Squid https?


Ok - so a little break in real work.. So here you go, walked through the rest of that walkthru I linked to and it's pretty much spot on.

So in my .conf, did like in the walkthru:

http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
acl broken_sites dstdomain .example.com
ssl_bump none localhost
ssl_bump none broken_sites
ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

Ran through his iptables commands to do the intercepts..

Fired up squid and you see it's listening and intercepting:

2014/06/09 14:12:10| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 25 flags=41

2014/06/09 14:12:10| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3127 remote=[::] FD 26 flags=41

So squid is running on a vm on 192.168.1.219, my actual gateway is .253.

So on my test vm on .13 I pointed its gateway to .219, installed the myCA.pem created in the walkthru, and bing bang zoom:

[screenshot attached: sslbumpworking.png]

Notice the cert that google.com is using ;)

Let me fire up chrome on this vm.. but other than the conf change to enable cache and the first chown command needing to be up a dir, that walkthru looks pretty spot on.

edit: Ok, installed chrome, and ssl-bump is working as designed.. Notice who the https chase.com cert is issued by ;)

[screenshot attached: chromesslbump.png]

Now one thing with chrome - it did not like the .pem, so I just exported that from firefox as .crt and imported that into chrome's trusted CA store.. And there you go, MITM in like 10 minutes tops to set this up, to be honest.

Oh, one other thing I did differently than the walkthru linked to was use 2048 vs 1024 when you create the myCA.pem.

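The setup in the post above, as one script. This is an added example, not code from the thread or from the Squid project: it generates the CA with a 2048-bit key in the single myCA.pem layout (key followed by cert) that https_port cert= expects, writes the DER .crt copy that Chrome took instead of the PEM, initialises the ssl_crtd database and does the chown, and applies the PREROUTING redirects to 3128/3127 with MASQUERADE on the uplink. The CA subject, the interface names, the IPT and SQUID_PREFIX variables and the bump-setup.sh file name are assumptions. mint_host_cert only mimics what ssl_crtd does with generate-host-certificates=on, so you can see on the command line why the chase.com cert shows up as issued by your own CA.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project. Paths follow the
# thread (/usr/local/squid, myCA.pem, ssl_db, ports 3128/3127); CA subject,
# interface names and the IPT / SQUID_PREFIX variables are assumptions.
set -eu

SQUID_PREFIX=${SQUID_PREFIX:-/usr/local/squid}
IPT=${IPT:-iptables}          # IPT=echo prints the rules instead of applying them

# gen_ca DIR: 2048-bit (not the walkthru's 1024) self-signed CA as DIR/myCA.pem.
# A private openssl config keeps this independent of the system openssl.cnf and
# pins the CA profile: CA:TRUE, keyCertSign only.
gen_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -config "$dir/req.cnf" -subj "/O=budman lab/CN=budman squid CA" \
        -keyout "$dir/myCA.key" -out "$dir/myCA.cert" >/dev/null 2>&1
    cat "$dir/myCA.key" "$dir/myCA.cert" > "$dir/myCA.pem"   # layout https_port cert= wants
    rm -f "$dir/myCA.key" "$dir/myCA.cert"
    chmod 600 "$dir/myCA.pem"   # this key can sign a cert for any site: protect it
    # Browsers that refuse the combined PEM (Chrome in the thread) take the
    # certificate alone as DER; this is the ".crt" exported from Firefox.
    openssl x509 -in "$dir/myCA.pem" -outform DER -out "$dir/myCA.crt"
}

# ca_key_bits PEM: RSA modulus size of the CA key (2048 for gen_ca output)
ca_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# mint_host_cert CADIR HOST OUTDIR: sign a leaf for HOST with the bump CA, the
# way ssl_crtd does on the fly. Clients that trust myCA accept it silently;
# anyone who inspects the chain sees our CA as issuer instead of the real one.
mint_host_cert() {
    ca=$1; host=$2; out=$3
    mkdir -p "$out"
    openssl req -new -newkey rsa:2048 -sha256 -nodes -config "$ca/req.cnf" \
        -subj "/CN=$host" -keyout "$out/$host.key" -out "$out/$host.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$out/$host.ext"
    openssl x509 -req -in "$out/$host.csr" -CA "$ca/myCA.pem" -CAkey "$ca/myCA.pem" \
        -CAcreateserial -days 365 -sha256 -extfile "$out/$host.ext" \
        -out "$out/$host.crt" >/dev/null 2>&1
}

# issuer_of CERT: the issuer DN, i.e. what the browser's cert viewer shows
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# init_ssl_db: create the dynamic cert cache named by sslcrtd_program and give
# it to the squid user (the chown step the post mentions); run once, as root.
init_ssl_db() {
    "$SQUID_PREFIX/libexec/ssl_crtd" -c -s "$SQUID_PREFIX/var/lib/ssl_db" -M 4MB
    chown -R squid:squid "$SQUID_PREFIX/var/lib/ssl_db"
}

# intercept_rules LAN_IF WAN_IF: the NAT rules from the thread. Matching on the
# LAN interface redirects only client traffic; Squid's own upstream connections
# are locally generated, never pass PREROUTING, and so are not looped back.
intercept_rules() {
    lan=$1; wan=$2
    $IPT -t nat -A PREROUTING -i "$lan" -p tcp --dport 80  -j REDIRECT --to-ports 3128
    $IPT -t nat -A PREROUTING -i "$lan" -p tcp --dport 443 -j REDIRECT --to-ports 3127
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
    $IPT -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    $IPT -A FORWARD -i "$wan" -o "$lan" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Usage:  sh bump-setup.sh ca /usr/local/squid/ssl_cert
#         sh bump-setup.sh dbinit
#         sh bump-setup.sh rules eth0 eth1      (IPT=echo ... for a dry run)
case ${1:-} in
    ca)     gen_ca "$2"; echo "CA key: $(ca_key_bits "$2/myCA.pem") bits; DER copy: $2/myCA.crt" ;;
    dbinit) init_ssl_db ;;
    rules)  sysctl -w net.ipv4.ip_forward=1 >/dev/null; intercept_rules "$2" "$3" ;;
esac
```

Run with IPT=echo to see the rules without touching the firewall. The box at .219 in the post is not the real gateway, so the clients point their default route at it, and the MASQUERADE is what lets their replies come back. Whoever holds myCA.pem can mint a cert for any host that your clients will accept, so it belongs on the proxy only, readable by the squid user alone.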


Thanks, I don't know what I am doing wrong then.... maybe I need to modify and use his tables rather than my own; problem is I'm not overly good with iptables yet.

I have eth0 as the network and eth1 as "wan", so I just have to retry I guess :/ Though like I said, the proxy worked until I configured it for SSL, then everything just passed through the proxy, no blocking, as if it had free rein to the internet.


FFS this is driving me NUTS! It's still doing the stupid:

2014/06/10 10:27:23 kid1| ERROR: No forward-proxy ports configured.
2014/06/10 10:27:23 kid1| ERROR: No forward-proxy ports configured.
2014/06/10 10:27:23 kid1| ERROR: No forward-proxy ports configured.
2014/06/10 10:27:23 kid1| Finished loading MIME types and icons.
2014/06/10 10:27:23 kid1| HTCP Disabled.
2014/06/10 10:27:23 kid1| Squid plugin modules loaded: 0
2014/06/10 10:27:23 kid1| Adaptation support is off.
2014/06/10 10:27:23 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 17 flags=41
2014/06/10 10:27:23 kid1| Done scanning /usr/local/squid/var/cache/squid dir (0 entries)
2014/06/10 10:27:23 kid1| Finished rebuilding storage from disk.
2014/06/10 10:27:23 kid1|         0 Entries scanned
2014/06/10 10:27:23 kid1|         0 Invalid entries.
2014/06/10 10:27:23 kid1|         0 With invalid flags.
2014/06/10 10:27:23 kid1|         0 Objects loaded.
2014/06/10 10:27:23 kid1|         0 Objects expired.
2014/06/10 10:27:23 kid1|         0 Objects cancelled.
2014/06/10 10:27:23 kid1|         0 Duplicate URLs purged.
2014/06/10 10:27:23 kid1|         0 Swapfile clashes avoided.
2014/06/10 10:27:23 kid1|   Took 0.10 seconds (  0.00 objects/sec).
2014/06/10 10:27:23 kid1| Beginning Validation Procedure
2014/06/10 10:27:23 kid1|   Completed Validation Procedure
2014/06/10 10:27:23 kid1|   Validated 0 Entries
2014/06/10 10:27:23 kid1|   store_swap_size = 0.00 KB
2014/06/10 10:27:24 kid1| storeLateRelease: released 0 objects

Where are your conf entries? And why do you not have anything in cache?

2014/06/09 14:49:08| Squid plugin modules loaded: 0
2014/06/09 14:49:08| Adaptation support is off.
2014/06/09 14:49:08| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 25 flags=41
2014/06/09 14:49:08| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3127 remote=[::] FD 26 flags=41
2014/06/09 14:49:08| Done reading /usr/local/squid/var/cache/squid swaplog (430 entries)
2014/06/09 14:49:08| Finished rebuilding storage from disk.
2014/06/09 14:49:08|       430 Entries scanned
2014/06/09 14:49:08|         0 Invalid entries.
2014/06/09 14:49:08|         0 With invalid flags.
2014/06/09 14:49:08|       430 Objects loaded.
2014/06/09 14:49:08|         0 Objects expired.
2014/06/09 14:49:08|         0 Objects cancelled.
2014/06/09 14:49:08|         0 Duplicate URLs purged.
2014/06/09 14:49:08|         0 Swapfile clashes avoided.
2014/06/09 14:49:08|   Took 0.05 seconds (8380.11 objects/sec).
2014/06/09 14:49:08| Beginning Validation Procedure
2014/06/09 14:49:08|   Completed Validation Procedure
2014/06/09 14:49:08|   Validated 430 Entries
2014/06/09 14:49:08|   store_swap_size = 8536.00 KB
2014/06/09 14:49:09| storeLateRelease: released 0 objects

Let's see what you're doing for iptables as well as your conf.



#
# Recommended minimum configuration:
#
 
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
 
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl whitelist dstdomain "/var/whitelist.list"
 
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
 
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
 
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
 
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
 
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
 
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow whitelist
http_access allow all
 
# And finally deny all other access to this proxy
http_access allow localnet
http_access allow localhost
 
# Squid normally listens to port 3128
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
acl broken_sites dstdomain .example.com
ssl_bump none localhost
ssl_bump none broken_sites
ssl_bump server-first all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 10000 16 256
 
# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid
 
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%
refresh_pattern . 20% 4320
cache_effective_user squid
cache_effective_group squid
 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3128
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Where is your nat table?

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 3127

And I would remove your ACL whitelisting for testing.. Just run thru the guide I linked to.. And you should be up and running in like 10 minutes tops.

Also you need/want a 10GB cache??

What is the full output when you start in debug?



The cache is actually meant to be bigger ;D but I said 10GB was way way way more than enough, but I will probably be told to increase it.

Also it would appear the iptables -L didn't show everything (newwwW):


:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state -i eth1 -o eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
# Completed on Tue Jun 10 10:36:38 2014
# Generated by iptables-save v1.4.14 on Tue Jun 10 10:36:38 2014
*nat
:PREROUTING ACCEPT [608:64919]
:INPUT ACCEPT [1393:114957]
:OUTPUT ACCEPT [137:8464]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Jun 10 10:36:38 2014
# Generated by iptables-save v1.4.14 on Tue Jun 10 10:36:38 2014
*mangle
:PREROUTING ACCEPT [16953:6278577]
:INPUT ACCEPT [16510:6129319]
:FORWARD ACCEPT [443:149258]
:OUTPUT ACCEPT [14319:9474926]
:POSTROUTING ACCEPT [14762:9624184]
COMMIT

 

FORGIVE THE LONG AMOUNT OF DATA

2014/06/11 09:37:28| Set Current Directory to /usr/local/squid/var/cache/squid
2014/06/11 09:37:28| Starting Squid Cache version 3.4.5 for x86_64-unknown-linux-gnu...
2014/06/11 09:37:28| Process ID 4582
2014/06/11 09:37:28| Process Roles: master worker
2014/06/11 09:37:28| With 1024 file descriptors available
2014/06/11 09:37:28| Initializing IP Cache...
2014/06/11 09:37:28| DNS Socket created at [::], FD 5
2014/06/11 09:37:28| DNS Socket created at 0.0.0.0, FD 6
2014/06/11 09:37:28| Adding nameserver 192.168.0.254 from /etc/resolv.conf
2014/06/11 09:37:28| helperOpenServers: Starting 5/5 'ssl_crtd' processes
2014/06/11 09:37:28| Logfile: opening log daemon:/usr/local/squid/var/logs/access.log
2014/06/11 09:37:28| Logfile Daemon: opening log /usr/local/squid/var/logs/access.log
2014/06/11 09:37:28| Unlinkd pipe opened on FD 22
2014/06/11 09:37:28| Store logging disabled
2014/06/11 09:37:28| Swap maxSize 10240000 + 262144 KB, estimated 807857 objects
2014/06/11 09:37:28| Target number of buckets: 40392
2014/06/11 09:37:28| Using 65536 Store buckets
2014/06/11 09:37:28| Max Mem  size: 262144 KB
2014/06/11 09:37:28| Max Swap size: 10240000 KB
2014/06/11 09:37:28| Rebuilding storage in /usr/local/squid/var/cache/squid (dirty log)
2014/06/11 09:37:28| Using Least Load store dir selection
2014/06/11 09:37:28| Set Current Directory to /usr/local/squid/var/cache/squid
2014/06/11 09:37:28| ERROR: No forward-proxy ports configured.
    [the ERROR line above appears 177 times in a row in the original log]
2014/06/11 09:37:28| Finished loading MIME types and icons.
2014/06/11 09:37:28| HTCP Disabled.
2014/06/11 09:37:28| Squid plugin modules loaded: 0
2014/06/11 09:37:28| Adaptation support is off.
2014/06/11 09:37:28| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 25 flags=41
2014/06/11 09:37:28| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3127 remote=[::] FD 26 flags=41
2014/06/11 09:37:28| Done reading /usr/local/squid/var/cache/squid swaplog (154 entries)
2014/06/11 09:37:28| Finished rebuilding storage from disk.
2014/06/11 09:37:28|       154 Entries scanned
2014/06/11 09:37:28|         0 Invalid entries.
2014/06/11 09:37:28|         0 With invalid flags.
2014/06/11 09:37:28|       154 Objects loaded.
2014/06/11 09:37:28|         0 Objects expired.
2014/06/11 09:37:28|         0 Objects cancelled.
2014/06/11 09:37:28|         0 Duplicate URLs purged.
2014/06/11 09:37:28|         0 Swapfile clashes avoided.
2014/06/11 09:37:28|   Took 0.05 seconds (2907.53 objects/sec).
2014/06/11 09:37:28| Beginning Validation Procedure
2014/06/11 09:37:28|   Completed Validation Procedure
2014/06/11 09:37:28|   Validated 154 Entries
2014/06/11 09:37:28|   store_swap_size = 3112.00 KB
2014/06/11 09:37:29| storeLateRelease: released 0 objects


Well, looks like https is bumped:

2014/06/11 09:37:28| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 25 flags=41
2014/06/11 09:37:28| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3127 remote=[::] FD 26 flags=41

And you loaded stuff from cache, so that kind of looks to be working.

So you're doing a mangle - so this box is already the actual gateway? Or just a proxy you're trying to put up on the local network, where the firewall only allows the proxy out?

edit: also you can get rid of those errors by setting up a forward port, say 8080 or something else that is open.

2014/06/11 07:32:16| Accepting HTTP Socket connections at local=[::]:8080 remote=[::] FD 25 flags=9
2014/06/11 07:32:16| Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 26 flags=41
2014/06/11 07:32:16| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3127 remote=[::] FD 27 flags=41

See here, the http socket is on 8080.. This gets rid of those errors..

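The forward-port fix above and the http_access ordering in the squid.conf posted earlier in this thread, checked by a small script. This is an added example, not from the thread or from the Squid project; the sample configs inside it are constructed from the posted one, trimmed to the lines that matter, and the function and squidlint.sh names are mine. Two documented Squid behaviours drive it: http_access is first-match, so `http_access allow all` ahead of the whitelist lets every request through (consistent with the "free rein to the internet" symptom), and Squid needs one http_port without intercept/tproxy for its own URLs or it logs the forward-proxy error at startup.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project: a sanity check for
# the two squid.conf problems visible in this thread. Sample configs below are
# constructed from the posted one.
set -eu

# lint_squid_conf FILE: one finding per line, nothing when the file is clean.
#  - http_access rules are tried top to bottom and the first match decides, so
#    "http_access allow all" makes every later rule unreachable and turns the
#    box into an open proxy; a whitelist ACL after it never blocks anything.
#  - Squid uses the first http_port that is not intercept/tproxy for its own
#    URLs; with none it logs "ERROR: No forward-proxy ports configured."
lint_squid_conf() {
    awk '
        { sub(/#.*/, "") }                      # squid.conf allows trailing # comments
        $1 == "http_access" {
            if (term) { print "unreachable http_access at line " NR ": " $0; next }
            if (NF == 3 && $3 == "all") {
                term = NR
                if ($2 == "allow") print "open proxy: http_access allow all at line " NR
            }
        }
        $1 == "http_port" {
            fwd = 1
            for (i = 3; i <= NF; i++)
                if ($i == "intercept" || $i == "transparent" || $i == "tproxy") fwd = 0
            if (fwd) has_fwd = 1
        }
        END { if (!has_fwd) print "no forward-proxy http_port: add e.g. http_port 8080" }
    ' "$1"
}

# finding_count FILE: number of findings, for use in scripts
finding_count() {
    lint_squid_conf "$1" | grep -c . || true
}

# write_posted FILE: the access section of the config posted in the thread
write_posted() {
    cat > "$1" <<'EOF'
acl localnet src 192.168.0.0/16
acl whitelist dstdomain "/var/whitelist.list"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow whitelist
http_access allow all
http_access allow localnet
http_access allow localhost
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on cert=/usr/local/squid/ssl_cert/myCA.pem
EOF
}

# write_fixed FILE: same intent, with a plain forward port, the whitelist
# enforced for LAN clients only, and deny all as the final rule
write_fixed() {
    cat > "$1" <<'EOF'
acl localnet src 192.168.0.0/16
acl whitelist dstdomain "/var/whitelist.list"
http_port 8080
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on cert=/usr/local/squid/ssl_cert/myCA.pem
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet whitelist
http_access allow localhost
http_access deny all
EOF
}

# Usage: sh squidlint.sh /usr/local/squid/etc/squid.conf
#        sh squidlint.sh              (no argument: lint the posted sample)
case ${1:-} in
    "") f=$(mktemp); write_posted "$f"; lint_squid_conf "$f"; rm -f "$f" ;;
    *)  lint_squid_conf "$1" ;;
esac
```

On the posted sample the script reports the open `allow all`, the two rules behind it that can never be reached, and the missing forward port; on the corrected one it reports nothing. The corrected order is the one the default squid.conf comments describe: port and ACL definitions first, specific denies, then the allows for your own networks, then `deny all` last.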


I have routed using the linux route command to ensure everything can be seen, then the iptables finishes it off. Yes, the server is the gateway for a side network I set up; eth1 acts as the wan (can be any internet connection). Though I should stop using the route command as it uses specific IP addresses, but that is a different problem for a different day.



Hey, sorry to reopen :P I have not got rid of that error yet, but you are right, it appears to be caching and it's using https... but as mentioned before it's basically a man in the middle attack and my systems know that. Is there any way to intercept the certificate and then pass it on with the same signing, or have a cert that will appear to be genuine? I need a good user experience (I hope you can understand what I mean, I am renowned on this forum for making little sense).


"basically a man in the middle attack and my systems know that"

 

How does your system know that.. If your browser trusts the CA, then the user would not be notified - other than the cert showing your info on it, see my budman example.

Dude, I am not going to show you how to do an actual MITM attack ;) where the cert looks like, say, verisign signed it for chase.com, not signed by budman CA ;)

That was not the point of your post - you were having issues getting it working. It now is working from what I can tell. So thread /closed. Doing an actual MITM with valid looking certs is so outside the area of discussion for this forum it's not even funny ;)

You have a good user experience this way - the user is not bugged about an untrusted cert, and https can be decrypted at the proxy. Users should clearly be aware that this is happening -- it is bad bad juju to sniff users' ssl traffic without their knowing about it. Most companies don't even intercept ssl because of the BS that can be had from..
