Squid transparent proxy + HTTPS
-
I have a squid proxy server in transparent mode with HTTPS filtering, using the custom option for HTTPS: peek + splice. Is there a way for lightsquid to resolve IP addresses to URLs in the statistics without using stare + splice? I don't need to see exactly what page was opened, I only need the name of the host. Right now the statistics in lightsquid look like this (see image)
-
I did it; with these squid custom options (SSL/MITM) it works:
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
but now some sites don't open and return an error like this:
NONE_NONE/000 error:transaction-end-before-headers
What could be the problem?
For example, it happens with the Google Translate site.
-
What sites don’t open?
-
@JonathanLee these sites, for example
https://translate.google.com https://reddit.com/
-
@wndrew did you put your PC at the proxy?
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
This is included already in squid config: https://wiki.squid-cache.org/Features/SslPeekAndSplice
-
@JonathanLee Yes, proxy works in transparent mode
-
Just leave it in transparent mode then. Unless you need the other mode to inspect issues.
-
@JonathanLee What do you mean? I need access to those sites. What may be the problem? Because if I set these settings:
ssl_bump peek all
ssl_bump splice all
everything opens fine.
-
@wndrew That should work. Also, you're not bumping connections; I have no issues with those websites. Did you create certificates?
-
@JonathanLee Yes, I have one
-
How did you configure your Squid? Both transparent and SSL intercept? Loopback also?
-
@JonathanLee Yes, transparent and SSL intercept + loopback
-
@wndrew Those domains should work. Weird, I never have issues with them.
-
This is my advanced config:
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost manager
http_access deny manager
cachemgr_passwd disable offline_toggle reconfigure shutdown
cachemgr_passwd reacted all
eui_lookup on
acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
http_access allow HttpAccess localnet
http_access allow HttpAccess localhost
http_access deny manager
http_access deny to_ipv6
http_access deny from_ipv6
acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all
acl splice_only src 192.168.1.8 #Tasha iPhone
acl splice_only src 192.168.1.10 #Jon iPhone
acl splice_only src 192.168.1.11 #Amazon Fire
acl splice_only src 192.168.1.15 #Tasha HP
acl splice_only src 192.168.1.16 #iPad
acl splice_only_mac arp redacted
acl splice_only_mac arp redacted
acl splice_only_mac arp redacted
acl splice_only_mac arp redacted
acl splice_only_mac arp redacted
acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
#acl markBumped annotate_client bumped=true
acl active_use annotate_client active=true
acl bump_only src 192.168.1.3 #webtv
acl bump_only src 192.168.1.4 #toshiba
acl bump_only src 192.168.1.5 #imac
acl bump_only src 192.168.1.9 #macbook
acl bump_only src 192.168.1.13 #dell
acl bump_only_mac arp redacted
acl bump_only_mac arp redacted
acl bump_only_mac arp redacted
acl bump_only_mac arp redacted
acl bump_only_mac arp redacted
collapsed_forwarding on
negative_dns_ttl 5 minutes
shutdown_lifetime 1 seconds
ssl_bump peek step1
miss_access deny no_miss active_use
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only active_use
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only active_use
acl activated note active_use true
ssl_bump terminate !activated
#acl SSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.bump"
#ssl_bump bump SSLIntercept
Try this setting and see if it helps:
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET,SINGLE_DH_USE,SINGLE_ECDH_USE
-
@JonathanLee it didn't help
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET,SINGLE_DH_USE,SINGLE_ECDH_USE
What version of Squid are you using?
Mine is: Squid Cache: Version 6.3, Service Name: squid
-
@wndrew Squid 6.6 and Squid 5.8
-
Wait... Have you blocked DoH? And HTTP3 DoH over QUIC? Your systems have to use pfSense as the DNS.
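As an added example that is not code from the thread or from the Squid project, the Python script below shows how a practitioner would answer three questions the thread raises from the native access.log alone: which hostnames the step-1 SNI peek exposes for host-level statistics (as opposed to bare IPs, which is the original lightsquid question), which clients logged NONE_NONE/000 error:transaction-end-before-headers and what they had just tunnelled to, and which clients reach DNS-over-HTTPS endpoints (the DoH question in the last post). The log lines and the DoH endpoint list are constructed for the example; the "blame the client's previous tunnel" attribution for the error lines is a heuristic, since the error line itself carries no destination.

```python
"""Summarise Squid native access.log lines from a peek-and-splice setup.

Added example, not code from the thread: host statistics, error attribution
and DoH detection over constructed sample lines.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed starter list of public DoH resolvers; extend it for a real deployment.
DOH_ENDPOINTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}

# Constructed sample lines in the native access.log column layout
# (time elapsed client code/status bytes method url ident hierarchy/peer type).
# A hostname in the url column is the SNI that the step-1 peek recorded; a bare
# IP means no SNI was available. Aborted transactions carry "error:<name>" in
# the url column, as in the thread's NONE_NONE/000 line.
SAMPLE_LOG = """\
1700000001.101   1203 192.168.1.9 TCP_TUNNEL/200 48211 CONNECT translate.google.com:443 - ORIGINAL_DST/142.250.74.78 -
1700000002.202      0 192.168.1.9 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1700000003.303    880 192.168.1.13 TCP_TUNNEL/200 9120 CONNECT reddit.com:443 - ORIGINAL_DST/151.101.1.140 -
1700000004.404      0 192.168.1.13 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1700000005.505    410 192.168.1.5 TCP_TUNNEL/200 2200 CONNECT 17.253.144.10:443 - ORIGINAL_DST/17.253.144.10 -
1700000006.606    305 192.168.1.9 TCP_TUNNEL/200 1800 CONNECT dns.google:443 - ORIGINAL_DST/8.8.8.8 -
1700000007.707    150 192.168.1.5 TCP_TUNNEL/200 1500 CONNECT mozilla.cloudflare-dns.com:443 - ORIGINAL_DST/104.16.248.249 -
"""


def parse_line(line):
    """Split one native-format line into a dict, or return None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    ts, _, client, result, _, method, url, _, hier, _ = fields[:10]
    peer = hier.partition("/")[2]
    rec = {"ts": float(ts), "client": client, "result": result, "host": None,
           "error": None, "dst_ip": None if peer in ("", "-") else peer}
    if url.startswith("error:"):
        # Squid logs aborted transactions with the error name in the url column.
        rec["error"] = url[len("error:"):]
    elif method == "CONNECT":
        rec["host"] = url.rpartition(":")[0]  # strip the :port suffix
    return rec


def is_ip(host):
    """True when the url column held a literal IP rather than an SNI hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def summarize(log_text, error_window=5.0):
    """Aggregate named hosts, unresolved IPs, errors with a candidate host, and DoH use."""
    named_hosts = Counter()
    unresolved_ips = Counter()
    doh_clients = defaultdict(set)
    last_tunnel = {}  # client -> (timestamp, host) of its most recent CONNECT
    errors = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["host"] is not None:
            if is_ip(rec["host"]):
                unresolved_ips[rec["host"]] += 1
            else:
                named_hosts[rec["host"]] += 1
                if rec["host"] in DOH_ENDPOINTS:
                    doh_clients[rec["host"]].add(rec["client"])
            last_tunnel[rec["client"]] = (rec["ts"], rec["host"])
        elif rec["error"] is not None:
            # Heuristic: the error line has no destination, so point at the same
            # client's previous tunnel if it was opened within error_window seconds.
            prev = last_tunnel.get(rec["client"])
            candidate = prev[1] if prev and rec["ts"] - prev[0] <= error_window else None
            errors.append({"client": rec["client"], "error": rec["error"],
                           "candidate_host": candidate})
    return {
        "named_hosts": named_hosts,
        "unresolved_ips": unresolved_ips,
        "errors": errors,
        "doh": {host: sorted(clients) for host, clients in doh_clients.items()},
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host, n in summary["named_hosts"].most_common():
        print(f"{n:5d}  {host}")
    for ip, n in summary["unresolved_ips"].most_common():
        print(f"{n:5d}  {ip}  (no SNI recorded)")
    for err in summary["errors"]:
        print(f"{err['client']}: {err['error']} (previous tunnel: {err['candidate_host']})")
    for host, clients in summary["doh"].items():
        print(f"DoH endpoint {host} reached by {', '.join(clients)}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; a growing "unresolved IPs" list is the signal that the step-1 peek is not seeing an SNI for those connections, and a client that shows up under a DoH endpoint is resolving names outside the pfSense resolver that the last post asks about.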