Discussion:
[squid-users] SSL Bump and NF getsockopt failed
Job
2015-10-02 11:31:43 UTC
Hello,

I have enabled SSL Bump with certificates; I redirect port 443 to port 3129 of my Squid server, but https sites are not accessible anymore and I can see these errors in the logs:

ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.xxx

The section regarding SSL Bump in squid.conf is the following:

http_port 3128
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all

And https traffic, with NAT, goes out without any problems.

Where am I wrong?

Thank you!
Francesco
Amos Jeffries
2015-10-03 05:44:25 UTC
On 3/10/2015 12:31 a.m., Job wrote:
> Hello,
>
> I have enabled SSL Bump with certificates; I redirect port 443 to port 3129 of my Squid server, but https sites are not accessible anymore and I can see these errors in the logs:
>
> ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.10.xxx

The connection arriving at Squid does not have any NAT records in the
Squid machine kernel.

It is mandatory that NAT be done on the Squid machine. Not on some
remote router (aka CPE "port-forwarding").
<http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat>


It is mandatory that you *not* test NAT ports by configuring your
browser to use the proxy via it. Configure the testing browser the same
way the clients would be configured.

Amos
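The mechanism behind Amos's answer, as an added example (my code, not from the thread and not Squid's own): in intercept mode Squid asks the local netfilter conntrack table for the address the client really dialled, via getsockopt(SOL_IP, SO_ORIGINAL_DST). That table only has a REDIRECT record when the NAT happened in the kernel of the Squid box itself; a connection port-forwarded from another router, or a manual "telnet localhost 3129", has no such record, and that is the condition Squid logs as "NF getsockopt(ORIGINAL_DST) failed". The probe below does the same lookup on each accepted connection and also emits the PREROUTING rules that must live on the Squid box. The LAN interface eth1, the intercept ports 3128/3129 and the listening address are assumptions, not values from the thread; it is Linux-only.

```python
"""Added example, not from the thread or from Squid: reproduce the
SO_ORIGINAL_DST lookup that Squid's intercept mode performs.

Assumed values (not from the thread): LAN interface eth1, intercept
ports 3128 (http) and 3129 (https), listening on 0.0.0.0.  Linux only.
"""
import socket
import struct
import subprocess
import sys

SO_ORIGINAL_DST = 80  # from <linux/netfilter_ipv4.h>; Linux-specific


def parse_sockaddr_in(raw: bytes) -> tuple:
    """Decode the 16-byte struct sockaddr_in that SO_ORIGINAL_DST fills in:
    sin_family is in host byte order, sin_port and sin_addr in network order."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    (family,) = struct.unpack_from("=H", raw, 0)
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    (port,) = struct.unpack_from("!H", raw, 2)
    return socket.inet_ntoa(raw[4:8]), port


def pack_sockaddr_in(ip: str, port: int) -> bytes:
    """Inverse of parse_sockaddr_in (documents the layout; used by tests)."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))


def original_dst(conn: socket.socket):
    """Return (ip, port) from the local conntrack table, or None when this
    kernel has no entry for the connection (the failure Squid reports)."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except (OSError, AttributeError) as exc:
        # ENOENT: no conntrack entry; EOPNOTSUPP/ENOPROTOOPT: no conntrack
        # support for this socket type; AttributeError: not Linux.
        sys.stderr.write(f"SO_ORIGINAL_DST failed: {exc}\n")
        return None
    return parse_sockaddr_in(raw)


def nat_rules(lan_if: str, http_port: int, https_port: int) -> list:
    """REDIRECT rules that must be installed on the Squid box itself
    (nat/PREROUTING on the LAN-facing interface).  Squid's own outbound
    fetches are locally generated and never traverse PREROUTING, so they
    are not looped back into the proxy by these rules."""
    base = ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", lan_if, "-p", "tcp"]
    return [
        base + ["--dport", "80", "-j", "REDIRECT", "--to-ports", str(http_port)],
        base + ["--dport", "443", "-j", "REDIRECT", "--to-ports", str(https_port)],
    ]


def classify(conn: socket.socket) -> str:
    """Describe one accepted connection the way an intercept listener sees it."""
    dst = original_dst(conn)
    if dst is None:
        return "no NAT record in this kernel: not intercepted here"
    if dst == conn.getsockname()[:2]:
        return "conntrack entry but no NAT: client dialled the proxy directly"
    return f"intercepted: client really dialled {dst[0]}:{dst[1]}"


def probe(bind_ip: str, port: int) -> None:
    """Accept connections on an intercept-style port and report each one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen(5)
        print(f"probe listening on {bind_ip}:{port}", file=sys.stderr)
        while True:
            conn, peer = srv.accept()
            with conn:
                print(f"{peer[0]}:{peer[1]} -> {classify(conn)}")


if __name__ == "__main__":
    # Usage (as root, with Squid stopped so port 3129 is free):
    #   python3 probe.py apply   # install the REDIRECT rules once
    #   python3 probe.py         # then open an https URL from a LAN client
    if "apply" in sys.argv[1:]:
        for argv in nat_rules("eth1", 3128, 3129):
            subprocess.run(argv, check=True)
    probe("0.0.0.0", 3129)
```

Run from a LAN client you should see "intercepted: client really dialled a.b.c.d:443"; a telnet from the Squid box to its own port prints the "dialled the proxy directly" line, which is why that test tells you nothing about the NAT path.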
Job
2015-10-05 12:06:36 UTC
Hello Amos!

>The connection arriving at Squid does not have any NAT records in the
>Squid machine kernel.

>It is mandatory that NAT be done on the Squid machine. Not on some
>remote router (aka CPE "port-forwarding").

The iptables gateway is in the same machine where Squid+SSL bump run.

Our transparent proxy for 80/HTTP works perfectly, but users cannot access https pages.

From the console, if I telnet localhost 3129 (https intercept port), I get no connection, even though in netstat -avn | grep 3129 I have active and listening connections.

Please note I use the REDIRECT --to-port command in iptables.

Where am I wrong?

Thank you!
Francesco
Job
2015-10-07 12:28:40 UTC
Hi Amos!

Resolved: in squid.conf I have to write ip:port instead of :port.
As an example, 192.168.10.254:3129 works with interception.

With only :3129 it does not work!

Francesco

Amos Jeffries
2015-10-12 17:18:47 UTC
On 8/10/2015 1:28 a.m., Job wrote:
> Hi Amos!
>
> Resolved: in squid.conf I have to write ip:port instead of :port.
> As an example, 192.168.10.254:3129 works with interception.
>
> With only :3129 it does not work!

Try it without the colon. You only need a colon to separate the
ip/hostname and port values.

Amos
Veiko Kukk
2015-10-06 14:11:38 UTC
Hi everyone,

I have successfully set up reverse proxy and ICP communication between
siblings. I'd like to encrypt cache sharing between siblings, but cannot
figure out the optimal solution for this. I have not found from
documentation, how to do ssl encryption between cache_peer hosts so that
cache objects are transferred securely over the Internet.

It works like this: local http client connects to squid with plain http,
squid acts as https client for remote server, fetches objects and stores
them into cache. The question is, how to fetch objects from sibling
caches with ssl and minimal overhead?

My current test system configuration (replaced hostnames with foobar,
the second test sibling just has y.y.y.y ip address in configuration):

cache_effective_user squid
cache_effective_group squid

http_port 3128 accel vhost

cache_peer foo.bar.tld parent 443 0 no-query no-digest originserver ssl sslversion=6 name=foo-1

cache_peer_domain foo-1 .foo.bar.tld

icp_port 3130

cache_peer x.x.x.x sibling 3128 3130 proxy-only

maximum_object_size 64 MB

cache_mem 4 GB

forwarded_for transparent

refresh_pattern -i cgi-bin 0 0% 0
refresh_pattern -i ^http:\/\/AUTH_.*squid.internal.* 2880 100% 10080 override-expire
refresh_pattern . 0 20% 4320

acl foobar_storage dstdomain .bar.tld
acl sibling_list src x.x.x.x/32

http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow sibling_list
http_access deny all

cache_peer_access foo-1 allow foobar_storage
cache_peer_access foo-1 deny all

icp_access allow sibling_list

cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid/ssd 65536 16 256 min-size=0 max-size=1MB

cache_dir aufs /var/cache/squid 1000000 64 256 min-size=1MB

coredump_dir /var/spool/squid

store_id_program /usr/lib64/squid/storeid_file_rewrite /var/spool/squid/store_id_db
store_id_children 20 startup=2
store_id_access allow foobar_storage
store_id_access deny all

####
foo.bar.tld is remote storage service.

Thanks in advance,
Veiko
Amos Jeffries
2015-10-07 08:30:24 UTC
On 7/10/2015 3:11 a.m., Veiko Kukk wrote:
> Hi everyone,
>
> I have successfully set up reverse proxy and ICP communication between
> siblings. I'd like to encrypt cache sharing between siblings, but cannot
> figure out the optimal solution for this. I have not found from
> documentation, how to do ssl encryption between cache_peer hosts so that
> cache objects are transferred securely over the Internet.
>
> It works like this: local http client connects to squid with plain http,
> squid acts as https client for remote server, fetches objects and stores
> them into cache. The question is, how to fetch objects from sibling
> caches with ssl and minimal overhead?

Same way you configured it for the parent proxy. What makes you think it
would be any different?

Amos
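What "the same way as the parent" looks like in practice, as an added example (mine, not from the thread or from Squid's documentation): each sibling gets an https_port that the other caches fetch from, and the sibling cache_peer line carries the same ssl options already used for the foo-1 parent, including a CA file and expected name so the peer certificate is actually verified. The port 3443, the certificate, key and CA paths, and the name sibling-a.example are assumptions; x.x.x.x and 3130 are from Veiko's configuration.

```squid
# Added example, not from the thread or the Squid docs.  Assumed values:
# TLS listener on 3443, the certificate/key/CA paths, and the certificate
# name sibling-a.example.  Apply the first block on every sibling.

# --- on each sibling: a TLS listener that the other caches fetch from ---
https_port 3443 cert=/etc/squid/ssl/sibling.pem key=/etc/squid/ssl/sibling.key
acl sibling_list src x.x.x.x/32
http_access allow sibling_list
http_access deny all
icp_access allow sibling_list

# --- on the local cache: the peer line, with the same ssl options as foo-1 ---
cache_peer x.x.x.x sibling 3443 3130 proxy-only ssl sslversion=6 sslcafile=/etc/squid/ssl/sibling-ca.pem ssldomain=sibling-a.example
```

Two caveats a practitioner should keep in mind: sslflags=DONT_VERIFY_PEER exists for cache_peer but turns the TLS into an unauthenticated tunnel, so use a CA file and ssldomain instead; and ICP itself (3130/udp) has no TLS option in Squid, so the cache queries still cross the Internet in the clear and only the object fetches over the https_port are encrypted.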