Re: [squid-users] Issues with ssl-bump in 3.HEAD

From: Mike <mcsnv96_at_afo.net>
Date: Wed, 18 Jun 2014 12:35:17 -0500

I compiled source 3.4.5 from squid-cache.org with all the needed rules
and it is still refusing all connections.
OS (on all 3 tested systems) is Scientific Linux 6.5, kernel is
2.6.32.431.17.1.el6. The latest squid version available in their repo is
3.1.10 which does not have the needed SSL related options.

No unusual errors with configure, make or make install.
-----
     ./configure '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid'
'--disable-dependency-tracking' '--enable-follow-x-forwarded-for'
'--enable-auth'
'--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
'--enable-auth-ntlm=smb_lm,fake'
'--enable-auth-digest=file,LDAP,eDirectory'
'--enable-auth-negotiate=kerberos,wrapper'
'--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests'
'--enable-cachemgr-hostname=localhost' '--enable-delay-pools'
'--enable-epoll' '--enable-icap-client' '--enable-ident-lookups'
'--enable-linux-netfilter' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2'
'--enable-esi' '--enable-ssl' '--enable-ssl-crtd' '--enable-icmp'
'--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384'
'--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl'
'--disable-arch-native' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC'
'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
-----

It works fine on the 2 test servers, yet once again on the production
server it is not working. Iptables is turned off, selinux is disabled.
The rules and the settings are all the same as previously mentioned below,
and yes, we kept the default acl rules.

All traffic (both secure and insecure) is being stopped like this in the
access.log:

TCP_DENIED/403 3725 GET http://yahoo.com/ - HIER_NONE/- text/html
TCP_DENIED/403 3811 GET http://www.squid-cache.org/ - HIER_NONE/- text/html

TCP_DENIED/403 3674 CONNECT local.nixle.com:443 - HIER_NONE/- text/html
TCP_DENIED/403 3677 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
TCP_DENIED/403 3671 CONNECT www.google.com:443 - HIER_NONE/- text/html

Now the strange part is when we enable dansguardian via port 10101, all
insecure traffic works just fine.

Before running configure, make and make install, I grabbed all the needed
packages:

  * wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.5.tar.gz

Usual build chain:

  * yum install perl gcc autoconf automake make wget

Extra pkgs for CentOS/SL based installs

  * yum install libxml2-devel libcap-devel gcc gcc-c++ avr-gcc-c++
    libtool-ltdl-devel openssl-devel ksh perl-Crypt-OpenSSL-X509.x86_64

During the build I got no unusual errors in the configure, make or make
install process.

Here is the full squid.conf:

# Mike 20140618 commented unneeded networks
# acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 66.xx.0.0/16 # our internal network
# acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
# acl localnet src fc00::/7 # RFC 4193 local private network range
# acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all
ssl_bump none localhost
always_direct allow all

visible_hostname xxxxx01.xxxx.net
cache_mgr xxxxsupport_at_xxxx.net

# Uncomment when sys goes to production
#cache_access_log /dev/null
#cache_store_log none
#cache_log /dev/null

# 20141616 Mike - Below line is for troubleshooting only, comment out when sys goes to production
cache_access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
debug_options ALL,0

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 10000 32 512
cache_effective_user squid

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

So any suggestions or other items to check?

Mike

On 6/17/2014 12:34 AM, Amos Jeffries wrote:
> On 17/06/2014 10:30 a.m., Mike wrote:
>> Running into another issue, not sure what's going on here.
>>
>> ALL HTTPS connections are being denied. Temporarily, selinux is disabled
>> and firewall is off. We have it working on 2 other servers with same OS,
>> same kernel, same settings but it is just this one that refuses to allow
>> connections to HTTPS sites.
>>
>> We went with this version since none of the other rpms (3.4x and newer)
>> we could find included the ssl_crtd without manually compiling the
>> entire thing, which we wanted to stay away from if possible, due to ease
>> of updating squid at some point down the road on many servers without
>> having to recompile on dozens (or maybe hundreds by then) when it comes
>> time.
>>
>> The cache.log shows no errors. "squid -k parse" shows no errors.
>>
>> [root_at_servername $]# yum info squid
>> Loaded plugins: security
>> Installed Packages
>> Name : squid
>> Arch : x86_64
>> Epoch : 7
>> Version : 3.5.0.001
>> Release : 1.el6
>> Size : 8.2 M
>> Repo : installed
>>
>> [root_at_servername $]# squid -v
>> Squid Cache: Version 3.HEAD-20140127-r13248
> Hi Mike,
> that package is several months old now and this sounds like one of the
> bugs now fixed. I'm sending Eliezer a request to update the package, you
> may want to do so as well.
>
> I don't see any http_access lines at all in the below config file. Squid
> security policy is "closed by default", so if you omit all access
> permissions nothing is permitted.
>
>
>> From access.log:
>> TCP_DENIED/403 3742 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
>> TCP_DENIED/403 3733 CONNECT startpage.com:443 - HIER_NONE/- text/html
>> TCP_DENIED/403 3736 CONNECT www.google.com:443 - HIER_NONE/- text/html
>>
>> Rules are same as previously mentioned:
>>
>> # Squid normally listens to port 3128
>> http_port 3128
>> http_port 3129 intercept
>> https_port 3130 intercept ssl-bump connection-auth=off
>> generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
>> cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
>>
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
>> sslcrtd_children 50 startup=5 idle=1
>> ssl_bump server-first all
>> ssl_bump none localhost
>> always_direct allow all
>>
>> visible_hostname xxxxx.xx.net
>> cache_mgr xxxx_at_xx.net
>> dns_nameservers xx.xx.xx.xx yy.yy.yy.yy zz.zz.zz.zz
>> hosts_file /etc/hosts
>>
>> #cache_access_log /dev/null
>> #cache_store_log none
>> #cache_log /dev/null
>> # acl blacklist dstdomain -i "/etc/squid/domains"
>> # http_access deny blacklist
>>
>>
>> # Below line is for troubleshooting only, comment out when sys goes to
>> production
>> cache_access_log /var/log/squid/access.log
> The above line should be:
> access_log /var/log/squid/access.log
>
> Also, the cache_log and debug_options lines should remain like this in
> production if at all possible. You can start Squid with the -s command
> line option to pipe the cache critical messages to syslog but Squid
> should always have a cache.log for a backup troubleshooting information
> source.
>
>> cache_store_log /var/log/squid/store.log
>> cache_log /var/log/squid/cache.log
>> debug_options ALL,0
>>
>> # Uncomment and adjust the following to add a disk cache directory.
>> cache_dir ufs /var/spool/squid 10000 32 512
>> cache_effective_user squid
>>
>> The cache store (store.log) shows a lot of entries like this:
>> RELEASE -1 FFFFFFFF 10808232E705173EC05BDDACC2C6F47F ? ?
>> ? ? ?/? ?/? ? ?
> Not to worry, temporary files used as disk-backing store for some
> transactions. We have not yet fully removed the need for this type of
> file from Squid.
>
>
> HTH
> Amos
>
Received on Wed Jun 18 2014 - 17:35:21 MDT
