4

I am trying to setup squid3 as an HTTPS proxy using the tutorial given here. I have properly setup the proxy settings in my browser and when I try to hit HTTP web sites, I am able to connect successfully. However, I keep getting a "Connection timed out error" whenever I hit an HTTPS protocol web site and the following error in my /var/log/squid3/cache.log:

2016/06/20 19:12:47|  NF getsockopt(SO_ORIGINAL_DST) failed on local=<local_ip_address>:3129 remote=<remote_ip_address>:55209 FD 8 flags=33: (92) Protocol not available

Here is my /etc/squid3/squid.conf file (commented lines removed for brevity):

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
auth_param basic casesensitive off
auth_param basic credentialsttl 2 hours

acl user_auth proxy_auth REQUIRED

http_access allow user_auth

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow localhost
http_access allow all
http_port 3127

https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/example.com.private cert=/etc/squid3/example.com.cert

ssl_bump server-first all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error deny all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid3

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

always_direct allow all

Here is the output of my squid3 -v:

Squid Cache: Version 3.3.8
 (Ubuntu)
configure options:  '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'

I have spent a lot of time googling this error but could not arrive at a solution which would configure squid as an HTTP proxy. How do I get this working?

jobin
  • 233
  • 1
  • 3
  • 9
  • You need to use `http_port` instead of `https_port`. – Diamond Jun 20 '16 at 14:15
  • @bangal : I am using 3127 for `http_port` and 3129 for `https_port`. However, based on your suggestion, I tried changing `https_port` to `http_port` and the page was inaccessible with the same exception on the browser and in the logs. – jobin Jun 20 '16 at 14:25
  • 1
    @Diamant why did you suggest the http_port instead of https_port? – Walid Jan 11 '19 at 06:07

2 Answers2

3

May be you need to consider usinghttp_port directive with ssl-bump and not https_port, since you have your browsers configured with proxy (CONNECT method).

Intercept mode is appropriate for transparent proxy (no browser settings needed), when packets are automatically forwarded to the proxy using iptables. https_port directive is used to intercept and handle such traffic arriving at proxy.

ssl-bump: http://www.squid-cache.org/Doc/config/ssl_bump/

This option is consulted when a CONNECT request is received on an http_port (or a new connection is intercepted at an https_port), provided that port was configured with an ssl-bump flag. The subsequent data on the connection is either treated as HTTPS and decrypted OR tunneled at TCP level without decryption, depending on the first matching bumping "action".

For ssl-bump example: http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

Diamond
  • 9,001
  • 3
  • 24
  • 38
  • I tried this but ran into the same exception as before (on browser as well as in the `/var/log/squid3/cache.log` file). You may be right, but for some reason, many of the tutorials on the web are using `https_port` for `ssl-bump`! – jobin Jun 20 '16 at 14:30
  • Can you check the syslog while restarting squid? You will surely get a hint if there is any error. You can also try: `squid3 -k parse`. Well, surely you cant declare http_port twice. So, with the https_port may be you can restart squid and check syslog. Also see if the port you have assignend for https_port is available with `netstat` command. – Diamond Jun 20 '16 at 14:43
  • 1
    You can also try with only one `http_port` declaration with ssl-bump and see if it works, if you have not tried already. Both http and https should work. – Diamond Jun 20 '16 at 14:47
  • I am now using only `http_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/example.com.private cert=/etc/squid3/example.com.cert` and restarted squid3 but don't see any exception coming up in `/var/log/syslog`. I have pasted the output of `squid3 -k parse` here: http://pastebin.com/j16MSMjf – jobin Jun 20 '16 at 14:54
  • You are also using intercept mode, which means it is a transparent proxy so take note of that. Also make sure your proxy server can connect to the world on port 443. – Diamond Jun 20 '16 at 14:55
  • Yes, the server can connect to internet using port 443 (I tried `telnet google.com 443` and it connects). Also,I tried removing `intercept` and restarted squid3 and see that my browser is now asking for the username & password (which was not the case before) but then failed with `Secure Connection Failed. The connection to the server was reset while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. ` – jobin Jun 20 '16 at 15:06
  • 1
    this answer is wrong. ssl-bump is available on https_port and when intercepting port 443 that is the correct directive to receive the traffic with. – Amos Jeffries Sep 28 '16 at 03:31
  • @AmosJeffries, you are correct, I have updated my answer. – Diamond Sep 28 '16 at 06:50
2

The error "NF getsockopt(SO_ORIGINAL_DST)" is a NAT error. It has nothing to do with the encryption.

Since you have configured your browser to use the proxy explicitly:

  • you are not intercepting anything. Using the "intercept" option is wrong and leads to the NAT error.

  • the browser would not be using TLS to connect to the proxy. That is the real reason why https_port is wrong to use.

  • the browser will be sending CONNECT messages to port 3127 of the proxy. These are what need to be "bumped".

So what you need to do to is simply to move the ssl-bump settings to your existing http_port line. It should become like this:

http_port 3127 ssl-bump \
   generate-host-certificates=on \
   dynamic_cert_mem_cache_size=4MB \
   key=/etc/squid3/example.com.private \
   cert=/etc/squid3/example.com.cert

Other things you should do to correctly setup SSL-Bump is remove the following lines:

 sslproxy_flags DONT_VERIFY_PEER
 sslproxy_cert_error deny all

 always_direct allow all

They do more harm than good and are not even useful for debugging.

Also, upgrade your proxy to the latest upstream release. TLS and SSL-Bump are involved in a fast changing arms race to do better security, and to decrypt that better security. Using older versions than latest is guaranteed to hit problems one way or another. Squid-3.3 specifically has issues with Elliptic Curve and other recent ciphers, breaks when TLS session resume is used, cannot bypass cert pinning using SNI, generates SHA-1 certificates, etc.

Amos Jeffries
  • 280
  • 1
  • 5