Hi all,

I have configured squid on an OpenBSD host acting as a transparent proxy. Actually all works OK for all traffic except SSL/TLS, e.g. port 443.

 My pf rules are:


pass in inet proto tcp from $prod_network to !<internal_networks> port $proxy_tcp_svcs divert-to localhost \
    port 3129 label "Allow access to Internet via Proxy on port $dstport/$proto"

pass in inet proto tcp from $prod_network to !<internal_networks> port https divert-to localhost \
    port 3130 label "Allow access to Internet via Proxy on port $dstport/$proto"


 In my squid.conf:

# Squid normally listens to port 3128
http_port 127.0.0.1:3128
http_port 127.0.0.1:3129 intercept
http_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/uxdom.org.cert key=/etc/squid/ssl_cert/uxdom.org.private \
    generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

When some internal client tries to connect to, for example, https://www.google.com:

tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Jan 04 16:34:10.750926 rule 16/(match) [uid 0, pid 1374] block out on vio0: 216.58.210.131.443 > 172.21.55.3.53694: R [bad tcp cksum 7aa1! -> 5af5] 157608502:157608502(0) win 0 (DF) (ttl 64, id 61853, len 40, bad ip cksum 7b96! -> bb5b)
Jan 04 16:34:10.750956 rule 16/(match) [uid 0, pid 1374] block in on vio0: 172.21.55.3.53694 > 216.58.210.131.443: F [tcp sum ok] 2332161592:2332161592(0) ack 157608502 win 256 (ttl 128, id 12637, len 40)
Jan 04 16:34:10.751003 rule 16/(match) [uid 0, pid 1374] block in on vio0: 172.21.55.3.53694 > 216.58.210.131.443: R [tcp sum ok] 1:1(0) ack 1274 win 0 (ttl 128, id 12639, len 40)
Jan 04 16:34:10.751027 rule 16/(match) [uid 0, pid 1374] block in on vio0: 172.21.55.3.53694 > 216.58.210.131.443: R [tcp sum ok] 2332161585:2332161585(0) win 0 (DF) (ttl 128, id 12640, len 40)
Jan 04 16:34:10.751047 rule 16/(match) [uid 0, pid 1374] block in on vio0: 172.21.55.3.53694 > 216.58.210.131.443: R [tcp sum ok] 2332161585:2332161585(0) win 0 (DF) (ttl 128, id 12641, len 40)
Jan 04 16:34:10.752913 rule 16/(match) [uid 0, pid 1374] block out on vio0: 216.58.210.131.443 > 172.21.55.3.53695: R [bad tcp cksum b923! -> b16] 3886046168:3886046168(0) win 0 (DF) (ttl 64, id 24204, len 40, bad ip cksum 7b8f! -> 4e6d)
Jan 04 16:34:10.752937 rule 16/(match) [uid 0, pid 1374] block in on vio0: 172.21.55.3.53695 > 216.58.210.131.443: . [tcp sum ok] ack 3886047652 win 256 (ttl 128, id 12644, len 40)

 I have tried to add a divert-reply rule:

pass out on vio0 inet from $prod_network divert-reply

... but it doesn't work.

 What am I doing wrong??

Thanks.
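To make pflog output like the above easier to read when troubleshooting a divert-to setup, here is a small parser (added example, not part of the original post or of squid/pf) that breaks each `tcpdump -e -i pflog0` record into rule, action, direction, endpoints, TCP flags and checksum state, and counts what rule 16 is dropping. The sample input is a constructed subset of the records quoted in the post; the outbound records with a bad checksum and TTL 64 are the ones the proxy host generated itself with the origin server's address as source, which is the clue to look at when a `block` rule catches them.

```python
import re
from collections import Counter

# Constructed sample: pflog records copied from the post, one per line.
SAMPLE = """\
Jan 04 16:34:10.750926 rule 16/(match) [uid 0, pid 1374] block out on vio0: 216.58.210.131.443 > 172.21.55.3.53694: R [bad tcp cksum 7aa1! -> 5af5] 157608502:157608502(0) win 0 (DF) (ttl 64, id 61853, len 40, bad ip cksum 7b96! -> bb5b)
Jan 04 16:34:10.750956 rule 16/(match) [uid 0, pid 1374] block in on vio0: 172.21.55.3.53694 > 216.58.210.131.443: F [tcp sum ok] 2332161592:2332161592(0) ack 157608502 win 256 (ttl 128, id 12637, len 40)
Jan 04 16:34:10.751003 rule 16/(match) [uid 0, pid 1374] block in on vio0: 172.21.55.3.53694 > 216.58.210.131.443: R [tcp sum ok] 1:1(0) ack 1274 win 0 (ttl 128, id 12639, len 40)
Jan 04 16:34:10.752913 rule 16/(match) [uid 0, pid 1374] block out on vio0: 216.58.210.131.443 > 172.21.55.3.53695: R [bad tcp cksum b923! -> b16] 3886046168:3886046168(0) win 0 (DF) (ttl 64, id 24204, len 40, bad ip cksum 7b8f! -> 4e6d)
Jan 04 16:34:10.752937 rule 16/(match) [uid 0, pid 1374] block in on vio0: 172.21.55.3.53695 > 216.58.210.131.443: . [tcp sum ok] ack 3886047652 win 256 (ttl 128, id 12644, len 40)
"""

# Shape of one pflog record as printed by tcpdump on OpenBSD (IPv4/TCP only).
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"\[uid \d+, pid \d+\] (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<flags>[A-Z.]+) \[(?P<cksum>[^\]]*)\] "
    r".*\(ttl (?P<ttl>\d+),"
)


def split_endpoint(endpoint):
    """tcpdump prints 'a.b.c.d.port'; the last dotted field is the port."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_pflog_line(line):
    """Return a dict for one record, or None if the line is not a pflog record."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"], rec["src_port"] = split_endpoint(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec.pop("dst"))
    rec["ttl"] = int(rec["ttl"])
    rec["bad_cksum"] = "bad" in rec["cksum"]  # offload not yet applied
    return rec


def summarize(text):
    """Parse all records and count (rule, action, direction, flags) tuples."""
    records = [r for r in map(parse_pflog_line, text.splitlines()) if r]
    counts = Counter((r["rule"], r["action"], r["dir"], r["flags"]) for r in records)
    return records, counts


def locally_generated_replies(records):
    """Outbound packets with a bad checksum were built on this host, not forwarded."""
    return [r for r in records if r["dir"] == "out" and r["bad_cksum"]]
```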
