Score:1

Unable to access HTTP sites through HTTPS Squid proxy

bm flag

I have working configuration for SSL bumping on Squid 4.4 and RHEL8. I'm finding though, that a handful of sites that don't have SSL set up (e.g., http://squidguard.org) are not working.

I've had to cobble together my configuration using several different sources since none seem to offer a definitive approach to setting up SSL bumping. It's possible that I've missed something that would allow Squid to handle both HTTP and HTTPS traffic?

This is what I'm seeing in the log:

1624658033.150  59887 10.108.0.18 TCP_MISS/503 4300 GET http://squidguard.com/favicon.ico - HIER_DIRECT/3.223.115.185 text/html
1624658042.966  60608 10.108.0.18 TCP_MISS/503 4392 GET http://squidguard.com/ - HIER_DIRECT/3.223.115.185 text/html

The error on the browser page says

The following error was encountered while trying to retrieve the URL: http://squidguard.com/
Connection to 3.223.115.185 failed.
The system returned: (110) Connection timed out
The remote host or network may be down. Please try the request again.

The remote host or network isn't down, though. I can reach it when not going through the proxy.

My squid.conf:

acl vdi src 10.108.0.0/20

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching

http_access deny !Safe_ports

http_access allow localhost manager
http_access deny manager

http_access allow vdi

http_access deny all

http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on
https_port 0.0.0.0:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/etc/squid/ssl_cert/myCA.pem

sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
ssl_bump stare all
ssl_bump bump all

cache_dir ufs /var/spool/squid 100 16 256

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

shutdown_lifetime 1 second

I don't have iptables running so I don't have any REDIRECT rules. I do suspect this to be the problem.

roelvanmeer avatar
ie flag
If you don't have REDIRECT rules, how do you access the proxy? If you've configured the proxy in your browser, the proxy isn't transparent and then you don't need SSL bumping at all.
mandza avatar
rs flag
Can you add your iptables configuration? You can check it with: sudo iptables -S
cn flag
I thought SSL bumping is for MITM of accessing HTTPS sites to be able to inspect the traffic. HTTP sites are already unencrypted, so SSL bumping is irrelevant.
bm flag
@roelvanmeer This was a misunderstanding on my part; I thought "SSL Bumping" and "Transparent Proxy" were interchangeable. I'm guessing that manually configuring the proxy on the clients makes the REDIRECT rules unnecessary since it works without them. Ultimately, the problem was outside of the proxy, the server, and the clients. Oddly, the firewall, which I don't control, was configured to allow port 443 but not port 80. This has been corrected and now all traffic flows as expected.
bm flag
@chutz The problem was (see my comment above) that I could not access websites that are only configured for HTTP; e.g., http://www.squidguard.org. When I would attempt to access these sites the connection would time out. On the surface, this might not seem like a significant issue since most of the Internet has moved to HTTPS. There are some cases that cause problems, though. Specifically, CRLs are typically served over HTTP. These were being blocked.
Score:0
bm flag

The issue is moot. The source of the problem was outside the scope of Squid or even the server on which it is running. Port 80 was being blocked at the firewall.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.