OK, so the issue was that the http_port was used for SSL bump with intercept, while the only port which can really intercept SSL connections is https_port, so I believe that there should be a warning about such a line in the cache log. When there is http_port with intercept and ssl_bump, there should be a warning.

Thanks,
Eliezer

From: NgTech LTD <ngtech1ltd@xxxxxxxxx>
Sent: Monday, August 19, 2024 10:48 AM
To: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic

I am testing Squid 6.10 on Fedora 40 (their package), and it seems that Squid is unable to bump clients (ESNI/ECH)? I had a couple of iterations of peek, stare and bump, and I am not sure what the reason for that is:

shutdown_lifetime 3 seconds

external_acl_type whitelist-lookup-helper ipv4 ttl=10 children-max=10 children-startup=2 \
  children-idle=2 concurrency=10 %URI %SRC /usr/local/bin/squid-conf-url-lookup.rb
acl whitelist-lookup external whitelist-lookup-helper

acl ytmethods method POST GET

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal

acl tubedoms dstdomain .ytimg.com .youtube.com .youtu.be
http_access allow ytmethods localnet tubedoms whitelist-lookup
http_access allow localnet
http_access deny all

http_port 3128
http_port 13128 ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 23128 tproxy ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 33128 intercept ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 5

acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol respond all

acl monitoredSites ssl::server_name .youtube.com .ytimg.com
acl monitoredSitesRegex ssl::server_name_regex \.youtube\.com \.ytimg\.com
acl serverIsBank ssl::server_name .visa.com

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump bump all

strip_query_terms off
coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

logformat ssl_custom_format %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
access_log daemon:/var/log/squid/access.log ssl_custom_format
##EOF

access.log from before:

1724028804.797    486 192.168.78.15 TCP_TUNNEL/200 17764 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028805.413      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.028      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.028      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.029      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.030      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.085     57 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
1724028806.086     56 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
1724028806.086     56 192.168.78.15 TCP_TUNNEL/200 4512 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
1724028806.208      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.213      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.338      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.469      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.596      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028807.006      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028807.262      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028808.922   5037 192.168.78.15 TCP_TUNNEL/200 6096 CONNECT 13.107.246.60:443 - ORIGINAL_DST/13.107.246.60 - -
1724028812.906   8336 192.168.78.15 TCP_TUNNEL/200 1071500 CONNECT 104.126.37.171:443 - ORIGINAL_DST/104.126.37.171 - -
1724028819.209 247893 192.168.78.15 TCP_TUNNEL/200 4023 CONNECT 142.250.186.34:443 - ORIGINAL_DST/142.250.186.34 - -
1724028820.097 250033 192.168.78.15 TCP_TUNNEL/200 549611 CONNECT 142.250.184.246:443 - ORIGINAL_DST/142.250.184.246 - -
1724028820.154 246850 192.168.78.15 TCP_TUNNEL/200 15119 CONNECT 216.58.206.65:443 - ORIGINAL_DST/216.58.206.65 - -
1724028820.164 246856 192.168.78.15 TCP_TUNNEL/200 3037 CONNECT 142.250.181.227:443 - ORIGINAL_DST/142.250.181.227 - -
1724028820.203 246893 192.168.78.15 TCP_TUNNEL/200 3031 CONNECT 172.217.16.196:443 - ORIGINAL_DST/172.217.16.196 - -
1724028822.656 271833 192.168.78.15 TCP_TUNNEL/200 387583 CONNECT 142.250.185.238:443 - ORIGINAL_DST/142.250.185.238 - -
1724028830.336      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028830.781    444 192.168.78.15 TCP_TUNNEL/200 18505 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028841.781 155018 192.168.78.15 TCP_TUNNEL/200 15960 CONNECT 13.107.6.158:443 - ORIGINAL_DST/13.107.6.158 - -
1724028849.443      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028849.698      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028865.261      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028865.779    517 192.168.78.15 TCP_TUNNEL/200 18557 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028870.718 109994 192.168.78.15 TCP_TUNNEL/200 6972 CONNECT 20.42.65.94:443 - ORIGINAL_DST/20.42.65.94 - -
1724028871.179  64583 192.168.78.15 TCP_TUNNEL/200 1903 CONNECT 104.18.10.207:443 - ORIGINAL_DST/104.18.10.207 - -
1724028871.179  63917 192.168.78.15 TCP_TUNNEL/200 2430 CONNECT 142.250.186.99:443 - ORIGINAL_DST/142.250.186.99 - -
1724028871.179  64709 192.168.78.15 TCP_TUNNEL/200 2439 CONNECT 142.250.185.170:443 - ORIGINAL_DST/142.250.185.170 - -
1724028871.308      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028871.731    422 192.168.78.15 TCP_TUNNEL/200 17789 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028872.486      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028873.477      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028873.745      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028873.902    424 192.168.78.15 TCP_TUNNEL/200 18520 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028877.056      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.430 312389 192.168.78.15 TCP_TUNNEL/200 7884 CONNECT 142.250.186.78:443 - ORIGINAL_DST/142.250.186.78 - -
1724028878.800      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028878.920      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028879.072      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028880.808   7062 192.168.78.15 TCP_TUNNEL/200 836391 CONNECT 104.126.37.145:443 - ORIGINAL_DST/104.126.37.145 - -
1724028882.468  33024 192.168.78.15 TCP_TUNNEL/200 1488697 CONNECT 49.12.59.2:443 - ORIGINAL_DST/49.12.59.2 - -
1724028883.728   6671 192.168.78.15 TCP_TUNNEL/200 69351 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028883.789   6728 192.168.78.15 TCP_TUNNEL/200 69216 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028883.797   6736 192.168.78.15 TCP_TUNNEL/200 104657 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028883.845   6784 192.168.78.15 TCP_TUNNEL/200 80277 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028884.460 170355 192.168.78.15 TCP_TUNNEL/200 44690 CONNECT 185.199.108.153:443 - ORIGINAL_DST/185.199.108.153 - -
1724028889.845 120370 192.168.78.15 TCP_TUNNEL/200 5868 CONNECT 104.126.37.161:443 - ORIGINAL_DST/104.126.37.161 - -
1724028890.011 122862 192.168.78.15 TCP_TUNNEL/200 136726 CONNECT 23.37.37.211:443 - ORIGINAL_DST/23.37.37.211 - -
1724028890.297 120381 192.168.78.15 TCP_TUNNEL/200 9176 CONNECT 2.18.140.238:443 - ORIGINAL_DST/2.18.140.238 - -
1724028891.212      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028891.365    152 192.168.78.15 TCP_TUNNEL/200 2359 CONNECT 142.250.185.138:443 - ORIGINAL_DST/142.250.185.138 - -
1724028893.885  90253 192.168.78.15 TCP_TUNNEL/200 6374 CONNECT 13.107.246.60:443 - ORIGINAL_DST/13.107.246.60 - -
1724028900.169      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028934.465 900262 192.168.78.15 TCP_TUNNEL/200 5530 CONNECT 52.123.243.197:443 - ORIGINAL_DST/52.123.243.197 - -
1724028960.494  60324 192.168.78.15 TCP_TUNNEL/503 0 CONNECT 172.217.16.206:443 - ORIGINAL_DST/172.217.16.206 - -
1724028960.494      0 192.168.78.15 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - -
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
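The configuration check Eliezer asks for, written here as an added example (not Squid's own code and not from the thread): it parses http_port lines, joining the backslash continuations used in the posted squid.conf, and flags any listener that combines intercept or tproxy with ssl-bump, printing the https_port form instead. It generalizes the thread's intercept case to tproxy, since intercepted TLS on either mode needs https_port; the sample config is constructed from the thread's listeners.

```python
"""Lint a squid.conf for the misconfiguration in this thread: a transparent
(intercept/tproxy) listener declared with http_port plus ssl-bump. Intercepted
TLS must land on https_port; on http_port the ClientHello is parsed as plain
HTTP, which is what the error:invalid-request / TCP_TUNNEL log lines show."""

# Constructed sample, reduced from the squid.conf posted in the thread.
SAMPLE_CONF = r"""
http_port 3128
http_port 13128 ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 23128 tproxy ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 33128 intercept ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump bump all
"""

TRANSPARENT_MODES = {"intercept", "tproxy"}


def logical_lines(conf):
    """Yield (line_no, text) with '\\' continuations joined and '#' comments dropped."""
    buf, start = [], 0
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not buf:
            start = no  # line number of the first physical line of this directive
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined:
            yield start, joined


def lint_ports(conf):
    """Return one finding per http_port line that tries to bump intercepted TLS."""
    findings = []
    for no, line in logical_lines(conf):
        parts = line.split()
        if parts[0] != "http_port" or len(parts) < 2:
            continue
        opts = set(parts[2:])
        mode = TRANSPARENT_MODES & opts
        if mode and "ssl-bump" in opts:
            findings.append({"line": no, "port": parts[1], "mode": mode.pop(),
                             "fix": "https_port " + " ".join(parts[1:])})
    return findings


if __name__ == "__main__":
    for f in lint_ports(SAMPLE_CONF):
        print(f"line {f['line']}: http_port {f['port']} uses {f['mode']} with ssl-bump; "
              f"intercepted TLS needs: {f['fix']}")
```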