Can't connect to HTTPS websites via squid proxy

Question

I've just tried to create a proxy server on a OpenVZ VPS in CentOS7. All good, but I can't access https websites like google, instagram, facebook, etc..it says timeout, took too long to respond.

I've generated a myCA.pem certificate and using ssl_bump I've linked the signed certificate without errors (checked with systemctl status squid) and now all when I'm trying to connect to the websites above enumerated it gives me no internet error:

Below is my squid.conf and here my cache.log http://pastebin.com/MUkujTig

acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_port 3128 ssl-bump \
 generate-host-certificates=on \
 dynamic_cert_mem_cache_size=4MB \
 key=/etc/squid/ssl_cert/myCA.pem \
 cert=/etc/squid/ssl_cert/myCA.pem

# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB    sslcrtd_children 8 startup=1 idle=1

hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
cache deny all

refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

icp_port 3130

forwarded_for off

request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all

I've added 3128 port in public zone using firewall-cmd

Alex Lucaci · Accepted Answer · 2016-10-06T18:24:59.510

7

For my purpose it doesn't need to use sslbump so I have deleted it and solved it by adding this line in squid.conf dns_v4_first on

edited Oct 06 '16 at 18:24

answered Oct 06 '16 at 16:55

Alex Lucaci

231
1
2
8

score 3 · Answer 2 · edited Apr 01 '20 at 16:17

You log has the following line:

 (ssl_crtd): Failed to initialize /var/lib/ssl_db/index.txt file for writing

Which means that you got mistakes in your sslbump configuration.

The problem with your configuration is that you can't have /var/lib/ssl_db as your sslbump storage, since you won't be able to initialize it with a following command /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db. The ssl_db dir shoudn't exist before you issue the command or it will fail. But squid user can't create the directory in /var/lib because of permissions. So you need to change that directory to /var/lib/squid/ssl_db by doing the following commands (start as as root!):

sudo su (or any other mean to get root shell)
mkdir /var/lib/squid/
chown -R squid:squid /var/lib/squid/
su -l squid -s /bin/bash (next command should be run as squid user, so this step is important)
/usr/lib64/squid/ssl_crtd -c -s /var/lib/squid/ssl_db

If you are successful, the output should display:

 Initialization SSL db...
 Done

Now you change your squid.conf to the new ssl_db directory:

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

And this directive should go from a new line, you got a mistake in your config file:

sslcrtd_children 8 startup=1 idle=1

I hope this will help (unless you are doing some censorship, then I hope it won't :))!

P.S. This is not your case, but I'll add nevertheless:

Different distros place ssl_crtd command into different directories, but people got a tendency to copy config files without checking its existence first. Launching /usr/lib64/squid/ssl_crtd as squid user should display:

Uninitialized SSL certificate database directory: . To initialize, run "ssl_crtd -c -s ".

If it says that command not found, then ssl_crtd might be actually located in /usr/libexec/squid/ssl_crtd

P.P.S. After a two-hour skype session trying to fix the unfixable the solution was found - disabling ipv6, incorrectly configured by the hosting provider :)

Who would have thought, that it all will breakdown to the following commands:

 sysctl -w net.ipv6.conf.all.disable_ipv6=1
 sysctl -w net.ipv6.conf.default.disable_ipv6=1
 sysctl -w net.ipv6.conf.lo.disable_ipv6=1

And adding:

 dns_v4_first on

into squid.conf

Hi, I've done the changes and now the config looks like this http://i.prntscr.com/5c3c520d074c413b8e580f87a61897a3.png , but same error in cache.log with the same /var/lib/ssl_db/index.txt file for writing , I don't know why still trying to acces this folder if i've changed in the config, i've restarted squid with no errors..what am I doing wrong? I am not doing censorship or something complicated, I am just trying to create simple proxy server for using them with instagram, twitter, facebook :D not for complicated things — Alex Lucaci, Oct 06 '16 at 13:12
Can't see your screenshot, getting "access denied". If you are sure you replaced `/var/lib/ssl_db ` with `/var/lib/squid/ssl_db` everywhere in you config, try to "cheat" that stupid squid (mitmproxy works so much better :)) by moving `/var/lib/squid/ssl_db` (created with that command I gave you) to `/var/lib/ssl_db` while retaining the `squid` user ownership — Anubioz, Oct 06 '16 at 13:16
`sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB` — Alex Lucaci, Oct 06 '16 at 13:21
I assume that your squid.conf is ok. Now check all other .conf files in `/etc/squid/` directory. Or just move the folder where it wants it (and make sure to do `chown -R squid:squid /var/lib/ssl_db` after moving) — Anubioz, Oct 06 '16 at 13:24
http://chat.stackexchange.com/rooms/46414/trying-to-help-alex-lucaci-with-his-squid — Anubioz, Oct 06 '16 at 13:46
Worked for CentOS7 and squid-4.7 (uses security_file_certgen instead of ssl_crtd) too: # sudo rm -rf /var/spool/squid/ssl_db # chown -R squid:squid /var/spool/squid # su -l squid -s /bin/bash -bash-4.2$ /usr/lib64/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB Initialization SSL db... Done — junior ruby developer, Oct 07 '20 at 09:47

Can't connect to HTTPS websites via squid proxy

2 Answers2