Netgate Discussion Forum

Squid transparent proxy + HTTPS

Cache/Proxy
17 Posts 2 Posters 2.2k Views
  • W
    wndrew
    last edited by Jul 4, 2024, 5:47 AM

    I have a Squid proxy server in transparent mode with HTTPS filtering, with the custom option for HTTPS set to peek + splice. Is there a way for LightSquid to resolve IP addresses to URLs in the statistics without using stare + splice? I don't need to see exactly which page was opened, I only need the name of the host. Right now the statistics in LightSquid look like this (see image).

    1 Reply Last reply Reply Quote 0
    • W
      wndrew
      last edited by wndrew Jul 8, 2024, 6:07 AM

      I did it, with this squid custom options (SSL/MITM) it works:

      acl step1 at_step SslBump1
      ssl_bump peek step1
      ssl_bump splice all
      

      but now some sites don't open and return an error like this:

      NONE_NONE/000 error:transaction-end-before-headers
      

      What could be the problem?
      For example, it happens with the Google Translate site (see image).

      1 Reply Last reply Reply Quote 0
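Added example, not from the thread or from the Squid project: a small Python parser over constructed native-format access.log lines. It shows the two things discussed above from a defender's side: whether a spliced CONNECT was logged by hostname (SNI seen at step1, which is what LightSquid needs to show names instead of IPs) or only by destination IP, and how often the NONE_NONE/000 error:transaction-end-before-headers entry occurs per client, so the affected clients can be found in the log.

```python
import ipaddress
from collections import Counter

# Constructed sample of Squid native access.log lines (not from the thread).
# Lines 1-2: spliced tunnels logged by SNI; line 3: logged by IP only
# (no SNI seen); line 4: the early-abort error quoted in the thread.
SAMPLE_LOG = """\
1720000000.123    345 192.168.1.10 TCP_TUNNEL/200 5123 CONNECT translate.google.com:443 - ORIGINAL_DST/192.0.2.10 -
1720000001.456    210 192.168.1.10 TCP_TUNNEL/200 8811 CONNECT reddit.com:443 - ORIGINAL_DST/198.51.100.5 -
1720000002.789    200 192.168.1.11 TCP_TUNNEL/200 9876 CONNECT 192.0.2.10:443 - ORIGINAL_DST/192.0.2.10 -
1720000003.012     12 192.168.1.10 NONE_NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
"""

def parse_line(line):
    """Split one native-format access.log line into the fields we care about."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"client": f[2], "status": f[3], "method": f[5], "url": f[6]}

def dest_kind(url):
    """Classify a CONNECT target ('host:port') as 'name' (SNI was seen) or 'ip'."""
    host = url.rsplit(":", 1)[0].strip("[]")  # strip IPv6 literal brackets
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "name"

def summarize(log_text):
    """Count tunnels logged by name vs by IP, and early-abort errors per client."""
    by_kind = Counter()
    errors_by_client = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["url"].startswith("error:transaction-end-before-headers"):
            errors_by_client[rec["client"]] += 1
        elif rec["method"] == "CONNECT":
            by_kind[dest_kind(rec["url"])] += 1
    return {"by_kind": dict(by_kind), "errors_by_client": dict(errors_by_client)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed the script your real access.log instead of SAMPLE_LOG; a high "ip" count means the peek step is not exposing SNI for those tunnels, and the per-client error counts narrow down which hosts hit the early abort.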
      • J
        JonathanLee
        last edited by Jul 8, 2024, 10:35 PM

        What sites don’t open?

        Make sure to upvote

        W 1 Reply Last reply Jul 9, 2024, 5:39 AM Reply Quote 0
        • W
          wndrew @JonathanLee
          last edited by Jul 9, 2024, 5:39 AM

          @JonathanLee these sites, for example:

          https://translate.google.com
          https://reddit.com/
          
          J 1 Reply Last reply Jul 9, 2024, 6:08 AM Reply Quote 0
          • J
            JonathanLee @wndrew
            last edited by JonathanLee Jul 9, 2024, 6:11 AM

            @wndrew did you put your PC behind the proxy?

            acl step1 at_step SslBump1
            This is already included in the Squid config.

            ssl_bump peek step1
            ssl_bump splice all

            https://wiki.squid-cache.org/Features/SslPeekAndSplice

            Make sure to upvote

            W 1 Reply Last reply Jul 10, 2024, 5:31 AM Reply Quote 0
            • W
              wndrew @JonathanLee
              last edited by Jul 10, 2024, 5:31 AM

              @JonathanLee Yes, proxy works in transparent mode

              1 Reply Last reply Reply Quote 0
              • J
                JonathanLee
                last edited by Jul 10, 2024, 5:49 AM

                Just leave it in transparent mode then, unless you need the other mode to inspect issues.

                Make sure to upvote

                W 1 Reply Last reply Jul 12, 2024, 5:30 AM Reply Quote 0
                • W
                  wndrew @JonathanLee
                  last edited by Jul 12, 2024, 5:30 AM

                  @JonathanLee What do you mean? I need access to those sites. What may be the problem? Because if I set these settings:

                  ssl_bump peek all
                  ssl_bump splice all
                  

                  everything opens fine.

                  J 1 Reply Last reply Jul 12, 2024, 8:31 PM Reply Quote 0
                  • J
                    JonathanLee @wndrew
                    last edited by Jul 12, 2024, 8:31 PM

                    @wndrew That should work. Also, you're not bumping connections; I have no issues with those websites. Did you create certificates?

                    Make sure to upvote

                    W 1 Reply Last reply Jul 15, 2024, 5:27 AM Reply Quote 0
                    • W
                      wndrew @JonathanLee
                      last edited by Jul 15, 2024, 5:27 AM

                      @JonathanLee Yes, I have one (see image).

                      1 Reply Last reply Reply Quote 0
                      • J
                        JonathanLee
                        last edited by Jul 15, 2024, 5:44 AM

                        How did you configure your Squid? Both transparent and SSL intercept? Loopback also?

                        Make sure to upvote

                        W 1 Reply Last reply Jul 15, 2024, 6:47 AM Reply Quote 0
                        • W
                          wndrew @JonathanLee
                          last edited by Jul 15, 2024, 6:47 AM

                          @JonathanLee Yes, transparent and SSL intercept + loopback.

                          J 2 Replies Last reply Jul 16, 2024, 5:44 PM Reply Quote 1
                          • J
                            JonathanLee @wndrew
                            last edited by Jul 16, 2024, 5:44 PM

                            @wndrew Those domains should work. Weird, I never have issues with them.

                            Make sure to upvote

                            1 Reply Last reply Reply Quote 0
                            • J
                              JonathanLee @wndrew
                              last edited by Jul 16, 2024, 5:47 PM

                              @wndrew 🤔

                              This is my advanced config:

                              http_access deny !safeports
                              http_access deny CONNECT !sslports
                              http_access allow localhost manager
                              http_access deny manager
                              cachemgr_passwd disable offline_toggle reconfigure shutdown
                              cachemgr_passwd reacted all
                              eui_lookup on
                              acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
                              acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
                              acl CONNECT method CONNECT
                              acl wuCONNECT dstdomain www.update.microsoft.com
                              acl wuCONNECT dstdomain sls.microsoft.com
                              http_access allow CONNECT wuCONNECT localnet
                              http_access allow CONNECT wuCONNECT localhost
                              http_access allow windowsupdate localnet
                              http_access allow windowsupdate localhost
                              http_access allow HttpAccess localnet
                              http_access allow HttpAccess localhost
                              http_access deny manager
                              http_access deny to_ipv6
                              http_access deny from_ipv6
                              
                              acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
                              acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
                              sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
                              sslproxy_cert_error deny all
                              
                              acl splice_only src 192.168.1.8 #Tasha iPhone
                              acl splice_only src 192.168.1.10 #Jon iPhone
                              acl splice_only src 192.168.1.11 #Amazon Fire
                              acl splice_only src 192.168.1.15 #Tasha HP
                              acl splice_only src 192.168.1.16 #iPad
                              
                              acl splice_only_mac arp redacted
                              acl splice_only_mac arp redacted
                              acl splice_only_mac arp redacted
                              acl splice_only_mac arp redacted
                              acl splice_only_mac arp redacted
                              
                              acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
                              acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
                              
                              #acl markBumped annotate_client bumped=true
                              acl active_use annotate_client active=true
                              
                              acl bump_only src 192.168.1.3 #webtv
                              acl bump_only src 192.168.1.4 #toshiba
                              acl bump_only src 192.168.1.5 #imac
                              acl bump_only src 192.168.1.9 #macbook
                              acl bump_only src 192.168.1.13 #dell
                              
                              acl bump_only_mac arp redacted
                              acl bump_only_mac arp redacted
                              acl bump_only_mac arp redacted
                              acl bump_only_mac arp redacted
                              acl bump_only_mac arp redacted
                              
                              collapsed_forwarding on
                              negative_dns_ttl 5 minutes
                              shutdown_lifetime 1 seconds
                              
                              ssl_bump peek step1
                              miss_access deny no_miss active_use
                              ssl_bump splice https_login active_use
                              ssl_bump splice splice_only_mac splice_only active_use
                              ssl_bump splice NoBumpDNS active_use
                              ssl_bump splice NoSSLIntercept active_use
                              ssl_bump bump bump_only_mac bump_only active_use
                              acl activated note active_use true
                              ssl_bump terminate !activated
                              
                              #acl SSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.bump"
                              #ssl_bump bump SSLIntercept
                              

                              Try this setting, see if it helps:

                              tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET,SINGLE_DH_USE,SINGLE_ECDH_USE
                              

                              Make sure to upvote

                              W 1 Reply Last reply Jul 17, 2024, 6:49 AM Reply Quote 1
                              • W
                                wndrew @JonathanLee
                                last edited by Jul 17, 2024, 6:49 AM

                                @JonathanLee it didn't help

                                tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET,SINGLE_DH_USE,SINGLE_ECDH_USE
                                

                                What version of Squid are you using?
                                Mine is:

                                Squid Cache: Version 6.3
                                Service Name: squid
                                
                                J 1 Reply Last reply Jul 17, 2024, 5:34 PM Reply Quote 0
                                • J
                                  JonathanLee @wndrew
                                  last edited by Jul 17, 2024, 5:34 PM

                                  @wndrew Squid 6.6 and Squid 5.8

                                  Make sure to upvote

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    JonathanLee
                                    last edited by Jul 18, 2024, 7:24 AM

                                    Wait... Have you blocked DoH? And HTTP3 DoH over QUIC? Your systems have to use pfSense as the DNS.

                                    Make sure to upvote

                                    1 Reply Last reply Reply Quote 0