Re: [squid-users] Configuring SSL Bump in transparent/intercept mode

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 17 Jun 2013 22:19:18 +1200

On 15/06/2013 1:22 p.m., Bharath Madhusudan wrote:
> I know this question has been asked on this forum in the recent past.
> But I could not find any responses that helped my situation. So here
> goes.
>
> Some context:
>
> We are an "in the cloud" web-filtering service and have been using
> Squid very successfully for over a year now. The way we work is by
> having our users point to a DNS server. The DNS server "selectively"
> redirects to our squid proxy. For instance, google.com and youtube.com
> would be redirected to our Squid proxy (where we would perform traffic
> inspection). Not being aware of transparent interception at the time
> of product development, we implemented transparent HTTP and HTTPS
> interception. Squid was modified to have the same port handle both
> intercepted and regularly proxied traffic.
>
> Setup:
>
> Our squid instance is based in the Amazon cloud (base OS is Linux).
> The typical customer is a mid-large network behind a NAT that sends us
> all of their DNS queries. Some of these DNS queries get translated to
> HTTP/HTTPS traffic that then hits squid. The destination website(s)
> will think of Amazon as being the source of the traffic.
>
> The Problem Statement:
>
> Due to customer demand, we need to use the SSL Bump feature. As of
> now, I have no problems getting Dynamic SSL Certificate generating to
> work in regular proxy (non intercepted/transparent) mode. But I have
> run into issues while getting this to work in transparent/intercepted
> mode.
>
> Squid installation details:
>
> ./configure --enable-ssl --enable-ssl-crtd --enable-linux-netfilter
>
> relevant squid.conf parameters:
> http_access allow all
> always_direct allow all
> ssl_bump server-first all (I have also tried ssl_bump allow all)
>
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> http_port 80 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/mycert.pem
> http_port 443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/mycert.pem
>
> When I send traffic that I expect to be intercepted to Squid, I get
> the following errors in the log file (and a TCP RST from squid):
>
> ERROR: No forward-proxy ports configured

The above error is from not having a "normal" forward proxy port where
Squid can receive client requests for the icons and bits that make up
error pages generated by Squid.
The default for that is port 3128. Simple and easily fixed.

> NF getsockopt(SO_ORIGINAL_DST) failed on local=10.174.14.75:80
> remote=107.3.142.99:60377 FD 10 flags=33: (92) Protocol not available

That is a different problem, the kernel NAT system is missing the
records about what IP:port the client was connecting to. The others who
posted have pretty clearly identified what is wrong with that and
Eliezer has mentioned the fix: *route* traffic to the Squid box (over a
tunnel if need be), don't use port-forward/NAT or DNS trickery to divert
the packets towards the Squid box.

Amos
Received on Mon Jun 17 2013 - 10:19:42 MDT
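What the second log line actually reports is the result of the SO_ORIGINAL_DST lookup that Squid performs on every accepted connection of an "intercept" port: it asks the kernel's conntrack/NAT table where the client was originally going, and if no NAT record exists for the flow the lookup fails with ENOPROTOOPT (92) or ENOENT and Squid has nothing to forward to. The following script is an added example, not code from the thread or from Squid, and reproduces that lookup in Python on Linux so the failure can be seen on a plain socket. It constructs a loopback listener standing in for the intercept port and a client that connects to it directly, which is the same situation as traffic steered to the proxy by DNS: the TCP connection really terminates on the proxy's address, so there is no pre-NAT destination to recover. The constant SO_ORIGINAL_DST (80 on level IPPROTO_IP/SOL_IP) is taken from the Linux netfilter headers; the helper names are mine.

```python
import errno
import socket

# Linux-only socket option, not exported by Python's socket module.
# Value 80 on level IPPROTO_IP (== SOL_IP) per <linux/netfilter_ipv4.h>.
SO_ORIGINAL_DST = 80


def original_dst(conn):
    """Ask conntrack for the pre-NAT destination of an accepted TCP socket.

    Returns (ip, port) when the kernel holds a conntrack record for the
    flow, or None when it does not: ENOPROTOOPT when the nf_conntrack
    sockopt is not registered in this network namespace, ENOENT when
    conntrack runs but never saw the flow. Squid's intercept ports depend
    on this lookup succeeding, which requires a NAT rule on the proxy host.
    """
    try:
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
    except OSError as e:
        if e.errno in (errno.ENOPROTOOPT, errno.ENOENT,
                       errno.EOPNOTSUPP, errno.EINVAL):
            return None
        raise
    if len(raw) < 8:
        return None
    # struct sockaddr_in: family(2) port(2, network order) addr(4) zero(8)
    port = int.from_bytes(raw[2:4], "big")
    ip = socket.inet_ntoa(raw[4:8])
    return ip, port


def classify_connection(conn):
    """Decide, as an interceptor must, whether a connection is usable.

    Returns (verdict, local_addr, original_dst) where verdict is one of
    'no-nat-record' (lookup failed: the "NF getsockopt(SO_ORIGINAL_DST)
    failed" case), 'not-natted' (conntrack saw the flow but the client
    truly connected to us, nothing to intercept), or 'intercepted'
    (a NAT rule rewrote the destination; forward to original_dst).
    """
    local = conn.getsockname()[:2]
    orig = original_dst(conn)
    if orig is None:
        return "no-nat-record", local, None
    if orig == local:
        return "not-natted", local, orig
    return "intercepted", local, orig


def demo():
    """Constructed loopback exchange: listener stands in for the intercept
    port, client connects to it directly with no NAT rule in the path."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))
    conn, _ = srv.accept()
    try:
        return classify_connection(conn)
    finally:
        conn.close()
        client.close()
        srv.close()


if __name__ == "__main__":
    verdict, local, orig = demo()
    print("local=%s:%d verdict=%s original_dst=%r" % (local[0], local[1], verdict, orig))
```

On a host without a NAT rule for the flow the verdict is "no-nat-record" or "not-natted"; neither gives the proxy an upstream destination, which is exactly the state the log line describes. The only way to get "intercepted" is the arrangement Amos describes: packets must arrive at the proxy host still addressed to the real server (routed there, over a tunnel if necessary), and a local rule such as an iptables REDIRECT in the nat PREROUTING chain must divert them to the intercept port, because that rule is what creates the conntrack record the lookup reads. The intercept port should be separate from the plain forward-proxy port (the default 3128) that the first error asks for; using port 3129 for intercepted traffic is a common convention, not something the thread prescribes.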
