1| 78,2| dns_internal.cc(1570) Init: idnsInit: attempt open DNS socket to: 0.0.0.0
2023/11/28 11:13:22.135 kid1| DNS Socket created at 0.0.0.0, FD 5
2023/11/28 11:13:22.135 kid1| Adding domain de.regify.com from /etc/resolv.conf
2023/11/28 11:13:22.135 kid1| Adding nameserver 192.168.1.1 from /etc/resolv.conf
2023/11/28 11:13:22.135 kid1| helperOpenServers: Starting 5/32 'security_file_certgen' processes
2023/11/28 11:13:22.164 kid1| 46,2| Format.cc(71) parse: got definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2023/11/28 11:13:22.165 kid1| 46,2| Format.cc(71) parse: got definition '%>a/%>A %un %>rm myip=%la myport=%lp'
2023/11/28 11:13:22.165 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2023/11/28 11:13:22.165 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2023/11/28 11:13:22.194 kid1| 71,2| store_digest.cc(96) storeDigestCalcCap: have: 0, want 0 entries; limits: [1, 0]
2023/11/28 11:13:22.194 kid1| 70,2| CacheDigest.cc(46) init: capacity: 1 entries, bpe: ; size: 1 bytes
2023/11/28 11:13:22.194 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2023/11/28 11:13:22.194 kid1| Store logging disabled
2023/11/28 11:13:22.194 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/11/28 11:13:22.194 kid1| Target number of buckets: 1008
2023/11/28 11:13:22.194 kid1| Using 8192 Store buckets
2023/11/28 11:13:22.194 kid1| Max Mem  size: 262144 KB
2023/11/28 11:13:22.194 kid1| Max Swap size: 0 KB
2023/11/28 11:13:22.194 kid1| Using Least Load store dir selection
2023/11/28 11:13:22.194 kid1| Current Directory is /
2023/11/28 11:13:22.194 kid1| Finished loading MIME types and icons.
2023/11/28 11:13:22.332 kid1| 80,2| wccp.cc(113) wccpConnectionOpen: WCCPv1 disabled.
2023/11/28 11:13:22.332 kid1| 80,2| wccp2.cc(959) wccp2ConnectionOpen: WCCPv2 Disabled. No IPv4 Router(s) configured.
2023/11/28 11:13:22.332 kid1| 33,2| AsyncCall.cc(25) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x5636c42036d0 [call18]
2023/11/28 11:13:22.333 kid1| 33,2| AsyncCall.cc(92) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 22 flags=9, err=0, HTTP Socket port=0x5636c4203730) [call18]
2023/11/28 11:13:22.333 kid1| 33,2| AsyncCall.cc(25) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x5636c420ca50 [call20]
2023/11/28 11:13:22.337 kid1| 33,2| AsyncCall.cc(92) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD 23 flags=25, err=0, HTTPS Socket port=0x5636c420cab0) [call20]
2023/11/28 11:13:22.337 kid1| HTCP Disabled.
2023/11/28 11:13:22.337 kid1| Squid plugin modules loaded: 0
2023/11/28 11:13:22.337 kid1| Adaptation support is off.
2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach: Initialized 0 message adaptation services
2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach: Initialized 0 message adaptation service groups
2023/11/28 11:13:22.338 kid1| 93,2| Config.cc(224) FinalizeEach: Initialized 0 message adaptation access rules
2023/11/28 11:13:22.339 kid1| 33,2| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 22 flags=9, err=0, HTTP Socket port=0x5636c4203730)
2023/11/28 11:13:22.339 kid1| 33,2| AsyncCall.cc(37) make: make call clientListenerConnectionOpened [call18]
2023/11/28 11:13:22.339 kid1| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 22 flags=9
2023/11/28 11:13:22.346 kid1| 33,2| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:3128 remote=[::] FD 22 flags=9, err=0, HTTP Socket port=0x5636c4203730)
2023/11/28 11:13:22.346 kid1| 33,2| AsyncCallQueue.cc(55) fireNext: entering clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD 23 flags=25, err=0, HTTPS Socket port=0x5636c420cab0)
2023/11/28 11:13:22.346 kid1| 33,2| AsyncCall.cc(37) make: make call clientListenerConnectionOpened [call20]
2023/11/28 11:13:22.346 kid1| Accepting TPROXY intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:443 remote=[::] FD 23 flags=25
2023/11/28 11:13:22.352 kid1| 33,2| AsyncCallQueue.cc(57) fireNext: leaving clientListenerConnectionOpened(local=0.0.0.0:443 remote=[::] FD 23 flags=25, err=0, HTTPS Socket port=0x5636c420cab0)
2023/11/28 11:13:22.352 kid1| Configuring Parent test.de.regify.com/443/0
2023/11/28 11:13:22.353 kid1| 15,2| neighbors.cc(1198) peerDNSConfigure: --> IP address #0: 192.168.1.122
2023/11/28 11:13:22.368 kid1| 15,2| neighbors.cc(1272) peerConnectSucceded: TCP connection to test.de.regify.com/443 succeeded
2023/11/28 11:13:23 kid1| storeLateRelease: released 0 objects


Then when I call curl -k https://test.regify.com/

I get

The requested URL could not be retrieved

And the log has the following:


2023/11/28 11:15:05.467 kid1| 5,2| TcpAcceptor.cc(224) doAccept: New connection on FD 23
2023/11/28 11:15:05.467 kid1| 5,2| TcpAcceptor.cc(312) acceptNext: connection on local=0.0.0.0:443 remote=[::] FD 23 flags=25
2023/11/28 11:15:05.467 kid1| 17,2| QosConfig.cc(125) getNfmarkFromConnection: QOS: Failed to retrieve connection mark: (-1) (2) No such file or directory (Destination 192.168.1.132:443, source 192.168.1.124:60690)
2023/11/28 11:15:05.468 kid1| 33,2| client_side.cc(2742) httpsSslBumpAccessCheckDone: sslBump action peekneeded for local=192.168.1.132:443 remote=192.168.1.124:60690 FD 11 flags=17
2023/11/28 11:15:05.468 kid1| 33,2| client_side.cc(3418) fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for ssl-bump
2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(751) clientAccessCheckDone: The request CONNECT 192.168.1.132:443 is ALLOWED; last ACL checked: all
2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(729) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2023/11/28 11:15:05.468 kid1| 85,2| client_side_request.cc(751) clientAccessCheckDone: The request CONNECT 192.168.1.132:443 is ALLOWED; last ACL checked: all
2023/11/28 11:15:05.483 kid1| 17,2| FwdState.cc(142) FwdState: Forwarding client request local=192.168.1.132:443 remote=192.168.1.124:60690 FD 11 flags=17, url=192.168.1.132:443
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(316) peerSelectDnsPaths: Found sources for '192.168.1.132:443'
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(317) peerSelectDnsPaths:   always_direct = DENIED
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(318) peerSelectDnsPaths:    never_direct = DENIED
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(324) peerSelectDnsPaths:    ORIGINAL_DST = local=192.168.1.124 remote=192.168.1.132:443 flags=25
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(331) peerSelectDnsPaths:        timedout = 0
2023/11/28 11:16:05.433 kid1| 4,2| errorpage.cc(1259) BuildContent: No existing error page language negotiated for ERR_CONNECT_FAIL. Using default error file.
2023/11/28 11:16:05.433 kid1| 20,2| store.cc(985) checkCachable: StoreEntry::checkCachable: NO: not cachable
2023/11/28 11:16:05.433 kid1| 20,2| store.cc(985) checkCachable: StoreEntry::checkCachable: NO: not cachable
2023/11/28 11:16:05.463 kid1| 83,2| client_side.cc(2675) clientNegotiateSSL: New session 0x5636c4227330 on FD 11 (192.168.1.124:60690)
2023/11/28 11:16:05.464 kid1| 11,2| client_side.cc(1306) parseHttpRequest: HTTP Client local=192.168.1.132:443 remote=192.168.1.124:60690 FD 11 flags=17
2023/11/28 11:16:05.464 kid1| 11,2| client_side.cc(1307) parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: test.regify.com
User-Agent: curl/7.74.0
Accept: */*


----------
2023/11/28 11:16:05.464 kid1| 88,2| client_side_reply.cc(2062) processReplyAccessResult: The reply for GET https://test.regify.com/ is ALLOWED, because it matched (access_log daemon:/var/log/squid/access.log line)
2023/11/28 11:16:05.464 kid1| 11,2| Stream.cc(271) sendStartOfMessage: HTTP Client local=192.168.1.132:443 remote=192.168.1.124:60690 FD 11 flags=17
2023/11/28 11:16:05.464 kid1| 11,2| Stream.cc(272) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 503 Service Unavailable
Server: squid/4.13
Mime-Version: 1.0
Date: Tue, 28 Nov 2023 10:16:05 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3487
X-Squid-Error: ERR_CONNECT_FAIL 110
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from proxy
X-Cache-Lookup: NONE from proxy:3128
Via: 1.1 proxy (squid/4.13)
Connection: close


----------
2023/11/28 11:16:05.464 kid1| 20,2| store.cc(985) checkCachable: StoreEntry::checkCachable: NO: not cachable
2023/11/28 11:16:05.464 kid1| 33,2| client_side.cc(895) kick: local=192.168.1.132:443 remote=192.168.1.124:60690 flags=17 Connection was closed
2023/11/28 11:16:05.464 kid1| 33,2| client_side.cc(586) swanSong: local=192.168.1.132:443 remote=192.168.1.124:60690 flags=17
2023/11/28 11:16:05.465 kid1| 20,2| store.cc(985) checkCachable: StoreEntry::checkCachable: NO: not cachable

I've been reading the squid docs and other internet resources, but am failing to figure out why this is not working.

Any clue sticks would be appreciated.

Also appreciated would be advice on where to find this documented.


--
Mit Freundlichen Grüßen / Kind regards

Mario Theodoridis

regify GmbH
Römerstrasse 39 | D-78183 Hüfingen-Behla
Amtsgericht Freiburg HRB 709343
Phone: +49 771 8978 4238

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
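An added log checker (written for this archive page; it is not from the post or from Squid) that pulls out of a cache.log excerpt like the one above the three facts a reader would correlate: the ssl_bump decision, the ORIGINAL_DST that peer selection resolved for the faked CONNECT, and the final X-Squid-Error. It also flags when ORIGINAL_DST is the same address Squid accepted the connection on, as it is in the excerpt (192.168.1.132:443), since a tunnel to the "origin" would then be aimed at Squid itself. The sample lines are copied from the post's log; the regexes and field names are assumptions of this example.

```python
import re

# Constructed sample: the relevant lines of the cache.log excerpt in the post.
SAMPLE_LOG = """\
2023/11/28 11:15:05.468 kid1| 33,2| client_side.cc(2742) httpsSslBumpAccessCheckDone: sslBump action peekneeded for local=192.168.1.132:443 remote=192.168.1.124:60690 FD 11 flags=17
2023/11/28 11:15:05.483 kid1| 44,2| peer_select.cc(324) peerSelectDnsPaths:    ORIGINAL_DST = local=192.168.1.124 remote=192.168.1.132:443 flags=25
2023/11/28 11:16:05.433 kid1| 4,2| errorpage.cc(1259) BuildContent: No existing error page language negotiated for ERR_CONNECT_FAIL. Using default error file.
X-Squid-Error: ERR_CONNECT_FAIL 110
"""

# Field patterns are assumptions based on the debug lines shown in the post.
BUMP_RE = re.compile(r"sslBump action (\w+) for local=(\S+) remote=(\S+)")
ODST_RE = re.compile(r"ORIGINAL_DST = local=(\S+) remote=(\S+)")
ERR_RE = re.compile(r"X-Squid-Error: (\w+) (\d+)")


def analyse(log_text):
    """Correlate bump decision, original destination and final error
    for one intercepted TLS connection in a Squid debug log."""
    result = {"bump_action": None, "accepted_on": None, "original_dst": None,
              "error": None, "errno": None, "dst_is_proxy": False}
    for line in log_text.splitlines():
        m = BUMP_RE.search(line)
        if m:
            # local= is the address Squid accepted the client on.
            result["bump_action"], result["accepted_on"], _ = m.groups()
        m = ODST_RE.search(line)
        if m:
            # remote= here is where the client originally wanted to go.
            result["original_dst"] = m.group(2)
        m = ERR_RE.search(line)
        if m:
            # The trailing number is the OS errno; 110 is ETIMEDOUT on Linux,
            # which matches the 60 s gap between the peer_select lines and
            # the error page in the post's log.
            result["error"], result["errno"] = m.group(1), int(m.group(2))
    # If the original destination is Squid's own accepting address, the client
    # reached the proxy directly rather than being redirected through it, so the
    # peek/splice connection to the "origin server" would be aimed at Squid.
    if result["accepted_on"] and result["original_dst"]:
        result["dst_is_proxy"] = result["accepted_on"] == result["original_dst"]
    return result


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key:13} {value}")
```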



