3

I hope someone can help me. I have this problem:

Squid is running as an SSL transparent proxy, and at the moment it's receiving all the traffic with these two iptables rules:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

So far no problem at all; everything works perfectly... but when I add any simple ACL to block an SSL website, I get this browser error: SSL connection error (ERR_SSL_PROTOCOL_ERROR). Also, if I try to run Squid with the line currently commented out in the conf pasted below, I get a certificate error (domain mismatch) from the client.

    http_port 3128 intercept
    https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/proxy_matrix-test_com.crt key=/usr/local/squid/ssl_cert/squid.key
    acl broken_sites dstdomain .example.com
    ssl_bump none localhost
    ssl_bump none broken_sites
    #ssl_bump server-first all
    ssl_bump none
    sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
    sslcrtd_children 5

(cert.crt is signed by a recognized certification authority.) Any ideas? Thanks.

krisFR
user3401310

1 Answer

3

You will always get a certificate error when using Squid over SSL. The reason is that there is a separate SSL connection from Squid to the target website and from Squid to the browser. So, when the browser is presented with a certificate from Squid, even though it may be signed, the domain does not match.

+-----------+               +-------+               +---------+
| gmail.com |<----Cert1---->| Squid |<----Cert2---->| Browser |
+-----------+               +-------+               +---------+

There is a way around this in some situations. You can use Dynamic SSL Cert generation, which generates a certificate for the target domain, e.g., gmail.com, and signs it with a self-signed root CA that you created. The catch is that the self-signed root CA cert must be trusted on every browser/client that will access the internet through the proxy. It does not need to be signed by an actual certificate authority; in fact, it can't be. If you are in a Windows environment, you can probably push the self-signed root CA out through Group Policy Manager.

http://wiki.squid-cache.org/Features/DynamicSslCert

Tim
  • Has this changed? Because all I need Squid to get is the IP address; I don't care about the packet otherwise. After all, the iptables code is capable of doing that! From what I understand here, Squid is useless now that all websites use SSL. – Alexis Wilke Nov 10 '20 at 00:45
  • @AlexisWilke What do you mean by "get the IP addresses"? If you mean that you want to know what source IP addresses are requesting a particular site, then you can use TCP-level proxies if you don't care what's happening at the HTTP level. I think that you can probably use HAProxy to do this... it has been a while since I have been in this realm, though. Not sure what the hip new thing is. – Tim Nov 10 '20 at 23:22
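The domain-mismatch failure from the question and the fix from the answer, as an added example that is not part of the original post and not Squid's own code. The script uses openssl to play both parts: it stands in for ssl_crtd (creating the self-signed root CA and minting a per-site leaf certificate) and for the browser (chain validation plus hostname check). The names are assumptions: "proxy.example.net" stands in for the proxy's own certificate (proxy_matrix-test_com.crt in the question), "gmail.com" is the intercepted site from the diagram, and "Squid Intercept CA" is the invented root. It needs openssl 1.1.0 or later on PATH.

```sh
#!/bin/sh
# Added example (not from the original post, not Squid's own code): reproduce the
# "domain mismatch" from the question and show why the answer's self-signed root CA
# fixes it, using openssl in place of ssl_crtd and of the browser.
# Assumed placeholders: "proxy.example.net" (the proxy's own hostname) and
# "gmail.com" (the intercepted site). Needs openssl 1.1.0 or later.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The self-signed root CA the clients must trust. ssl_crtd signs with this key,
#    which is why a public CA cannot be used here: it would have to issue you a
#    certificate with CA:TRUE, which no public CA will do.
make_root_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Squid Intercept CA" -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Mint a leaf certificate for host $1, signed by the root. This is what
#    generate-host-certificates=on makes ssl_crtd do for every bumped site.
make_leaf() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# 3. What the browser does with the certificate Squid hands it: build the chain
#    against its trust store AND check the name against the site it asked for.
#    $1 = certificate presented, $2 = host the browser connected to,
#    $3 = root CA file the client trusts, or "none" for a client the root was
#    never installed on (openssl then falls back to the system store, which does
#    not contain our root). Prints "ok" or "fail".
verify_as_client() {
  cert="$1"; expected_host="$2"; trust="$3"
  if [ "$trust" = none ]; then
    openssl verify -verify_hostname "$expected_host" "$cert" >/dev/null 2>&1 \
      && echo ok || echo fail
  else
    openssl verify -CAfile "$trust" -verify_hostname "$expected_host" "$cert" >/dev/null 2>&1 \
      && echo ok || echo fail
  fi
}

# The question's setup: the proxy's own certificate (a perfectly valid chain) is
# shown to a client that connected to gmail.com. Chain is fine; the name is not.
question_proxy_cert()    { verify_as_client "$WORK/proxy.example.net.crt" gmail.com "$WORK/ca.crt"; }
# The answer's fix: a generated gmail.com certificate, root trusted by the client.
answer_bumped_trusted()  { verify_as_client "$WORK/gmail.com.crt" gmail.com "$WORK/ca.crt"; }
# The answer's catch: the same certificate on a client where the root is not installed.
answer_bumped_untrusted(){ verify_as_client "$WORK/gmail.com.crt" gmail.com none; }

make_root_ca
make_leaf proxy.example.net
make_leaf gmail.com

echo "proxy's own cert presented for gmail.com:          $(question_proxy_cert)"
echo "generated gmail.com cert, root trusted by client:  $(answer_bumped_trusted)"
echo "generated gmail.com cert, root not on the client:  $(answer_bumped_untrusted)"
```

The first line prints "fail" even though the chain verifies, which is the question's situation: a publicly signed certificate for the proxy's own name does not help, because the browser compares the name in the certificate with the host it asked for. The second prints "ok" only because the root was passed in as trusted; the third, the same certificate without the root, prints "fail", which is the answer's catch. In a real deployment only ca.crt (never ca.key) is distributed to clients; on Debian-family Linux hosts that is a copy into /usr/local/share/ca-certificates/ followed by update-ca-certificates, and Firefox keeps its own certificate store, so it has to be added there separately.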