Search squid archive

Re: Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

OK so the issue was that:

The http_port was used for ssl bump with intercept while the only port which can really intercept ssl connections is:

https_port

 

so I believe that there should be a warning about such a line in the cache log.

When there is http_port and intercept and ssl_bump there should be a warning.

 

Thanks,

Eliezer

 

From: NgTech LTD <ngtech1ltd@xxxxxxxxx>
Sent: Monday, August 19, 2024 10:48 AM
To: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic

 

I am testing Squid 6.10 on Fedora 40 (their package).
And it seems that Squid is unable to bump clients (ESNI/ECH)?

 

I had couple iterations of pek stare and bump and I am not sure what is the reason for that:
shutdown_lifetime 3 seconds
external_acl_type whitelist-lookup-helper ipv4 ttl=10 children-max=10 children-startup=2 \
        children-idle=2 concurrency=10 %URI %SRC /usr/local/bin/squid-conf-url-lookup.rb
acl whitelist-lookup external  whitelist-lookup-helper
acl ytmethods method POST GET
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
acl tubedoms dstdomain .ytimg.com .youtube.com .youtu.be
http_access allow ytmethods localnet tubedoms whitelist-lookup
http_access allow localnet
http_access deny all
http_port 3128
http_port 13128 ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 23128 tproxy ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 33128 intercept ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 5
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol respond all
acl monitoredSites ssl::server_name .youtube.com .ytimg.com
acl monitoredSitesRegex ssl::server_name_regex \.youtube\.com \.ytimg\.com
acl serverIsBank ssl::server_name .visa.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump bump all
strip_query_terms off
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
logformat ssl_custom_format %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
access_log daemon:/var/log/squid/access.log ssl_custom_format
##EOF

 

access.log from before:
1724028804.797    486 192.168.78.15 TCP_TUNNEL/200 17764 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028805.413      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.028      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.028      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.029      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.030      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.085     57 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
1724028806.086     56 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
1724028806.086     56 192.168.78.15 TCP_TUNNEL/200 4512 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
1724028806.208      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.213      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.338      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.469      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.596      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028807.006      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028807.262      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028808.922   5037 192.168.78.15 TCP_TUNNEL/200 6096 CONNECT 13.107.246.60:443 - ORIGINAL_DST/13.107.246.60 - -
1724028812.906   8336 192.168.78.15 TCP_TUNNEL/200 1071500 CONNECT 104.126.37.171:443 - ORIGINAL_DST/104.126.37.171 - -
1724028819.209 247893 192.168.78.15 TCP_TUNNEL/200 4023 CONNECT 142.250.186.34:443 - ORIGINAL_DST/142.250.186.34 - -
1724028820.097 250033 192.168.78.15 TCP_TUNNEL/200 549611 CONNECT 142.250.184.246:443 - ORIGINAL_DST/142.250.184.246 - -
1724028820.154 246850 192.168.78.15 TCP_TUNNEL/200 15119 CONNECT 216.58.206.65:443 - ORIGINAL_DST/216.58.206.65 - -
1724028820.164 246856 192.168.78.15 TCP_TUNNEL/200 3037 CONNECT 142.250.181.227:443 - ORIGINAL_DST/142.250.181.227 - -
1724028820.203 246893 192.168.78.15 TCP_TUNNEL/200 3031 CONNECT 172.217.16.196:443 - ORIGINAL_DST/172.217.16.196 - -
1724028822.656 271833 192.168.78.15 TCP_TUNNEL/200 387583 CONNECT 142.250.185.238:443 - ORIGINAL_DST/142.250.185.238 - -
1724028830.336      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028830.781    444 192.168.78.15 TCP_TUNNEL/200 18505 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028841.781 155018 192.168.78.15 TCP_TUNNEL/200 15960 CONNECT 13.107.6.158:443 - ORIGINAL_DST/13.107.6.158 - -
1724028849.443      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028849.698      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028865.261      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028865.779    517 192.168.78.15 TCP_TUNNEL/200 18557 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028870.718 109994 192.168.78.15 TCP_TUNNEL/200 6972 CONNECT 20.42.65.94:443 - ORIGINAL_DST/20.42.65.94 - -
1724028871.179  64583 192.168.78.15 TCP_TUNNEL/200 1903 CONNECT 104.18.10.207:443 - ORIGINAL_DST/104.18.10.207 - -
1724028871.179  63917 192.168.78.15 TCP_TUNNEL/200 2430 CONNECT 142.250.186.99:443 - ORIGINAL_DST/142.250.186.99 - -
1724028871.179  64709 192.168.78.15 TCP_TUNNEL/200 2439 CONNECT 142.250.185.170:443 - ORIGINAL_DST/142.250.185.170 - -
1724028871.308      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028871.731    422 192.168.78.15 TCP_TUNNEL/200 17789 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028872.486      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028873.477      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028873.745      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028873.902    424 192.168.78.15 TCP_TUNNEL/200 18520 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028877.056      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.430 312389 192.168.78.15 TCP_TUNNEL/200 7884 CONNECT 142.250.186.78:443 - ORIGINAL_DST/142.250.186.78 - -
1724028878.800      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028878.920      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028879.072      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028880.808   7062 192.168.78.15 TCP_TUNNEL/200 836391 CONNECT 104.126.37.145:443 - ORIGINAL_DST/104.126.37.145 - -
1724028882.468  33024 192.168.78.15 TCP_TUNNEL/200 1488697 CONNECT 49.12.59.2:443 - ORIGINAL_DST/49.12.59.2 - -
1724028883.728   6671 192.168.78.15 TCP_TUNNEL/200 69351 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028883.789   6728 192.168.78.15 TCP_TUNNEL/200 69216 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028883.797   6736 192.168.78.15 TCP_TUNNEL/200 104657 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028883.845   6784 192.168.78.15 TCP_TUNNEL/200 80277 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028884.460 170355 192.168.78.15 TCP_TUNNEL/200 44690 CONNECT 185.199.108.153:443 - ORIGINAL_DST/185.199.108.153 - -
1724028889.845 120370 192.168.78.15 TCP_TUNNEL/200 5868 CONNECT 104.126.37.161:443 - ORIGINAL_DST/104.126.37.161 - -
1724028890.011 122862 192.168.78.15 TCP_TUNNEL/200 136726 CONNECT 23.37.37.211:443 - ORIGINAL_DST/23.37.37.211 - -
1724028890.297 120381 192.168.78.15 TCP_TUNNEL/200 9176 CONNECT 2.18.140.238:443 - ORIGINAL_DST/2.18.140.238 - -
1724028891.212      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028891.365    152 192.168.78.15 TCP_TUNNEL/200 2359 CONNECT 142.250.185.138:443 - ORIGINAL_DST/142.250.185.138 - -
1724028893.885  90253 192.168.78.15 TCP_TUNNEL/200 6374 CONNECT 13.107.246.60:443 - ORIGINAL_DST/13.107.246.60 - -
1724028900.169      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028934.465 900262 192.168.78.15 TCP_TUNNEL/200 5530 CONNECT 52.123.243.197:443 - ORIGINAL_DST/52.123.243.197 - -
1724028960.494  60324 192.168.78.15 TCP_TUNNEL/503 0 CONNECT 172.217.16.206:443 - ORIGINAL_DST/172.217.16.206 - -
1724028960.494      0 192.168.78.15 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - -

 

Thanks for any help,



----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux