OK so the issue was that:

The http_port was used for ssl bump with intercept while the only port which
can really intercept ssl connections is:

https_port

So I believe that there should be a warning about such a line in the cache log.

When there is http_port and intercept and ssl_bump there should be a warning.

Thanks,

Eliezer
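
One way to implement the warning suggested above, as an added example that is not part of this thread or of Squid itself: a small Python checker that reads a squid.conf (joining backslash continuation lines the way the posted config is written and ignoring comments) and flags every http_port that combines an interception mode with ssl-bump, since only https_port can intercept TLS. It also flags tproxy, which the message above does not name; the embedded config excerpt is constructed for the demo.

```python
# Constructed squid.conf excerpt for the demo (not the poster's full config);
# the backslash continuation mirrors how the posted http_port lines are written.
SAMPLE_CONF = """\
http_port 3128
http_port 13128 ssl-bump tls-cert=/etc/squid/ssl/cert.pem \\
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 23128 tproxy ssl-bump tls-cert=/etc/squid/ssl/cert.pem
http_port 33128 intercept ssl-bump tls-cert=/etc/squid/ssl/cert.pem
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl/cert.pem
# http_port 4444 intercept ssl-bump   (commented out, must not be flagged)
"""

INTERCEPT_MODES = ("intercept", "tproxy")  # Squid's transparent port modes

def logical_lines(text):
    """Yield (first_line_no, directive): comments stripped, backslash continuations joined."""
    parts, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line)
        yield start, " ".join(parts)
        parts, start = [], None
    if parts:  # dangling continuation at end of file
        yield start, " ".join(parts)

def check_ports(text):
    """One warning per http_port that combines intercept/tproxy with ssl-bump."""
    warnings = []
    for no, directive in logical_lines(text):
        tokens = directive.split()
        if len(tokens) < 2 or tokens[0] != "http_port":
            continue
        options = tokens[2:]
        modes = [m for m in INTERCEPT_MODES if m in options]
        if modes and "ssl-bump" in options:
            warnings.append(f"line {no}: http_port {tokens[1]} combines {modes[0]} "
                            "with ssl-bump; only https_port can intercept TLS")
    return warnings
```

Run it on a real file with `check_ports(open("/etc/squid/squid.conf").read())`; on the excerpt above it reports the tproxy and intercept ports and stays silent for the https_port line.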

 

From: NgTech LTD <ngtech1...@gmail.com> 
Sent: Monday, August 19, 2024 10:48 AM
To: Squid Users <squid-users@lists.squid-cache.org>
Subject: Squid 6.10 on Fedora 40 cannot intercept and bump SSL Traffic

 

I am testing Squid 6.10 on Fedora 40 (their package).
And it seems that Squid is unable to bump clients (ESNI/ECH)?

I had a couple of iterations of peek, stare and bump and I am not sure what the
reason for that is:
shutdown_lifetime 3 seconds
# External helper that decides which YouTube URLs are allowed
external_acl_type whitelist-lookup-helper ipv4 ttl=10 children-max=10 children-startup=2 \
        children-idle=2 concurrency=10 %URI %SRC /usr/local/bin/squid-conf-url-lookup.rb
acl whitelist-lookup external whitelist-lookup-helper
acl ytmethods method POST GET
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
acl tubedoms dstdomain .ytimg.com .youtube.com .youtu.be
http_access allow ytmethods localnet tubedoms whitelist-lookup
http_access allow localnet
http_access deny all
# Plain forward-proxy port
http_port 3128
# Explicit (CONNECT) proxy port with SSL bump
http_port 13128 ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# Transparent ports with SSL bump; as found later in this thread, http_port with
# tproxy/intercept cannot intercept TLS, that needs https_port
http_port 23128 tproxy ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
http_port 33128 intercept ssl-bump tls-cert=/etc/squid/ssl/cert.pem tls-key=/etc/squid/ssl/key.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 5
# Tunnel traffic Squid cannot parse instead of rejecting it
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol respond all
acl monitoredSites ssl::server_name .youtube.com .ytimg.com
acl monitoredSitesRegex ssl::server_name_regex \.youtube\.com \.ytimg\.com
acl serverIsBank ssl::server_name .visa.com
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump bump all
strip_query_terms off
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
# Custom log format that also records the TLS SNI of each request
logformat ssl_custom_format %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
access_log daemon:/var/log/squid/access.log ssl_custom_format
##EOF

access.log from before:

Thanks for any help,

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users