On 7/06/2013 8:48 p.m., Nuno Fernandes wrote:
> On Friday, June 7, 2013 09:18 WEST, "Nuno Fernandes" wrote:
>
>> On Friday, June 7, 2013 08:19 WEST, Amos Jeffries wrote:
>>
>>>> 10.10.10.254 is the squid box. 3126 is the ssl intercept port.
>>>>
>>>> # grep 3126 /etc/sysconfig/iptables
>>>> [0:0] -A PREROUTING -i vlan10 -s 10.10.10.4 -p tcp -m tcp --dport 443 -j REDIRECT --to-port 3126
>>>>
>>>> Only my ip address is forwarded to 3126... Here is the sslbump part of the conf.
>>>>
>>>> https_port 3126 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/etproxy/ssl/myCA.pem
>>> Funny story ...
>>>
>>> *if* Squid were actually being "transparent proxy" here the outgoing
>>> details on these connections would be "source 10.10.10.4:random-port,
>>> destination some-IP:443". And your rule would loop that connection back
>>> into Squid.
>>>
>>> Unluckily for you "transparent" is currently an alias for "intercept"
>>> and the Squid outgoing IP should not be 10.10.10.4. So the same
>>> behaviour is being caused by something else more difficult to determine.
>>
>> Ok.. changed to intercept. Thanks for the heads up.
>>
>>>> acl sslsniff src 10.10.10.4
>>>> acl sslbumpbypass dst "/etc/etproxy/whitelist.https"
>>>> acl broken_sites dstdomain .twitter.com
>>>> acl broken_sites dstdomain .facebook.com
>>>> always_direct allow sslsniff
>>>> ssl_bump none sslbumpbypass
>>>> ssl_bump none broken_sites
>>>> ssl_bump server-first all
>>>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /etc/etproxy/ssl/ssl_db -M 4MB
>>>> sslcrtd_children 5
>>> For starters check your configuration for the directive "via off" and
>>> *remove* it. If it does not exist, please report that fact.
>> It does not:
>>
>> # grep via /etc/etproxy/* -Ri
>> #
>>
>> (/etc/etproxy is where my conf files are).
>>
>>> When that is done the broken requests should be rejected with a
>>> forwarding loop error message and not DoS the machine while you are
>>> testing for the source of the loop.
>> I don't have any via directive so it seems that I hit some kind of issue. Squid configure parameters are:
>>
>> Squid Cache: Version 3.3.5
>> configure options: '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i686-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,AD_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--with-large-files' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--enable-ssl-crtd' '--with-pthreads' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i686-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience
> After reading http://www.squid-cache.org/Versions/v3/3.3/cfgman/via.html I saw that "Requires: --enable-http-violations". In my configure I don't seem to find that flag. Nevertheless, checking my cache.log I do see:
>
> Via: 1.1 etfw.eurotux.com (squid)
Good. That should be preventing loops.
The ALL,2 will include the details from 11,2 I mentioned. So your log
should contain the outgoing request details.
Amos
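As an added illustration of the point Amos makes about the Via header (this is not code from the thread or from Squid, whose own check is written in C++), the following Python model shows why a proxy can only reject a looped request when the header is present. It uses the Via value quoted from the cache.log above and assumes the proxy's advertised name is the hostname in that entry.

```python
import re
from typing import List, Tuple

# Constructed sample values: the Via entry quoted in the thread, and the
# hostname assumed to be this proxy's advertised name.
PROXY_NAME = "etfw.eurotux.com"
VIA_FROM_LOG = "1.1 etfw.eurotux.com (squid)"

# One Via entry is "protocol-version received-by [(comment)]"; entries are
# comma separated. The comment may itself contain commas, so match entries
# rather than splitting on ','.
_VIA_ENTRY = re.compile(r"([^\s,]+)\s+([^\s,]+)(?:\s*\(([^)]*)\))?")


def parse_via(header: str) -> List[Tuple[str, str, str]]:
    """Return (protocol_version, received_by, comment) for each hop, in order."""
    return [(ver, by, comment) for ver, by, comment in _VIA_ENTRY.findall(header)]


def is_forwarding_loop(via_header: str, own_name: str) -> bool:
    """True when this proxy's own name already appears as a received-by hop.
    received-by may carry a port ("host:port"), so compare the host part only."""
    own = own_name.lower()
    return any(by.lower().split(":")[0] == own for _, by, _ in parse_via(via_header))


def append_via(via_header: str, own_name: str, version: str = "1.1") -> str:
    """The header as it looks after this proxy forwards the request upstream."""
    hop = f"{version} {own_name} (squid)"
    return f"{via_header}, {hop}" if via_header else hop


def passes_until_loop_detected(own_name: str, via_enabled: bool, max_passes: int) -> int:
    """Model a request that is intercepted back into the same proxy on every pass.

    Returns the pass on which the loop is rejected. With the header disabled
    ("via off") nothing distinguishes the re-intercepted request from a fresh
    client request, so it is forwarded again until max_passes is reached."""
    via = ""
    for n in range(1, max_passes + 1):
        if via_enabled and is_forwarding_loop(via, own_name):
            return n
        if via_enabled:
            via = append_via(via, own_name)
    return max_passes
```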
Received on Fri Jun 07 2013 - 10:39:20 MDT