SSL Intercept and AWS gives "Access Denied" instead of remote site
-
Hi,
I have setup a pfsense on AWS with Squid to use for SSL Intercept. This does not work, unfortunately: when I try to go through the proxy I get an error
ERROR The requested URL could not be retrieved The following error was encountered while trying to retrieve the URL: https://www.svd.se/* Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect. Your cache administrator is admin@localhost. Generated Thu, 20 Apr 2017 21:03:16 GMT by localhost (squid/3.5.23)
I can see that the connection is done properly to the AWS server and the certificate I created is returned OK, i.e., the padlock icon is green. This proves that the connection between the client and the proxy works, I take it.
I have made exactly the same configuration on a virtual machine and there it works, but when I now tried on AWS I get this weird error. I have the default ports setup for Squid (3128 and 3129) and I have opened these in the AWS Security group.
What am I missing?
-
1) Make sure your subnet mask is added under SQUID PROXY: ALLOWED SUBNETS.
2) Make sure to close DHCP Deny Unknown client access.
-
1) Make sure your subnet mask is added under SQUID PROXY: ALLOWED SUBNETS.
I have "Allow Users on Interface" checked in the General Tab - that should override that list, shouldn't it?
2) Make sure to close DHCP Deny Unknown client access.
Could not find that particular setting, I'm afraid.
Just to recap what I have done so far:
- Installed Squid
- Enabled Squid on the one interface I have, WAN, using the default port
- Enabled SSL Filtering, "Splice whitelist, bump otherwise", using the same interface as before, "WAN"
What I am trying to accomplish is to have a gateway between an old Java application (ten to twelve years old) and the more modern sites it wants to talk to. Since the modern sites insist on things like TLS 1.2, which did not exist when the JDK we use was made, I need a MITM solution to terminate one connection and start another one, this time with better encryption.
So, in fewer words:
Old server->old SSL->Squid->MITM->Squid->TLS1.2->secure host
This worked in my test environment (virtual machine via Parallels), where I could set up a browser to use the pfsense machine as an HTTPS proxy, and the above strategy worked just fine (after importing the new root cert).
All based on this article: https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense
If someone has a better idea as to how I should accomplish this, I am all ears, of course. :)
-
-
Okay, I got it.
Just choose Allow Users on Interface + DNS IPV4 Lookup. IT COULD WORK!
Here is a photo for you: http://prntscr.com/ezqoxr
-
Just choose Allow Users on Interface + DNS IPV4 Lookup. IT COULD WORK!
I had the "Allow Users…" already enabled and I have now enabled "DNS IPv4 Lookup..." but to no avail, I'm sad to say.
I checked my ACL tab and I have nothing in there at all (which is, as I have understood it, as it should be).
In the access log I can see this:
Date        Time      IP               Status          Address                                                    User  Destination
23.04.2017  07:26:12  81.xxx.yyy.zzz   TCP_DENIED/403  http://detectportal.firefox.com/success.txt                -     -
23.04.2017  07:26:12  81.xxx.yyy.zzz   TCP_DENIED/403  http://detectportal.firefox.com/success.txt                -     -
23.04.2017  07:26:12  81.xxx.yyy.zzz   TCP_DENIED/403  http://detectportal.firefox.com/success.txt                -     -
23.04.2017  07:26:10  81.xxx.yyy.zzz   TCP_DENIED/403  http://detectportal.firefox.com/success.txt                -     -
23.04.2017  07:26:09  81.xxx.yyy.zzz   TCP_DENIED/403  http://detectportal.firefox.com/success.txt                -     -
23.04.2017  07:26:09  81.xxx.yyy.zzz   TCP_DENIED/403  http://detectportal.firefox.com/success.txt                -     -
23.04.2017  07:21:27  81.xxx.yyy.zzz   TAG_NONE/403    http://localhost:3128/squid-internal-static/icons/SN.png   -     -
23.04.2017  07:21:27  81.xxx.yyy.zzz   TCP_DENIED/200  www.svd.se:443                                             -     -
23.04.2017  07:21:26  81.xxx.yyy.zzz   TAG_NONE/403    https://www.svd.se/                                        -     -
23.04.2017  07:21:25  81.xxx.yyy.zzz   TCP_DENIED/200  www.svd.se:443                                             -     -
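As an added example (not part of the thread, and not pfSense's or Squid's own code): a small Python script that parses the access-log columns quoted above and separates denials on plain http:// requests from denials on TLS traffic (https:// URLs and CONNECT tunnels). In Squid, TCP_DENIED means an http_access rule rejected the request, and plain HTTP never passes through ssl_bump, so a 403 on an http:// URL points at the access-control list rather than at the SSL intercept layer. The sample lines are constructed from the post's log, with the client IP masked as the poster masked it, plus one added TCP_MISS line so an allowed request appears next to the denials.

```python
import re
from collections import Counter

# Constructed sample in the column shape of the pfSense Squid access-log view
# quoted in the thread (date, time, client IP, result tag/status, destination).
# The client IP is masked exactly as in the post; the TCP_MISS line is added.
SAMPLE_LOG = """\
23.04.2017 07:26:12 81.xxx.yyy.zzz TCP_DENIED/403 http://detectportal.firefox.com/success.txt - -
23.04.2017 07:21:27 81.xxx.yyy.zzz TAG_NONE/403 http://localhost:3128/squid-internal-static/icons/SN.png - -
23.04.2017 07:21:27 81.xxx.yyy.zzz TCP_DENIED/200 www.svd.se:443 - -
23.04.2017 07:21:26 81.xxx.yyy.zzz TAG_NONE/403 https://www.svd.se/ - -
23.04.2017 07:21:25 81.xxx.yyy.zzz TCP_DENIED/200 www.svd.se:443 - -
23.04.2017 07:30:00 81.xxx.yyy.zzz TCP_MISS/200 http://example.com/ - -
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<tag>[A-Z_]+)/(?P<code>\d{3})\s+(?P<dest>\S+)"
)


def parse(log_text):
    """Split each line into date, time, client IP, Squid result tag,
    HTTP status code and destination. Lines that do not match are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["code"] = int(row["code"])
            rows.append(row)
    return rows


def is_connect(dest):
    """CONNECT requests are logged as host:port with no scheme."""
    return "://" not in dest and dest.rsplit(":", 1)[-1].isdigit()


def was_denied(row):
    """TCP_DENIED means an http_access rule rejected the request; a 403 on a
    TAG_NONE line is the error page Squid served for that rejection."""
    return row["tag"] == "TCP_DENIED" or row["code"] == 403


def diagnose(rows):
    """Separate denials of plain http:// requests from denials of TLS traffic
    (https:// URLs and CONNECT tunnels) and name the layer to look at first."""
    denied = [r for r in rows if was_denied(r)]
    plain_http = sum(1 for r in denied if r["dest"].startswith("http://"))
    tls = sum(1 for r in denied
              if r["dest"].startswith("https://") or is_connect(r["dest"]))
    if not denied:
        verdict = "no_access_denials"
    elif plain_http:
        # Plain HTTP never touches ssl_bump, so a denial here comes from the
        # http_access ACLs (allowed subnets / allow users on interface).
        verdict = "acl_denies_client"
    else:
        verdict = "only_tls_denied"
    return {
        "total": len(rows),
        "denied": len(denied),
        "allowed": len(rows) - len(denied),
        "denied_plain_http": plain_http,
        "denied_https": tls,
        "denials_by_client": dict(Counter(r["ip"] for r in denied)),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in diagnose(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a log export from the pfSense Squid status page (same column order) to get a per-client count of denials and a verdict; "acl_denies_client" is the case in this thread, where even the Firefox captive-portal probe on port 80 is refused.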
-
Trying to debug the thing, I decided to turn off the SSL Man In the Middle Filtering, just to see if I could get Squid and pfsense on AWS to act as a regular proxy and take it from there. Turns out that that one did not work either :(
I tried a normal, non-SSL site and still get Access Denied. I wonder if there is something weird with AWS and their network that is acting up on me?
On the Inbound rules I have:
Type             Protocol  Port range   Source
HTTP             TCP       80           0.0.0.0/0
Custom UDP Rule  UDP       1194         0.0.0.0/0
SSH              TCP       22           0.0.0.0/0
Custom TCP Rule  TCP       3128 - 3129  0.0.0.0/0
HTTPS            TCP       443          0.0.0.0/0
And on outbound, nothing