Re: Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic

On 2024-08-23 06:29, ngtech1ltd@xxxxxxxxx wrote:
OK so the issue was that:

The http_port was used for ssl bump with intercept

I would not phrase it that way because "bump" is a red herring here. I would instead say that the issue was that "http_port was used for intercepted TLS traffic" or "intercepted TLS traffic was directed to http_port".


while the only port which can really intercept ssl connections is: https_port

Correct (for some definition of "ssl connections").


so I believe that ...
When there is http_port and intercept and ssl_bump there should be a warning.

When configuration X does not work for use case Y, there are several scenarios to consider when deciding whether Squid should warn about configuration X, including these three:

* When configuration X does not work at all, Squid should reject that configuration as invalid. It is not a warning; it is an error. This is not the case we are discussing (AFAICT) because "http_port intercept ssl-bump" does work in some cases.

* When configuration X does not work for use case Y, Squid should reject that configuration as invalid _if_ Squid can detect that it is being used for use case Y. This is not the case we are discussing (AFAICT) because Squid cannot detect (at configuration time) what traffic you intend to intercept and redirect to a given Squid port: It could be TLS. It could be plain HTTP. It could be a mix. Squid cannot tell.

* When an unusual configuration X does not work for common use cases, Squid may warn about it while giving the admin an ability to turn the warning off (to accommodate admins that utilize that configuration for some uncommon but valid use cases). One can argue that this is the case we are discussing: the "http_port intercept ssl-bump" configuration in question is unusual, does not work for common TLS interception cases, but can be used (AFAICT) to bump traffic between a client and an HTTP proxy. Quality pull requests (that take this email's considerations into account) are welcome.


HTH,

Alex.


*From:* NgTech LTD <ngtech1ltd@xxxxxxxxx>
*Sent:* Monday, August 19, 2024 10:48 AM
*To:* Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx>
*Subject:* Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic

I am testing Squid 6.10 on Fedora 40 (their package).
And it seems that Squid is unable to bump clients (ESNI/ECH)?

I had a couple of iterations of peek, stare and bump and I am not sure what the reason for that is:
shutdown_lifetime 3 seconds
external_acl_type whitelist-lookup-helper ipv4 ttl=10 children-max=10 children-startup=2 \
         children-idle=2 concurrency=10 %URI %SRC /usr/local/bin/squid-conf-url-lookup.rb
acl whitelist-lookup external  whitelist-lookup-helper
acl ytmethods method POST GET
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
acl tubedoms dstdomain .ytimg.com .youtube.com .youtu.be
http_access allow ytmethods localnet tubedoms whitelist-lookup
http_access allow localnet
http_access deny all
http_port 3128
http_port 13128 ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 23128 tproxy ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 33128 intercept ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 5
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol respond all
acl monitoredSites ssl::server_name .youtube.com .ytimg.com
acl monitoredSitesRegex ssl::server_name_regex \.youtube\.com \.ytimg\.com
acl serverIsBank ssl::server_name .visa.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump bump all
strip_query_terms off
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
logformat ssl_custom_format %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
access_log daemon:/var/log/squid/access.log ssl_custom_format
##EOF

access.log from before:
1724028804.797    486 192.168.78.15 TCP_TUNNEL/200 17764 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028805.413      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.028      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.028      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.029      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.030      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.085     57 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
1724028806.086     56 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
1724028806.086     56 192.168.78.15 TCP_TUNNEL/200 4512 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
1724028806.208      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.213      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.338      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.469      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.596      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028807.006      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028807.262      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028808.922   5037 192.168.78.15 TCP_TUNNEL/200 6096 CONNECT 13.107.246.60:443 - ORIGINAL_DST/13.107.246.60 - -
1724028812.906   8336 192.168.78.15 TCP_TUNNEL/200 1071500 CONNECT 104.126.37.171:443 - ORIGINAL_DST/104.126.37.171 - -
1724028819.209 247893 192.168.78.15 TCP_TUNNEL/200 4023 CONNECT 142.250.186.34:443 - ORIGINAL_DST/142.250.186.34 - -
1724028820.097 250033 192.168.78.15 TCP_TUNNEL/200 549611 CONNECT 142.250.184.246:443 - ORIGINAL_DST/142.250.184.246 - -
1724028820.154 246850 192.168.78.15 TCP_TUNNEL/200 15119 CONNECT 216.58.206.65:443 - ORIGINAL_DST/216.58.206.65 - -
1724028820.164 246856 192.168.78.15 TCP_TUNNEL/200 3037 CONNECT 142.250.181.227:443 - ORIGINAL_DST/142.250.181.227 - -
1724028820.203 246893 192.168.78.15 TCP_TUNNEL/200 3031 CONNECT 172.217.16.196:443 - ORIGINAL_DST/172.217.16.196 - -
1724028822.656 271833 192.168.78.15 TCP_TUNNEL/200 387583 CONNECT 142.250.185.238:443 - ORIGINAL_DST/142.250.185.238 - -
1724028830.336      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028830.781    444 192.168.78.15 TCP_TUNNEL/200 18505 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028841.781 155018 192.168.78.15 TCP_TUNNEL/200 15960 CONNECT 13.107.6.158:443 - ORIGINAL_DST/13.107.6.158 - -
1724028849.443      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028849.698      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028865.261      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028865.779    517 192.168.78.15 TCP_TUNNEL/200 18557 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028870.718 109994 192.168.78.15 TCP_TUNNEL/200 6972 CONNECT 20.42.65.94:443 - ORIGINAL_DST/20.42.65.94 - -
1724028871.179  64583 192.168.78.15 TCP_TUNNEL/200 1903 CONNECT 104.18.10.207:443 - ORIGINAL_DST/104.18.10.207 - -
1724028871.179  63917 192.168.78.15 TCP_TUNNEL/200 2430 CONNECT 142.250.186.99:443 - ORIGINAL_DST/142.250.186.99 - -
1724028871.179  64709 192.168.78.15 TCP_TUNNEL/200 2439 CONNECT 142.250.185.170:443 - ORIGINAL_DST/142.250.185.170 - -
1724028871.308      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028871.731    422 192.168.78.15 TCP_TUNNEL/200 17789 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028872.486      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028873.477      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028873.745      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028873.902    424 192.168.78.15 TCP_TUNNEL/200 18520 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028877.056      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.060      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028877.430 312389 192.168.78.15 TCP_TUNNEL/200 7884 CONNECT 142.250.186.78:443 - ORIGINAL_DST/142.250.186.78 - -
1724028878.800      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028878.920      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028879.072      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028880.808   7062 192.168.78.15 TCP_TUNNEL/200 836391 CONNECT 104.126.37.145:443 - ORIGINAL_DST/104.126.37.145 - -
1724028882.468  33024 192.168.78.15 TCP_TUNNEL/200 1488697 CONNECT 49.12.59.2:443 - ORIGINAL_DST/49.12.59.2 - -
1724028883.728   6671 192.168.78.15 TCP_TUNNEL/200 69351 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028883.789   6728 192.168.78.15 TCP_TUNNEL/200 69216 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028883.797   6736 192.168.78.15 TCP_TUNNEL/200 104657 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028883.845   6784 192.168.78.15 TCP_TUNNEL/200 80277 CONNECT 52.216.185.251:443 - ORIGINAL_DST/52.216.185.251 - -
1724028884.460 170355 192.168.78.15 TCP_TUNNEL/200 44690 CONNECT 185.199.108.153:443 - ORIGINAL_DST/185.199.108.153 - -
1724028889.845 120370 192.168.78.15 TCP_TUNNEL/200 5868 CONNECT 104.126.37.161:443 - ORIGINAL_DST/104.126.37.161 - -
1724028890.011 122862 192.168.78.15 TCP_TUNNEL/200 136726 CONNECT 23.37.37.211:443 - ORIGINAL_DST/23.37.37.211 - -
1724028890.297 120381 192.168.78.15 TCP_TUNNEL/200 9176 CONNECT 2.18.140.238:443 - ORIGINAL_DST/2.18.140.238 - -
1724028891.212      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028891.365    152 192.168.78.15 TCP_TUNNEL/200 2359 CONNECT 142.250.185.138:443 - ORIGINAL_DST/142.250.185.138 - -
1724028893.885  90253 192.168.78.15 TCP_TUNNEL/200 6374 CONNECT 13.107.246.60:443 - ORIGINAL_DST/13.107.246.60 - -
1724028900.169      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028934.465 900262 192.168.78.15 TCP_TUNNEL/200 5530 CONNECT 52.123.243.197:443 - ORIGINAL_DST/52.123.243.197 - -
1724028960.494  60324 192.168.78.15 TCP_TUNNEL/503 0 CONNECT 172.217.16.206:443 - ORIGINAL_DST/172.217.16.206 - -
1724028960.494      0 192.168.78.15 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- - -

Thanks for any help,



----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
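The fix Alex's reply points at, written out as a squid.conf fragment. This is an added example, not configuration from the post or from the Squid project: the port numbers follow the post, the interface name and the firewall redirect rules are assumptions, and the splice ACL is only a placeholder for whatever must not be decrypted on your network. The forward-proxy port keeps ssl-bump on http_port because that is the case (CONNECT from a proxy-aware client) where it is valid; the intercept and tproxy ports move to https_port, because those receive raw TLS from the kernel redirect.

```squid
# Forward proxy: proxy-aware clients send CONNECT here, so ssl-bump on an
# http_port is correct (this is the "does work in some cases" case).
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Intercepted plain HTTP (firewall redirects TCP/80 here). No TLS on the
# wire, so no ssl-bump options belong on this port.
http_port 3129 intercept

# Wrong for intercepted TLS (the post's 33128 line): the kernel hands
# Squid a raw TLS ClientHello, the HTTP parser rejects it, and the log
# fills with error:invalid-request and on_unsupported_protocol tunnels.
#http_port 33128 intercept ssl-bump \
#    tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
#    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Right: https_port expects TLS on the wire and runs the ssl_bump steps
# on it. The same change applies to the tproxy port (23128 in the post).
https_port 33128 intercept ssl-bump \
    tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 23128 tproxy ssl-bump \
    tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 5

# Peek at step 1 so the ClientHello (and its SNI) is read before any
# decision; "bump all" as the only rule decides blind, before the SNI
# is known, so ssl::server_name ACLs can never match. The splice list is
# a placeholder for sites you must not decrypt (assumed example).
acl step1 at_step SslBump1
acl no_bump ssl::server_name .visa.com
ssl_bump peek step1
ssl_bump splice no_bump
ssl_bump bump all

# Firewall side (assumed: LAN on eth1, Squid running on the gateway):
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80  -j REDIRECT --to-ports 3129
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-ports 33128
```

After the change, a working setup shows entries with real methods and https:// URLs (and a populated %ssl::>sni column in the post's logformat) instead of only CONNECT tunnels; a log that still contains nothing but TCP_TUNNEL and error:invalid-request means TLS is still landing on an http_port.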


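Two checks a practitioner would run against the symptom in this thread, as an added example that is not part of the post or of Squid. The first shows what Squid can only learn once bytes arrive on an intercept port (Alex's point that the configuration parser cannot know whether TLS or plain HTTP will be redirected there): it classifies the first bytes of a connection as a TLS ClientHello or an HTTP request. The second reads lines in the post's ssl_custom_format and reports whether anything was actually bumped, or whether, as in the log above, every entry is either a blind tunnel or a parser rejection. SAMPLE_LOG lines are copied from the post; HEALTHY_LOG and the byte samples are constructed here, and all function names are ours.

```python
"""Added example: first-bytes classification and access.log triage for the
http_port-vs-https_port intercept problem discussed in the thread."""
import re
from collections import Counter

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")

# Constructed: TLS record header (handshake, version 3.1, length 0x2f)
# followed by a ClientHello handshake header; the body is zero padding.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-clienthello', 'http' or 'unknown' for the first bytes a
    client sent. Only the record and handshake headers are inspected."""
    if (len(data) >= 6 and data[0] == 0x16           # handshake record
            and data[1] == 0x03 and data[2] <= 0x04  # SSL3/TLS record version
            and data[5] == 0x01):                    # ClientHello
        return "tls-clienthello"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


# Field order of the post's logformat:
# %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<tr>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>[A-Z_]+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s+(?P<sni>\S+)$"
)


def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str) -> dict:
    """Count tunnels, parser rejections and bumped requests; give a verdict."""
    counts = Counter()
    sni_seen = False
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts["total"] += 1
        if rec["url"] == "error:invalid-request":
            counts["invalid_request"] += 1   # HTTP parser rejected the bytes
        elif rec["status"] == "TCP_TUNNEL" and rec["method"] == "CONNECT":
            counts["tunnel"] += 1            # blind tunnel, nothing decrypted
        elif rec["url"].startswith("https://"):
            counts["bumped"] += 1            # only possible after TLS termination
        if rec["sni"] != "-":
            sni_seen = True
    if counts["bumped"] == 0 and counts["invalid_request"] and not sni_seen:
        verdict = ("no bumped requests and no SNI logged: intercepted TLS is "
                   "reaching an http_port; use https_port intercept ssl-bump")
    elif counts["bumped"]:
        verdict = "TLS is being terminated: bumped requests present"
    else:
        verdict = "inconclusive"
    result = {k: counts[k] for k in ("total", "tunnel", "invalid_request", "bumped")}
    result["sni_seen"] = sni_seen
    result["verdict"] = verdict
    return result


# Lines copied from the post's access.log.
SAMPLE_LOG = """\
1724028804.797    486 192.168.78.15 TCP_TUNNEL/200 17764 CONNECT 40.126.31.73:443 - ORIGINAL_DST/40.126.31.73 - -
1724028805.413      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.028      0 192.168.78.15 NONE_NONE/000 0 - error:invalid-request - HIER_NONE/- - -
1724028806.085     57 192.168.78.15 TCP_TUNNEL/200 4513 CONNECT 104.18.72.113:443 - ORIGINAL_DST/104.18.72.113 - -
1724028960.494  60324 192.168.78.15 TCP_TUNNEL/503 0 CONNECT 172.217.16.206:443 - ORIGINAL_DST/172.217.16.206 - -
"""

# Constructed: what one bumped request looks like in the same format.
HEALTHY_LOG = ("1724028900.000    120 192.168.78.15 TCP_MISS/200 5123 GET "
               "https://www.youtube.com/ - ORIGINAL_DST/142.250.185.238 "
               "text/html www.youtube.com\n")

if __name__ == "__main__":
    print(classify_first_bytes(TLS_CLIENT_HELLO), classify_first_bytes(b"GET / HTTP/1.1\r\n"))
    print(triage(SAMPLE_LOG))
    print(triage(HEALTHY_LOG))
```

The tunnel entries in the post are consistent with its `on_unsupported_protocol tunnel foreignProtocol` rule catching the rejected ClientHello and passing it through blind; either way, nothing in that log was decrypted, which is what the verdict keys on.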
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
