Hi,

Interestingly this seems to work on a http_proxy listener:

http_port 0.0.0.0:3129 ssl-bump \
  generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
  cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key
#tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key

always_direct allow all
ssl_bump bump all

But with https_port, I require tproxy/intercept which if I configure it returns:

http_port 0.0.0.0:3128 ssl-bump
https_port 0.0.0.0:3129 ssl-bump intercept \
  generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
  cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key \
  tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key

2021/03/04 12:11:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33: (2) No such file or directory
2021/03/04 12:11:27 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33: (2) No such file or directory
2021/03/04 12:11:27 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33
2021/03/04 12:11:27 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.17.0.2:3129 remote=172.17.0.1:64488 FD 13 flags=33
1614859887.972      0 172.17.0.1 NONE/000 0 NONE error:accept-client-connection - HIER_NONE/- -

And:

http_port 0.0.0.0:3128 ssl-bump
https_port 0.0.0.0:3129 ssl-bump tproxy \
  generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
  cert=/etc/squid/ssl/squid.crt key=/etc/squid/ssl/squid.key \
  tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key

FATAL: https_port: TPROXY support in the system does not work.

Niels Hofmans
SITE https://ironpeak.be
BTW BE0694785660
BANK BE76068909740795

On 4 Mar 2021, at 12:21, Niels Hofmans <he...@ironpeak.be> wrote:

Hi,

I think I may have found an issue: it only seems to ICAP the CONNECT request, whereas it will not pass any subsequent requests in that CONNECT tunnel to ICAP?

So my original implementation did not check for the HTTP method in ICAP, so it returned the wrong CONNECT hostname:

OPTIONS icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Allow: 206

ICAP/1.0 200 OK
Allow: 200,204
Connection: close
Date: Thu, 04 Mar 2021 11:11:45 GMT
Encapsulated: null-body=0
Methods: REQMOD,REQRESP
Preview: 0
Transfer-Preview: *

CONNECT ironpeak.be:443 HTTP/1.1
User-Agent: curl/7.64.1
Host: ironpeak.be:443

REQMOD icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Date: Thu, 04 Mar 2021 11:11:23 GMT
Encapsulated: req-hdr=0, null-body=84
Preview: 0
Allow: 204

ICAP/1.0 200 OK
Connection: close
Date: Thu, 04 Mar 2021 11:11:23 GMT
Encapsulated: req-hdr=0, null-body=111

CONNECT //ironpeak.be:443/blog/big-sur-t2rminator/ HTTP/1.1    <<<< here is my bug
Host: ironpeak.be:443
User-Agent: curl/7.64.1

But now, it does not pass any HTTP request in the CONNECT tunnel to ICAP:

CONNECT ironpeak.be:443 HTTP/1.1
User-Agent: curl/7.64.1
Host: ironpeak.be:443

REQMOD icap://10.10.0.119:1344/ ICAP/1.0
Host: 10.10.0.119:1344
Date: Thu, 04 Mar 2021 11:19:00 GMT
Encapsulated: req-hdr=0, null-body=84
Preview: 0
Allow: 204

ICAP/1.0 204 No Modifications
Connection: close
Date: Thu, 04 Mar 2021 11:19:00 GMT
Encapsulated: null-body=0

..TLS ciphertext..    <<<< No more ICAP requests

Any idea on how I pass -every- sslbumped request to ICAP?

Thank you.

Regards,
Niels Hofmans
SITE https://ironpeak.be

On 4 Mar 2021, at 12:01, NgTech LTD <ngtech1...@gmail.com> wrote:

Would it be possible to dump some icap traffic so we would be able to understand what might cause this issue if at all?

Eliezer

On Thu, 4 Mar 2021 at 12:36, Niels Hofmans <he...@ironpeak.be> wrote:

Hi guys,

I'm asking here but since I'm not too comfortable with a mailing list, it's also on serverfault.com:
https://serverfault.com/questions/1055663/squid-icap-not-working-if-using-tls-interception-but-both-work-separately

I have an odd issue that squid will return an HTTP 503 when I try to do ICAP for an ssl-bumped HTTPS website. HTTP website works fine. Any ideas?

Config:

visible_hostname proxy
forwarded_for delete
via off
httpd_suppress_version_string on
logfile_rotate 0
cache_log stdio:/dev/stdout
access_log stdio:/dev/stdout
cache_store_log stdio:/dev/stdout
dns_v4_first on
cache_dir ufs /cache 100 16 256
pid_filename /cache/squid.pid
mime_table /usr/share/squid/mime.conf
http_port 0.0.0.0:3128
https_port 0.0.0.0:3129 \
  generate-host-certificates=on dynamic_cert_mem_cache_size=10MB \
  tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
ssl_bump peek all
ssl_bump bump all
quick_abort_min 0
quick_abort_max 0
quick_abort_pct 95
pinger_enable off
icap_enable on
icap_service_failure_limit -1
icap_service service_req reqmod_precache bypass=0 icap://10.10.0.119:1344/
icap_preview_enable on
adaptation_access service_req allow all
cache_mem 512 mb
dns_nameservers 1.1.1.1 1.0.0.1
cache_effective_user proxy
sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
sslproxy_cert_error allow all
http_access allow all

Log line HTTPS when it doesn't work:

1614853306.542     40 172.17.0.1 NONE/503 0 CONNECT //ironpeak.be:443 - HIER_NONE/- -

< HTTP/1.1 503 Service Unavailable
< Server: squid
< Mime-Version: 1.0
< Date: Thu, 04 Mar 2021 10:36:05 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1849
< X-Squid-Error: ERR_DNS_FAIL 0

Log line HTTP when it does work:

-1 1614851916 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.743 SWAPOUT 00 00000002 F7A390D89822E9BA831C47E1B4CDD0A8 301 1614853320 -1 1614853320 text/plain 60/60 GET http://ironpeak.be/blog/big-sur-t2rminator/
1614853320.748    302 172.17.0.1 TCP_REFRESH_MODIFIED/301 1647 GET http://ironpeak.be/blog/big-sur-t2rminator/ - HIER_DIRECT/104.21.60.47 text/plain

Example CLI command used:

ALL_PROXY="https://127.0.0.1:3129" curl -vvv --proxy-insecure http://ironpeak.be/

Command used to start squid:

exec /usr/sbin/squid -f /etc/squid/squid.conf --foreground -YCd 1

Package info:

Package: squid-openssl
Version: 4.13-5

Many thanks!

Regards,
Niels Hofmans
SITE https://ironpeak.be

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
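The REQMOD exchange dumped above, as an added example that is not from the thread or from Niels' ICAP server: a minimal responder that locates the encapsulated request via the Encapsulated offsets, treats a CONNECT target (host:port, no scheme or path) differently from a bumped request's absolute URL so it cannot produce the "//host:443/path" line flagged as the bug, and answers 204 only when Squid sent "Allow: 204". The sample message is constructed from the dump; the function names are mine.

```python
from urllib.parse import urlsplit
CRLF = b"\r\n"

def parse_reqmod(raw: bytes) -> dict:
    """Split a REQMOD message into ICAP headers and the encapsulated HTTP
    request header block, located via the Encapsulated offsets (RFC 3507)."""
    icap_hdr, _, body = raw.partition(CRLF * 2)
    hdrs = {}
    for ln in icap_hdr.split(CRLF)[1:]:          # [0] is the ICAP request line
        name, _, val = ln.decode("ascii").partition(":")
        hdrs[name.strip().lower()] = val.strip()
    enc = {}
    for part in hdrs["encapsulated"].split(","):
        k, _, v = part.strip().partition("=")
        enc[k] = int(v)
    if "req-hdr" not in enc or "req-body" in enc:
        raise ValueError("only header-only REQMOD (null-body) is handled here")
    http_hdr = body[enc["req-hdr"]:enc["null-body"]]
    method, target, _ver = http_hdr.split(CRLF)[0].decode("ascii").split(" ", 2)
    return {"icap": hdrs, "method": method, "target": target, "http_hdr": http_hdr}

def describe_target(method: str, target: str) -> tuple:
    """CONNECT's target is host:port only; treating it like a URL and rebuilding
    it from Host + path yields the '//host:443/path' line shown in the thread."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port), None
    u = urlsplit(target)              # bumped requests reach ICAP as absolute URLs
    return u.hostname, u.port or (443 if u.scheme == "https" else 80), u.path or "/"

def reqmod_response(raw: bytes) -> bytes:
    """204 when Squid sent 'Allow: 204'; otherwise echo the request unchanged in
    a 200 whose null-body offset equals the header block length."""
    req = parse_reqmod(raw)
    describe_target(req["method"], req["target"])   # method-aware target check
    allowed = {a.strip() for a in req["icap"].get("allow", "").split(",")}
    if "204" in allowed:
        return b"ICAP/1.0 204 No Modifications" + CRLF + b"Encapsulated: null-body=0" + CRLF * 2
    hdr = req["http_hdr"]
    return (b"ICAP/1.0 200 OK" + CRLF +
            b"Encapsulated: req-hdr=0, null-body=%d" % len(hdr) + CRLF * 2 + hdr)

# Constructed sample: the thread's CONNECT REQMOD, re-typed with CRLF line ends.
SAMPLE = (b"REQMOD icap://10.10.0.119:1344/ ICAP/1.0" + CRLF +
          b"Host: 10.10.0.119:1344" + CRLF +
          b"Encapsulated: req-hdr=0, null-body=84" + CRLF +
          b"Preview: 0" + CRLF + b"Allow: 204" + CRLF * 2 +
          b"CONNECT ironpeak.be:443 HTTP/1.1" + CRLF +
          b"User-Agent: curl/7.64.1" + CRLF +
          b"Host: ironpeak.be:443" + CRLF * 2)
```

The 84-byte null-body offset in the dump is exactly the length of the three CONNECT header lines plus the blank line, which is what the echo path recomputes.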