Re: [squid-users] https could not access with ssl bump in squid 3.4

From: Jerry OELoo <oyljerry_at_gmail.com>
Date: Thu, 27 Feb 2014 17:22:40 +0800

Sorry for the spam,
It looks like I was wrong. After running netstat, I found there is no
program listening on ports 80 and 443, which I think is the reason that
no traffic is redirected by iptables from 80/443 to 3128/3130.
After I changed the client Chrome's proxy port from 80 to 3128, it can
access the internet.

So back to my question. Client A and Server B are in the same LAN, and B
has the squid ssl bump feature on. Now, I want Client A to access HTTPS
via B as proxy, and I want to use ssl bump to read/modify the HTTPS
packets from Client A.
Below are my testing results:

1) Client A, Chrome browser HTTPS proxy setting pointing to Server B's
IP with port 3128: it works, Client A can access HTTPS successfully.
2) Client A, Chrome browser HTTPS proxy pointing directly to Server B's IP
with port 3130: it does NOT work, Client A could not access HTTPS.
As per Amos's suggestion, I should redirect packets from port 443 to squid
port 3130 (iptables .....). Does it mean Squid ssl bump cannot support
client A directly connecting to server B's 3130 port with an HTTPS
request? Should I add another application that listens for HTTPS on port 443
on Server B, and add iptables to redirect 443 traffic to port 3130
so that squid ssl bump can do further analysis? Is this the correct way?
If so, which HTTPS server should I use?
Thanks a lot for your help.

On Thu, Feb 27, 2014 at 4:56 PM, Jerry OELoo <oyljerry_at_gmail.com> wrote:
> Hi All:
> Now I have added the below rules for iptables, and configured client A's
> browser proxy, but it could not connect to server B anyway. Please kindly
> help. Thanks!
>
> 1) Add rules to redirect all data from 80 -> 3128, 443 -> 3130
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130
>
> 2) Change browser proxy setting (if I understand correctly, I should
> change the proxy port as server B has the redirect)
> HTTP Proxy, 10.64.12.101, port 80
> HTTPS Proxy, 10.64.12.101, port 443
>
> Based on the above change, client A could not access the internet, neither
> http nor https, and from access.log in squid, it seems there is no
> log at all. What's wrong? I am confused. Thanks!
>
> On Thu, Feb 27, 2014 at 3:11 PM, Jerry OELoo <oyljerry_at_gmail.com> wrote:
>> Hi Amos:
>> After reading your comments, below are my questions in detail. Thanks a lot.
>> 1) Must Squid SSL Bump be used in a NAT network? In my environment, A and B
>> are in the same LAN. Can B use Squid SSL Bump to capture all of A's https
>> traffic?
>> 2) As mentioned in the original mail, PC A and PC B are in the same LAN; there
>> is no NAT network, and PC B (with squid installed) only has 1 network
>> interface, eth0. As you suggested, I checked iptables; however, I do
>> not know how to redirect port 443 traffic to port 3130 as PC A and PC
>> B are not NATed.
>>
>>
>> On Wed, Feb 26, 2014 at 6:00 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>> On 26/02/2014 8:06 p.m., Jerry OELoo wrote:
>>>> Hi Amos:
>>>> Thanks for your quick feedback.
>>>> 1) I do not understand much of what you said about connecting to host
>>>> 10.64.12.100, I just find it in B's (10.64.12.101) squid cache.log,
>>>>
>>>
>>> It is the reason your ssl-bump is not working. The SSL connection is not
>>> actually going to any relevant web server, but is being connected back to
>>> the client IP.
>>>
>>> The ORIGINAL_DST indicates that these were the IP address details for the server
>>> taken from the TCP packets on the client->server connection which was
>>> intercepted into Squid.
>>>
>>> These connections show up as the client IP being the server if you have one of
>>> these happening:
>>>
>>> * Linux TPROXY mechanism used to intercept, but "intercept" flag used on
>>> the port.
>>>
>>> * client making explicitly configured (PAC file, environment variable or
>>> browser config settings) connections directly to the proxy port.
>>>
>>>
>>>> 2) I do not add any other setting in squid.conf about interception.
>>>>
>>>
>>>
>>> I mean do you have iptables settings using DNAT, REDIRECT or TPROXY
>>> targets to point the port 443 traffic at the Squid https_port ?
>>>
>>>
>>>
>>>> 3) As you mentioned, https_port requires NAT interception, so in my
>>>> scenario, A and B are in the same LAN, and I want A to use B as HTTPS
>>>> proxy, and I want to use SSL bump to monitor A's HTTPS content. So is
>>>> there any way to achieve this?
>>>
>>> Yes. What you have should be enough for the Squid setup. However
>>> interception is done in the networking layers...
>>>
>>> 1) you must first *route* the port 443 packets through the Squid box.
>>>
>>> 2) you must TPROXY/DNAT/REDIRECT *intercept* the packets into the Squid
>>> listening port.
>>>
>>> 3) catch the packets in Squid and ssl-bump.
>>>
>>>
>>> You have shown that you are doing (3). The problem is happening somewhere
>>> at (1) or (2).
>>>
>>> Amos
>>>
>>
>>
>>
>> --
>> Rejoice,I Desire!
>
>
>
> --
> Rejoice,I Desire!

-- 
Rejoice,I Desire!
Received on Thu Feb 27 2014 - 09:22:49 MST
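As an added example (not code from this thread or from the Squid project), a small Python check that scans Squid native-format access.log lines for the symptom Amos describes: an ORIGINAL_DST peer equal to the requesting client's IP, which is what you see when the intercept port receives a connection that was never NAT-redirected (for instance a browser proxy setting pointed straight at the https_port intercept port). The log lines and the 93.184.216.34 origin address are constructed for illustration; the 10.64.12.x addresses are the ones from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Squid native access.log layout (the default "squid" logformat):
# time elapsed client action/status bytes method url user hierarchy/peer type
NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

@dataclass
class Entry:
    client: str
    action: str
    method: str
    url: str
    hier: str   # hierarchy code, e.g. HIER_DIRECT or ORIGINAL_DST
    peer: str   # server address Squid connected to

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for lines that do not match."""
    m = NATIVE.match(line.strip())
    if not m:
        return None
    return Entry(m["client"], m["action"], m["method"], m["url"], m["hier"], m["peer"])

def looped_back(e: Entry) -> bool:
    """True when an intercepted connection's ORIGINAL_DST is the client itself:
    the TCP destination was never rewritten by REDIRECT/DNAT/TPROXY, so Squid
    tries to forward the request back to the client that sent it."""
    return e.hier == "ORIGINAL_DST" and e.peer.split(":")[0] == e.client

def find_loopbacks(lines: List[str]) -> List[Entry]:
    return [e for e in map(parse_line, lines) if e is not None and looped_back(e)]

# Constructed sample lines (not real log output):
SAMPLE = [
    # explicit CONNECT to http_port 3128, forwarded to the real origin: healthy
    "1393491760.123    455 10.64.12.100 TCP_MISS/200 5832 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -",
    # browser pointed straight at the intercept port 3130: ORIGINAL_DST == client
    "1393491761.456      2 10.64.12.100 TCP_MISS/503 0 GET https://10.64.12.100/ - ORIGINAL_DST/10.64.12.100 text/html",
    # properly redirected port 443 traffic: ORIGINAL_DST is the real origin server
    "1393491762.789    301 10.64.12.100 TCP_MISS/200 1203 GET https://www.example.com/ - ORIGINAL_DST/93.184.216.34 text/html",
    "not a squid log line",
]

if __name__ == "__main__":
    for e in find_loopbacks(SAMPLE):
        print(f"misdirected interception: client {e.client} -> {e.hier}/{e.peer} {e.method} {e.url}")
```

Run it against a real access.log with `find_loopbacks(open(path))`; any hit means the packets reached the intercept port without passing through the REDIRECT/DNAT/TPROXY step, so the fix is in the iptables/routing layer rather than in squid.conf.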
