Squid Proxy and Certificate problem

sam:

Recently I installed squid proxy on Ubuntu 18.04 and it was working fine for the http requests, but I faced a problem with some applications that require an https connection, so I downloaded the source and compiled it with the following configuration options:

squid -v 
Squid Cache: Version 4.17
Service Name: squid

This binary uses OpenSSL 1.1.1  11 Sep 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--enable-ssl-crtd' '--with-openssl'

What I want is just to use squid to pass http/https traffic through it from a remote system due to some geo restrictions and regardless of the application used. But when I used the certificate for the http/https ports, no traffic is passed at all! Only the http port works, if I don't use any cert with it.

I followed the instructions mentioned here to generate the cert (alternate method), created and initialized the SSL database and also imported the cert in the browser and system wide, but still no luck:

Installing and configuring Squid Proxy for SSL (Bumping or Peek-n-splice)

squid.conf:

acl all src all
http_access allow all
dns_v4_first on
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8     # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10      # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16     # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12      # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16     # RFC 1918 local private network (LAN)


acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump cert=/usr/local/squid/etc/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 3129 intercept ssl-bump cert=/usr/local/squid/etc/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

cache.log:

2023/03/20 16:38:28| Created PID file (/usr/local/squid/var/run/squid.pid)
2023/03/20 16:38:28 kid1| Set Current Directory to /usr/local/squid/var/cache/squid
2023/03/20 16:38:28 kid1| Starting Squid Cache version 4.17 for x86_64-pc-linux-gnu...
2023/03/20 16:38:28 kid1| Service Name: squid
2023/03/20 16:38:28 kid1| Process ID 85942
2023/03/20 16:38:28 kid1| Process Roles: worker
2023/03/20 16:38:28 kid1| With 655350 file descriptors available
2023/03/20 16:38:28 kid1| Initializing IP Cache...
2023/03/20 16:38:28 kid1| DNS Socket created at [::], FD 9
2023/03/20 16:38:28 kid1| DNS Socket created at 0.0.0.0, FD 13
2023/03/20 16:38:28 kid1| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2023/03/20 16:38:28 kid1| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2023/03/20 16:38:28 kid1| Adding nameserver 8.8.4.4 from /etc/resolv.conf
2023/03/20 16:38:28 kid1| helperOpenServers: Starting 5/5 'security_file_certgen' processes
2023/03/20 16:38:28 kid1| Logfile: opening log daemon:/usr/local/squid/var/logs/access.log
2023/03/20 16:38:28 kid1| Logfile Daemon: opening log /usr/local/squid/var/logs/access.log
2023/03/20 16:38:28 kid1| Store logging disabled
2023/03/20 16:38:28 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/03/20 16:38:28 kid1| Target number of buckets: 1008
2023/03/20 16:38:28 kid1| Using 8192 Store buckets
2023/03/20 16:38:28 kid1| Max Mem  size: 262144 KB
2023/03/20 16:38:28 kid1| Max Swap size: 0 KB
2023/03/20 16:38:28 kid1| Using Least Load store dir selection
2023/03/20 16:38:28 kid1| Set Current Directory to /usr/local/squid/var/cache/squid
2023/03/20 16:38:28 kid1| Finished loading MIME types and icons.
2023/03/20 16:38:28 kid1| HTCP Disabled.
2023/03/20 16:38:28 kid1| Squid plugin modules loaded: 0
2023/03/20 16:38:28 kid1| Adaptation support is off.
2023/03/20 16:38:28 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 26 flags=9
2023/03/20 16:38:28 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3129 remote=[::] FD 27 flags=41
2023/03/20 16:38:29 kid1| storeLateRelease: released 0 objects

access.log:

1679355519.102      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.554      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.555      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.556      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.556      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.557      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.558      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.559      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.559      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.560      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.561      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
ifconfig:

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.106  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::2xx:xxxx:fexx:xxxx  prefixlen 64  scopeid 0x20<link>
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 347695  bytes 334612753 (334.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 281191  bytes 166987314 (166.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

So what am I doing wrong here? And as I mentioned before, all I want is just to pass all the traffic without any restrictions through squid (like a public proxy), so if there is a fix or any alternative method for this please let me know.

Regards
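As an added example (not part of sam's post or of the answer below): a small POSIX shell/awk script that reads the `intercept` ports out of a squid.conf and counts the access.log CONNECT requests aimed at them. An `intercept` port expects NAT-redirected TCP, not explicit-proxy CONNECT requests, so a client pointed straight at it produces zero-byte NONE_ABORTED/200 entries like the ones above. The config and log lines inside the script are constructed samples modelled on the question.

```shell
#!/bin/sh
# Added example (not from the thread). Cross-checks squid.conf against
# access.log: which listening ports are "intercept", and how many CONNECT
# requests (explicit-proxy style) clients sent to exactly those ports.

# Print the port of every http_port/https_port line carrying "intercept".
intercept_ports() {            # $1 = squid.conf
    awk '($1 == "http_port" || $1 == "https_port") {
             for (i = 3; i <= NF; i++) if ($i == "intercept") {
                 sub(/.*:/, "", $2); print $2 } }' "$1"
}

# Count access.log lines (native format: time elapsed client result bytes
# method url ...) whose method is CONNECT and whose target port is listed.
connects_to_ports() {          # $1 = access.log, $2... = ports
    log=$1; shift
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $6 == "CONNECT" { split($7, hp, ":"); if (hp[2] in want) c++ }
        END { print c + 0 }' "$log"
}

# Constructed sample input modelled on the question (not real captures).
CONF=$(mktemp); LOG=$(mktemp)
cat >"$CONF" <<'EOF'
http_port 3128 ssl-bump cert=/usr/local/squid/etc/certs/squid-ca-cert-key.pem
https_port 3129 intercept ssl-bump cert=/usr/local/squid/etc/certs/squid-ca-cert-key.pem
EOF
cat >"$LOG" <<'EOF'
1679355519.102      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355622.554      0 192.168.0.106 NONE_ABORTED/200 0 CONNECT 192.168.0.106:3129 - HIER_NONE/- -
1679355700.010    145 192.168.0.50 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/203.0.113.10 -
EOF

PORTS=$(intercept_ports "$CONF")
N=$(connects_to_ports "$LOG" $PORTS)
echo "intercept ports: $PORTS"
echo "CONNECT requests sent to intercept ports: $N (these are never tunnelled)"
```

Point the two heredocs at the real /usr/local/squid/etc/squid.conf and access.log paths to run it against a live install.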

Answer (hasto):

Try to troubleshoot by running squid in the foreground and see what it gives in the Ubuntu console:

squid -N -d999 -f /etc/squid/squid.conf

  • -N: run in the foreground
  • -d999: show debug messages
  • -f: choose the squid config file

Have you also run this before running squid, to create the folder?

/usr/local/squid/libexec/security_file_certgen -c -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB

Please set ownership of the squid folder and all subfolders to "proxy" (squid will run as the "proxy" user in Ubuntu):

  • /usr/local/squid/
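The checks the answer lists, as an added example script (not the answerer's own): pre-flight functions that take the install prefix and run-as user as arguments. It assumes the /usr/local/squid prefix and cert path from the question and the "proxy" user from the answer; the `squid -k parse` step is only run when the binary is present.

```shell
#!/bin/sh
# Added example (not the answerer's script): pre-flight checks for the
# points raised in the answer, written as functions that take paths and
# the run-as user as arguments. Assumed layout: the /usr/local/squid prefix
# from the question and the "proxy" user named in the answer.

# 0 when the dynamic-cert database exists and is owned by the run-as user.
ssl_db_ready() {               # $1 = ssl_db directory, $2 = expected owner
    if [ ! -d "$1" ]; then
        echo "missing $1; create it with: security_file_certgen -c -s $1 -M 4MB"
        return 1
    fi
    owner=$(stat -c '%U' "$1")         # GNU stat (Linux)
    [ "$owner" = "$2" ] && return 0
    echo "$1 is owned by $owner, expected $2 (chown -R $2 $1)"
    return 1
}

# 0 when the cert= file holds both the CA certificate and its private key;
# with no key= option squid reads the key from the same PEM file.
ca_pem_complete() {            # $1 = PEM file
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$1" || { echo "$1: no certificate"; return 1; }
    grep -q 'BEGIN .*PRIVATE KEY' "$1" || { echo "$1: no private key"; return 1; }
}

# Run every check, parse the config if squid is installed, and print the
# foreground command from the answer with the install-prefix paths.
preflight() {                  # $1 = install prefix, $2 = run-as user
    rc=0
    ssl_db_ready "$1/var/cache/squid/ssl_db" "$2" || rc=1
    ca_pem_complete "$1/etc/certs/squid-ca-cert-key.pem" || rc=1
    if [ -x "$1/sbin/squid" ]; then
        "$1/sbin/squid" -k parse -f "$1/etc/squid.conf" || rc=1
    fi
    echo "then watch it live with: $1/sbin/squid -N -d999 -f $1/etc/squid.conf"
    return $rc
}

# Usage: sh preflight.sh /usr/local/squid proxy
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```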

Comment from sam: Thanks for the reply. I tried the https proxy with curl, but I get this: "SSL certificate problem: self signed certificate in certificate chain". Is there any workaround?

Comment from hasto: If using curl, we can ignore SSL by using `curl -k` to test whether it works or fails.

Comment from hasto: If using a browser, we can import the self-signed certificate into the trusted root store. Windows: [windowsreport.com](https://windowsreport.com/install-windows-10-root-certificates/), [thesslstore.com](https://www.thesslstore.com/knowledgebase/ssl-install/how-to-import-intermediate-root-certificates-using-mmc/). Ubuntu: [ubuntu.com](https://ubuntu.com/server/docs/security-trust-store)