Re: [squid-users] ssl-bump, server-first

From: Delton <delton_at_bnpapel.com.br>
Date: Wed, 20 Mar 2013 07:54:58 -0300

On 20/03/2013 02:19, Amos Jeffries wrote:
> On 20/03/2013 9:48 a.m., Alex Rousskov wrote:
>> On 03/19/2013 01:27 PM, Delton wrote:
>>> Dear,
>>>
>>> I compiled Squid 3.3.3 on a Debian 7 with the --enable-ssl and
>>> --enable-ssl-crtd.
>>>
>>> I would like Squid to show an error message to the user who accesses a
>>> blocked page, for example https://www.facebook.com
>>>
>>> It worked more or less: I imported the root certificate in the browser and,
>>> when I access an HTTPS site, the certificate is displayed correctly.
>> Do you meant that everything works for non-blocked sites?
When accessing any site over HTTP, everything works.
For HTTPS, when the site is not blocked, it is displayed with problems:
some objects need to be reloaded before they are shown.
For HTTPS, when the site is blocked, sometimes the Squid error message appears
and sometimes the browser's own connection-failure message is displayed.
>>> With the option 'ssl-server-first bump all' active, the site is not
>>> displayed correctly.
>> There is no "ssl-server-first" directive in Squid. Did you mean
>> "ssl_bump ssl-server-first all"? You configuration shows:
Sorry, that was a copying error in my squid.conf. Below is my correct
squid.conf. The option used is 'ssl_bump ssl-server-first all'.
>>
>>> ssl_bump first-server all
>> There is no "first-server" option for ssl_bump. Did you mean
>> "server-first"?
>>
>> Please fix your configuration and retest. If you are still having
>> problems, please clarify what works, what does not, and what
>> configuration (or request) changes result in problems.
>>
>>
>>> The logs showed, for example:
>>>
>>> 1363716588.893 364 192.168.0.52 TCP_MISS/200 24765 GET https://www.google.com.br/ - PINNED/2800:3f0:4001:804::101f text/html
>>>
>>> Then I applied the following patch:
>>>
>>> http://master.squid-cache.org/~amosjeffries/patches/pinning_hier_note.patch
>>>
>>> Now PINNED is no longer displayed in the logs, but even so the sites
>>> do not display correctly.
>> You should see PINNED for requests sent over correctly bumped SSL
>> connections. AFAIK, Amos' patch fixes the wrong IPv6 address. The
>> "PINNED" part before that IPv6 address was not wrong.
I do not use IPv6.
>>
>> Amos, will your pinning_hier_note.patch patch log forward bumped
>> requests as non-PINNED?
>
> The patch just causes the actually selected peer information to be
> displayed instead of the next-retry peer. Initial testing of that
> patch showed a second bug that the server connection was not marked
> PINNED properly when the pinning was performed - so it showed as
> DIRECT in the log mostly.
>
>
>>
>>> When accessing facebook.com, the first thing shown is the browser's default
>>> message: there are connection problems. Pressing F5 properly displays the
>>> Squid page with the message Access Denied.
>> Interesting. I do not know what exactly can cause that,
>
> The difference is that F5 invokes the browser cache to be overridden.
> There must be something stored there which is joining the transaction
> - ie revalidating a cached object over the HTTPS connection making
> squids error response act like a revalidate failed instead of a fetch
> failed.
The first time I access the site (directly, no F5):

1363776566.837 0 192.168.0.52 TCP_DENIED/200 0 CONNECT www.facebook.com:443 - HIER_NONE/- -
1363776566.912 0 192.168.0.52 NONE/403 3575 GET https://www.facebook.com/ - HIER_NONE/- text/html

I see the error message from Squid.

The second time (pressing F5):

No log entry; the browser's error message is shown.

The third time (pressing F5 again):

1363776753.173 0 192.168.0.52 TCP_DENIED/200 0 CONNECT www.facebook.com:443 - HIER_NONE/- -
1363776753.186 0 192.168.0.52 NONE/403 3575 GET https://www.facebook.com/ - HIER_NONE/- text/html

I see the error message from Squid.
>
>> but let's start
>> with fixing your configuration as discussed above.
>>
>>
>> Thank you,
>>
>> Alex.
>>
>
> Amos
>
My squid.conf:

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

acl block url_regex .facebook.com
http_access deny block
# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/bnpapel.pem

sslcrtd_program /usr/src/squid-3.3.3/src/ssl/ssl_crtd -s /etc/squid3/ssl_cert/ssl_db -M 4MB
sslcrtd_children 5

# SSL Settings #

ssl_bump server-first all
sslproxy_cert_error deny all

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
Received on Wed Mar 20 2013 - 10:54:59 MDT

This archive was generated by hypermail 2.2.0 : Wed Mar 20 2013 - 12:00:06 MDT
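Added example (mine, not part of the thread or of Squid's own code): a small Python parser for the native access.log format quoted in the message above. It reads the three log lines from this message plus one constructed line with a DIRECT hierarchy code (an assumption, standing in for a bumped request that was forwarded without its PINNED mark), pairs the TCP_DENIED/200 CONNECT with the NONE/403 GET that Squid logs for the first request inside the bumped tunnel (the pattern seen when the Squid error page is displayed), and lists bumped requests that were forwarded without PINNED. The field layout follows Squid's native log format; the pairing window and the "unpinned bumped request" check are my own heuristics.

```python
"""Parse Squid native access.log lines and correlate an ssl-bump denial.

Native format (one request per line):
  time.ms elapsed client result/status bytes method URL user hier/peer content-type
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the three lines quoted in the thread, plus one line with a
# DIRECT hierarchy code (assumption, not from the message) standing in for a bumped
# request that was forwarded without being marked PINNED.
SAMPLE_LOG = """\
1363716588.893    364 192.168.0.52 TCP_MISS/200 24765 GET https://www.google.com.br/ - PINNED/2800:3f0:4001:804::101f text/html
1363716600.100    120 192.168.0.52 TCP_MISS/200 5120 GET https://www.example.org/ - DIRECT/192.0.2.10 text/html
1363776566.837      0 192.168.0.52 TCP_DENIED/200 0 CONNECT www.facebook.com:443 - HIER_NONE/- -
1363776566.912      0 192.168.0.52 NONE/403 3575 GET https://www.facebook.com/ - HIER_NONE/- text/html
"""


@dataclass
class Entry:
    ts: float        # request completion time, Unix seconds
    elapsed_ms: int
    client: str
    result: str      # Squid result code: TCP_MISS, TCP_DENIED, NONE, ...
    status: int      # HTTP status sent to the client
    size: int
    method: str
    url: str         # CONNECT lines carry host:port; bumped requests carry a full https:// URL
    user: str
    hier: str        # hierarchy code: DIRECT, PINNED, HIER_NONE, ...
    peer: str        # peer address, or "-" when nothing was forwarded
    ctype: str


def parse_line(line: str) -> Entry:
    """Split one native access.log line into its ten fields."""
    f = line.split(None, 9)
    if len(f) != 10:
        raise ValueError(f"not a native access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)   # IPv6 peers contain ':' but never '/'
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]),
                 f[5], f[6], f[7], hier, peer, f[9])


def parse_log(text: str) -> List[Entry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def bumped_denials(entries: List[Entry], window_s: float = 2.0) -> List[Tuple[Entry, Entry]]:
    """Pair each denied CONNECT with the NONE/403 GET logged for the first request inside it.

    The thread's log shows the denied CONNECT as TCP_DENIED/200 with 0 bytes and the
    error page as a separate NONE/403 GET on the https:// URL of the same host from
    the same client. window_s is a correlation heuristic, not a Squid setting.
    """
    pairs = []
    for i, c in enumerate(entries):
        if c.method != "CONNECT" or c.result != "TCP_DENIED":
            continue
        host = c.url.rsplit(":", 1)[0]
        for g in entries[i + 1:]:
            if g.ts - c.ts > window_s:
                break
            if (g.client == c.client and g.method == "GET" and g.result == "NONE"
                    and g.status == 403 and g.url.startswith(f"https://{host}/")):
                pairs.append((c, g))
                break
    return pairs


def unpinned_bumped(entries: List[Entry]) -> List[Entry]:
    """Bumped requests (a plaintext method on an https:// URL) forwarded without PINNED.

    A correctly bumped and forwarded request should log PINNED. HIER_NONE means Squid
    answered the request itself (error page, hit), so only other codes such as DIRECT
    are flagged.
    """
    return [e for e in entries
            if e.url.startswith("https://") and e.method != "CONNECT"
            and e.hier not in ("PINNED", "HIER_NONE")]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for c, g in bumped_denials(log):
        print(f"{c.client} blocked on {c.url}: error page served as {g.result}/{g.status} ({g.size} bytes)")
    for e in unpinned_bumped(log):
        print(f"bumped request not marked PINNED: {e.url} logged {e.hier}/{e.peer}")
```

Run against a real access.log by replacing SAMPLE_LOG with the file contents; lines in other log formats (logformat combined, squid with %-directives) need their own parser, since parse_line assumes the ten native fields.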
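Added example (mine, not from the thread): a lint over the http_access section of a squid.conf like the one posted above. Squid evaluates http_access lines in order and stops at the first line whose ACLs all match, so the `http_access allow localnet` and `http_access allow localhost` lines that appear after `http_access deny all` in the posted file can never be reached; the lint reports such shadowed rules, and also url_regex patterns such as `.facebook.com` whose unescaped dot matches any character rather than a literal dot. The sample configuration in the block is reduced by hand from the posted squid.conf (constructed, same order), and the reported line numbers refer to that sample, not to the message.

```python
"""Lint the http_access section of a squid.conf for rules that can never match.

Squid evaluates http_access lines top to bottom and uses the first one whose ACLs
all match, so anything after a bare `http_access allow all` or `deny all` is dead.
"""
import re
from typing import List, Tuple

# Constructed sample: the acl/http_access/ssl lines of the squid.conf posted in the
# thread, reduced by hand but kept in the posted order.
SAMPLE_CONF = """\
acl localnet src 192.168.0.0/16     # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80              # http
acl CONNECT method CONNECT
acl block url_regex .facebook.com
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny block
http_access deny all
http_port 3128 ssl-bump generate-host-certificates=on cert=/etc/squid3/ssl_cert/bnpapel.pem
ssl_bump server-first all
sslproxy_cert_error deny all
http_access allow localnet
http_access allow localhost
"""

Rule = Tuple[int, str, List[str]]   # (line number, allow|deny, acl names)


def _tokens(raw: str) -> List[str]:
    """Drop a trailing '#' comment and split the directive into words."""
    return raw.split("#", 1)[0].split()


def http_access_rules(conf: str) -> List[Rule]:
    rules: List[Rule] = []
    for n, raw in enumerate(conf.splitlines(), 1):
        t = _tokens(raw)
        if len(t) >= 3 and t[0] == "http_access" and t[1] in ("allow", "deny"):
            rules.append((n, t[1], t[2:]))
    return rules


def shadowed_rules(conf: str) -> List[Tuple[int, str]]:
    """Return (line, text) of every http_access rule after the first unconditional one."""
    rules = http_access_rules(conf)
    for i, (_, _, acls) in enumerate(rules):
        if acls == ["all"]:
            return [(n, f"http_access {a} {' '.join(x)}") for n, a, x in rules[i + 1:]]
    return []


def loose_url_regex(conf: str) -> List[Tuple[int, str, str]]:
    """Flag *_regex ACL patterns with an unescaped '.', which matches any character."""
    hits = []
    for n, raw in enumerate(conf.splitlines(), 1):
        t = _tokens(raw)
        if len(t) >= 4 and t[0] == "acl" and t[2] in ("url_regex", "urlpath_regex", "dstdom_regex"):
            for pat in t[3:]:
                if pat == "-i":          # case-insensitivity flag, not a pattern
                    continue
                # a '.' not preceded by a backslash and not used as the '.*' style wildcard
                if re.search(r"(?<!\\)\.(?![*+?])", pat):
                    hits.append((n, t[1], pat))
    return hits


if __name__ == "__main__":
    for n, text in shadowed_rules(SAMPLE_CONF):
        print(f"line {n}: unreachable, an earlier http_access line matches all: {text}")
    for n, name, pat in loose_url_regex(SAMPLE_CONF):
        print(f"line {n}: acl {name}: unescaped '.' in {pat!r}; consider {re.escape(pat)!r}")
```

The lint only knows about a literal `all` ACL; a catch-all expressed another way (a src ACL covering every client, `!` negation of an empty ACL) is not detected, and it says nothing about whether the rules that are reachable do what the author intended.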