Hello all. I tried reading all the FAQs and scoured the rest of the internet for any configuration examples I could find, and I have not seen a working solution for this. I have been using squid for a couple of years now to bump SSL traffic with no issues. However, I have a new environment where an upstream proxy is already in place and MUST be used. So I am trying to get squid working with SSL bump where I have to use a cache_peer. Here's the environment.
Normal network setup:

Client --> Forefront Threat Management Gateway/Proxy (TMG) --> Internet

The client is set up to use TMG:8080 to get to the internet for all protocols. Moving forward, I will abbreviate the Forefront proxy as "TMG". Here's my new network chain with squid inserted:

Client --> Squid 3.5.5 --> TMG --> Internet

And then I set the client to use squid:3128.

The problem is the CONNECT tunnel. Scenario: under normal circumstances, the following takes place for a standard request:

GET http://www.arin.net

This results in a 301 redirect to https://www.arin.net. The client then immediately sends

CONNECT www.arin.net:443

to TMG:8080, and the connection is made. Perfectly normal.

Currently, I have configured the client to use squid:3128 for all protocols. How do I bump the CONNECT tunnel? I have been trying to manipulate the configuration file for days with no success. I have settled on the configuration below for now because it allows unimpeded network traffic. It does not bump any SSL. The client is still set to use port 3128 for all protocols; setting it to use 3129 for https was a failure.

I've tried:
https_port 3128 & 3129
http_port 3128 & 3129
various ssl_bump directives, including peek, stare, bump.
Nothing works.

Here's my usual failure in /var/log/access.log:

1435482419.334 194 192.168.25.2 TCP_MISS/301 616 GET http://www.arin.net/ - FIRSTUP_PARENT/10.210.4.103 text/html
1435482419.337 0 192.168.25.2 TAG_NONE/409 4324 CONNECT www.arin.net:443 - HIER_NONE/- text/html

After reviewing many packet captures, I think the problem is this: in order for squid to establish a connection via SSL to arin, squid would have to send a CONNECT request through the cache_peer. Squid "never" sends a CONNECT www.arin.net:443 to the cache_peer in any configuration I have tried, unless I leave the configuration the way it is below. Of course, since the client is only talking to squid on port 3128, no SSL bumping takes place. The minute I try to bump port 3128, all SSL stops working.
Again... I can get this to work in 2 minutes with no problems if I didn't also have to talk to a cache_peer.

Contents of /etc/squid/squid.conf :

acl localnet src 192.168.25.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
cache_effective_user proxy
forwarded_for delete
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
never_direct allow all
cache_peer 192.168.1.5 parent 8080 0 no-query default login=redacted
http_port 3128
host_verify_strict off
sslproxy_cert_sign signTrusted
sslproxy_cert_error allow all # accept any server certificate error on bumped connections
sslproxy_flags DONT_VERIFY_PEER # skip verification of the origin server certificate
http_port 3129 intercept ssl-bump capath=/etc/ssl/certs cert=/etc/ssl/certs/midca.pem key=/etc/ssl/private/midca.key generate-host-certificates=on
ssl_bump server-first all
ssl_bump bump all
sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 40 startup=7 idle=5
cache_dir ufs /var/cache/squid 100 16 256
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

I would send pcaps of the failures, but then I would have to sanitize them. Thanks.

-JP
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
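An added example, not part of JP's post or of Squid: a small client-side probe, written in Python here, that opens a CONNECT tunnel through the proxy exactly as the browser in the post does and reports what answers on the far side. It distinguishes the three outcomes the thread is about: the proxy refusing the tunnel (the TAG_NONE/409 line in the access.log above), a bumped tunnel (the presented certificate chains only to the bumping CA, the midca.pem from the posted squid.conf) and an unbumped passthrough (the certificate chains to the system trust store, so the tunnel reaches the real origin). PROXY_HOST is an assumption, since the post only says "squid:3128"; BUMP_CA assumes a copy of the proxy's midca.pem is available on the client.

```python
"""Tell whether a proxy's CONNECT tunnels are refused, TLS-bumped or passed through.

Added example for the thread above; not code from the post or from Squid.
Assumptions: the proxy listens at PROXY_HOST:PROXY_PORT (the post only says
"squid:3128"), and BUMP_CA is the PEM of the CA Squid signs generated
certificates with (the posted squid.conf uses /etc/ssl/certs/midca.pem).
"""
import socket
import ssl
from typing import Tuple

PROXY_HOST = "192.168.25.1"           # assumption: address of the Squid box
PROXY_PORT = 3128                     # from the post: clients use squid:3128
BUMP_CA = "/etc/ssl/certs/midca.pem"  # from the posted squid.conf (assumed copied here)


class TunnelRefused(Exception):
    """The proxy answered CONNECT with something other than 200."""

    def __init__(self, code: int, reason: str) -> None:
        super().__init__(f"proxy refused CONNECT: {code} {reason}")
        self.code, self.reason = code, reason


def build_connect_request(host: str, port: int = 443) -> bytes:
    """The CONNECT a browser sends to open a tunnel, e.g. CONNECT www.arin.net:443."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, str]:
    """Return (status_code, reason) from the proxy's reply to CONNECT.

    Squid sends '200 Connection established' for an open tunnel; the failing
    case in the post (TAG_NONE/409 in access.log) reaches the client as a 409.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def read_headers(sock: socket.socket, limit: int = 65536) -> bytes:
    """Read from the socket until the end of the response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def _handshake_ok(target: str, ctx: ssl.SSLContext,
                  proxy: Tuple[str, int], timeout: float) -> bool:
    """Open a fresh tunnel to target:443 and try a TLS handshake verified under ctx."""
    with socket.create_connection(proxy, timeout=timeout) as raw:
        raw.sendall(build_connect_request(target))
        code, reason = parse_connect_response(read_headers(raw))
        if code != 200:
            raise TunnelRefused(code, reason)
        try:
            with ctx.wrap_socket(raw, server_hostname=target):
                return True  # chain verified against ctx's trust anchors
        except ssl.SSLCertVerificationError:
            return False


def classify_tunnel(target: str, proxy: Tuple[str, int] = (PROXY_HOST, PROXY_PORT),
                    bump_ca: str = BUMP_CA, timeout: float = 10.0) -> str:
    """Classify what answers on the far side of CONNECT target:443 via the proxy.

    'refused:<code>' the proxy did not open the tunnel (the post's 409 case)
    'bumped'         the certificate chains only to bump_ca, i.e. Squid generated
                     it with ssl_crtd and is decrypting the session
    'passthrough'    it chains to the system trust store, i.e. the tunnel reaches
                     the real origin unbumped (via TMG or direct)
    'untrusted'      neither: another interceptor, or the wrong CA file
    """
    try:
        # create_default_context(cafile=...) loads only that file, not the
        # system roots, so success here means the chain ends at the bump CA.
        if _handshake_ok(target, ssl.create_default_context(cafile=bump_ca), proxy, timeout):
            return "bumped"
        if _handshake_ok(target, ssl.create_default_context(), proxy, timeout):
            return "passthrough"
        return "untrusted"
    except TunnelRefused as exc:
        return f"refused:{exc.code}"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.arin.net"
    print(host, "->", classify_tunnel(host))
```

Run it from a client on the 192.168.25.0/24 side with the hostname to test. Each verification attempt opens its own tunnel, because a failed handshake leaves the first tunnel unusable; the bump-CA check runs first so that a bumped session is never mistaken for a passthrough when the bump CA also happens to be in the system store.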