[squid-users] Configuring SSL Bump in transparent/intercept mode

From: Bharath Madhusudan <bharath.madhusudan_at_gmail.com>
Date: Fri, 14 Jun 2013 18:22:00 -0700

I know this question has been asked on this forum in the recent past.
But I could not find any responses that helped my situation. So here
goes.

Some context:

We are an "in the cloud" web-filtering service and have been using
Squid very successfully for over a year now. The way we work is by
having our users point to a DNS server. The DNS server "selectively"
redirects to our squid proxy. For instance, google.com and youtube.com
would be redirected to our Squid proxy (where we would perform traffic
inspection). Not being aware of transparent interception at the time
of product development, we implemented transparent HTTP and HTTPS
interception. Squid was modified to have the same port handle both
intercepted and regularly proxied traffic.

Setup:

Our squid instance is based in the Amazon cloud (base OS is Linux).
The typical customer is a mid-large network behind a NAT that sends us
all of their DNS queries. Some of these DNS queries get translated to
HTTP/HTTPS traffic that then hits squid. The destination website(s)
will think of Amazon as being the source of the traffic.

The Problem Statement:

Due to customer demand, we need to use the SSL Bump feature. As of
now, I have no problems getting dynamic SSL certificate generation to
work in regular proxy (non-intercepted/transparent) mode. But I have
run into issues while getting this to work in transparent/intercepted
mode.

Squid installation details:

./configure --enable-ssl --enable-ssl-crtd --enable-linux-netfilter

relevant squid.conf parameters:
http_access allow all
always_direct allow all
ssl_bump server-first all
# (I have also tried: ssl_bump allow all)

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

http_port 80 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/mycert.pem
http_port 443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/mycert.pem

When I send traffic that I expect to be intercepted to Squid, I get
the following errors in the log file (and a TCP RST from Squid):

ERROR: No forward-proxy ports configured
NF getsockopt(SO_ORIGINAL_DST) failed on local=10.174.14.75:80
remote=107.3.142.99:60377 FD 10 flags=33: (92) Protocol not available

I know I am missing something pretty simple here.

Any help would be hugely appreciated!

Thanks, Bharath
Received on Sat Jun 15 2013 - 01:22:06 MDT
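Added example, not part of the post above and not code from the Squid project: a POSIX shell script that lints the two port-layout problems a reviewer would flag in the posted squid.conf (every http_port is an intercept port, so there is no forward-proxy port; ssl-bump on an http_port intercept for 443, where intercepted TLS needs https_port) and prints the netfilter PREROUTING rules that let Squid answer getsockopt(SO_ORIGINAL_DST). The two config fragments are constructed for the example, and the port numbers 3128/3129/3130 are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the post or the Squid project). Two constructed
# squid.conf fragments: BROKEN_CONF mirrors the posted port layout,
# FIXED_CONF uses the layout Squid expects for interception.
# Ports 3128 (forward), 3129 (http intercept), 3130 (https intercept) are assumed.

BROKEN_CONF='http_access allow all
always_direct allow all
ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
http_port 80 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/mycert.pem
http_port 443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/mycert.pem'

FIXED_CONF='http_access allow all
always_direct allow all
ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
# forward-proxy port: explicitly configured clients and CONNECT bumping
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/mycert.pem
# NAT-redirected plain HTTP (80 -> 3129)
http_port 3129 intercept
# NAT-redirected TLS (443 -> 3130): intercepted TLS needs https_port
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/mycert.pem'

# port_lines TYPE CONF: select the directives of one type (http_port|https_port).
port_lines() { printf '%s\n' "$2" | grep -E "^[[:space:]]*$1[[:space:]]"; }

# lint_squid_ports CONF: print one line per finding, return the finding count.
lint_squid_ports() {
  findings=0
  # 1. Squid 3.2+ insists on at least one http_port that is neither intercept
  #    nor tproxy; otherwise it logs "No forward-proxy ports configured".
  if ! port_lines http_port "$1" | grep -vqE '[[:space:]](intercept|tproxy)([[:space:]]|$)'; then
    echo 'FINDING: no forward-proxy http_port (every http_port is intercept/tproxy)'
    findings=$((findings + 1))
  fi
  # 2. An intercepted port-443 connection starts with a TLS ClientHello, so it
  #    must land on an https_port; ssl-bump on http_port only applies to CONNECT.
  if port_lines http_port "$1" | grep -E '[[:space:]]intercept([[:space:]]|$)' \
       | grep -qE '[[:space:]]ssl-bump([[:space:]]|$)'; then
    echo 'FINDING: http_port ... intercept ssl-bump; use https_port ... intercept ssl-bump for TLS'
    findings=$((findings + 1))
  fi
  return $findings
}

# nat_rules HTTP_PORT HTTPS_PORT: print the netfilter rules intercept mode
# depends on. Squid recovers the real destination with
# getsockopt(SO_ORIGINAL_DST), which the kernel can only answer for
# connections the local nat table redirected; a client that connected
# straight to the proxy's own address (DNS steering, no NAT on the proxy host)
# leaves Squid nothing to look up, and the lookup fails.
nat_rules() {
  printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$1"
  printf 'iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port %s\n' "$2"
}

# Stand-alone run: lint both constructed configs, then show the rules.
echo '--- posted layout ---'
if lint_squid_ports "$BROKEN_CONF"; then echo 'clean'; else echo "$? finding(s)"; fi
echo '--- fixed layout ---'
if lint_squid_ports "$FIXED_CONF"; then echo 'clean'; else echo "$? finding(s)"; fi
nat_rules 3129 3130
```

The lint only catches what is visible in the config text; the SO_ORIGINAL_DST failure is a property of the deployment (whether the connection was NATed on the Squid host), which is why the script prints the rules rather than pretending to check them. The `# comment` lines in FIXED_CONF are ordinary squid.conf comments and are skipped by the port matcher.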

This archive was generated by hypermail 2.2.0 : Mon Jun 17 2013 - 12:00:05 MDT