Uchenna Nebedum
2018-10-25 16:29:08 UTC
Hi all, thanks to Rafael and Amos, I've been able to set up a Squid proxy
with a MikroTik. SSL bumping is enabled on Squid and I have connected it to
GreasySpoon for content adaptation, but I can't be sure if SSL bumping is
working because I only see adapted content over HTTP and not HTTPS.
Here is my squid.conf:
cache_effective_user proxy
acl localnet src 10.0.0.0/24
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump bump all
ssl_bump bump ssl_force_bump
ssl_bump splice localhost
acl ssl_error_domains dstdomain "/opt/websafety/etc/squid/ssl/error/domains.conf"
acl ssl_error_ips dst "/opt/websafety/etc/squid/ssl/error/ips.conf"
acl ssl_error_ips dst "/opt/websafety/etc/squid/ssl/error/subnets.conf"
sslproxy_cert_error allow ssl_error_domains
sslproxy_cert_error allow ssl_error_ips
shutdown_lifetime 10 seconds
adaptation_access greasyspoon allow all
visible_hostname proxy.example.lan
acl cache_exclude_domainname dstdomain "/opt/websafety/etc/squid/cache/exclude/domain_name.conf"
acl cache_exclude_domainaddr dst "/opt/websafety/etc/squid/cache/exclude/domain_ip.conf"
acl cache_exclude_domainaddr dst "/opt/websafety/etc/squid/cache/exclude/domain_subnet.conf"
acl cache_exclude_domainaddr dst "/opt/websafety/etc/squid/cache/exclude/domain_range.conf"
acl cache_exclude_useraddr src "/opt/websafety/etc/squid/cache/exclude/user_ip.conf"
acl cache_exclude_useraddr src "/opt/websafety/etc/squid/cache/exclude/user_subnet.conf"
acl cache_exclude_useraddr src "/opt/websafety/etc/squid/cache/exclude/user_range.conf"
acl cache_exclude_useragent browser -i "/opt/websafety/etc/squid/cache/exclude/user_agent.conf"
acl cache_exclude_schedule time "/opt/websafety/etc/squid/cache/exclude/schedule.conf"
cache deny cache_exclude_domainname
cache deny cache_exclude_domainaddr
cache deny cache_exclude_useraddr
cache deny cache_exclude_useragent
cache deny cache_exclude_schedule
acl cache_exclude_contenttype rep_mime_type "/opt/websafety/etc/squid/cache/exclude/content_type.conf"
send_hit deny cache_exclude_contenttype
store_miss deny cache_exclude_contenttype
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_replacement_policy lru
minimum_object_size 0 KB
maximum_object_size 4096 KB
dns_timeout 30 seconds
dns_v4_first on
icap_enable on
icap_preview_enable off
icap_preview_size 2048
icap_persistent_connections on
adaptation_send_client_ip on
adaptation_send_username on
icap_service greasyspoon respmod_precache icap://127.0.0.1:1344/response bypass=0
cache_mem 256 MB
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
forwarded_for on
forward_max_tries 25
Here is part of my access.log:
1540473704.606 1021 10.0.0.250 TAG_NONE/200 0 CONNECT 52.97.133.226:443 - HIER_NONE/- -
1540473711.552 465997 10.0.0.254 TCP_TUNNEL/200 4350 CONNECT outlook.office365.com:443 - ORIGINAL_DST/52.97.131.242 -
1540473711.552 163713 10.0.0.254 TCP_TUNNEL/200 4320 CONNECT inbox.google.com:443 - ORIGINAL_DST/216.58.223.197 -
1540473711.552 163689 10.0.0.254 TCP_TUNNEL/200 4231 CONNECT inbox.google.com:443 - ORIGINAL_DST/216.58.223.197 -
And part of my cache.log:
2018/10/25 11:36:21 kid1| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 22 flags=9
2018/10/25 11:36:21 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3126 remote=[::] FD 23 flags=41
2018/10/25 11:36:21 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3127 remote=[::] FD 24 flags=41
2018/10/25 11:36:22 kid1| storeLateRelease: released 0 objects
2018/10/25 11:42:08| Squid is already running! Process ID 3497
2018/10/25 11:46:20| Squid is already running! Process ID 3497
2018/10/25 11:46:24| Squid is already running! Process ID 3497
2018/10/25 11:49:32 kid1| SECURITY ALERT: Host header forgery detected on local=52.97.133.178:443 remote=10.0.0.250:39627 FD 39 flags=33 (local IP does not match any domain IP)
2018/10/25 11:49:32 kid1| SECURITY ALERT: on URL: outlook.office365.com:443
2018/10/25 11:49:32 kid1| SECURITY ALERT: Host header forgery detected on local=52.97.133.178:443 remote=10.0.0.250:39628 FD 39 flags=33 (local IP does not match any domain IP)
2018/10/25 11:49:32 kid1| SECURITY ALERT: on URL: outlook.office365.com:443
2018/10/25 11:49:32 kid1| SECURITY ALERT: Host header forgery detected on local=52.97.133.178:443 remote=10.0.0.250:39629 FD 39 flags=33 (local IP does not match any domain IP)
Please help, I don't know if traffic is being bumped correctly, as I only see
adapted content over HTTP. Thanks for the anticipated help.
--
Nebedum Uchenna
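The question above comes down to reading access.log correctly: a CONNECT that Squid logs as TCP_TUNNEL was relayed as opaque TLS bytes (spliced, or tunnelled as a fallback), so no RESPMOD adaptation could have touched it, while a bumped session shows up as ordinary request lines with https:// URLs after the CONNECT. The script below, an added example and not code from the post, from Squid or from Web Safety, parses lines in Squid's default ("squid") logformat, the layout the excerpt uses, and gives a per-host verdict. The sample log is constructed: the first three lines copy the post's entries, and the example.org lines and the 203.0.113.10 address (a documentation address) are made up.

```python
"""Tell bumped HTTPS sessions from tunnelled ones in a Squid access.log.

Added example for this thread, not code from the original post or from
Squid / Web Safety. Reads Squid's default ("squid") logformat:
  time elapsed client code/status bytes method url ident hier/peer type
"""
from collections import defaultdict
from typing import Dict, Optional
from urllib.parse import urlsplit


class Entry:
    """One access.log record (only the fields this check needs)."""

    def __init__(self, client, tag, status, method, url, hier):
        self.client = client
        self.tag = tag        # TCP_TUNNEL, TAG_NONE, TCP_MISS, ...
        self.status = status  # HTTP status Squid returned to the client
        self.method = method
        self.url = url
        self.hier = hier      # e.g. ORIGINAL_DST/52.97.131.242


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for anything malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    tag, _, status = f[3].partition("/")
    if not status.isdigit():
        return None
    return Entry(client=f[2], tag=tag, status=int(status),
                 method=f[5], url=f[6], hier=f[8])


def host_of(entry: Entry) -> str:
    """CONNECT targets are host:port; bumped requests are full https:// URLs."""
    if entry.method == "CONNECT":
        return entry.url.rsplit(":", 1)[0]
    return urlsplit(entry.url).hostname or entry.url


def summarize(log_text: str) -> Dict[str, dict]:
    """Per destination host, how Squid handled the TLS session.

    - CONNECT logged as TCP_TUNNEL: Squid relayed the encrypted bytes
      unchanged (splice, or a fallback tunnel). Nothing was decrypted, so
      an ICAP RESPMOD service never saw the content.
    - CONNECT logged as TAG_NONE: Squid accepted the CONNECT and is handling
      TLS itself (peek/bump). On its own this does not prove a bump.
    - A request line whose URL starts with https://: in a bumping setup
      Squid logs such a line only after decrypting the request, so this is
      the positive evidence that the session was bumped.
    """
    stats = defaultdict(lambda: {"tunnelled": 0, "connect": 0, "https_requests": 0})
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue  # blank or malformed line
        host = host_of(e)
        if e.method == "CONNECT":
            if e.tag == "TCP_TUNNEL":
                stats[host]["tunnelled"] += 1
            else:
                stats[host]["connect"] += 1
        elif e.url.startswith("https://"):
            stats[host]["https_requests"] += 1
    for s in stats.values():
        if s["https_requests"]:
            s["verdict"] = "bumped"
        elif s["tunnelled"]:
            s["verdict"] = "tunnelled"
        else:
            s["verdict"] = "connect-only"
    return dict(stats)


# Constructed sample: lines 1-3 copy the post's format; the example.org
# lines and 203.0.113.10 (a documentation address) are made up.
SAMPLE_LOG = """\
1540473704.606 1021 10.0.0.250 TAG_NONE/200 0 CONNECT 52.97.133.226:443 - HIER_NONE/- -
1540473711.552 465997 10.0.0.254 TCP_TUNNEL/200 4350 CONNECT outlook.office365.com:443 - ORIGINAL_DST/52.97.131.242 -
1540473711.552 163713 10.0.0.254 TCP_TUNNEL/200 4320 CONNECT inbox.google.com:443 - ORIGINAL_DST/216.58.223.197 -
1540473720.101 35 10.0.0.251 TAG_NONE/200 0 CONNECT example.org:443 - HIER_NONE/- -
1540473720.412 211 10.0.0.251 TCP_MISS/200 15234 GET https://example.org/ - ORIGINAL_DST/203.0.113.10 text/html
1540473721.003 48 10.0.0.251 TCP_MISS/200 4211 GET https://example.org/app.js - ORIGINAL_DST/203.0.113.10 application/javascript
this line is garbage and is skipped
"""

if __name__ == "__main__":
    for host, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host:28} tunnelled={s['tunnelled']} connect={s['connect']} "
              f"https_requests={s['https_requests']} -> {s['verdict']}")
```

Run it against a real access.log with `summarize(open("/var/log/squid/access.log").read())`; any host whose verdict is "tunnelled" could not have been adapted by GreasySpoon, whatever the ssl_bump rules say, and a host stuck at "connect-only" means the CONNECT was accepted but no decrypted request was ever logged for it.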