Re: [squid-users] Configuring SSL Bump in transparent/intercept mode

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Mon, 17 Jun 2013 12:19:39 +0300

On 06/17/2013 12:01 PM, Nuno Fernandes wrote:
>> When I send traffic that I expect be be intercepted to Squid, I get
>> the following errors in the log file (and a TCP RST from squid):
>>
>> ERROR: No forward-proxy ports configured
>> NF getsockopt(SO_ORIGINAL_DST) failed on local=10.174.14.75:80
>> remote=107.3.142.99:60377 FD 10 flags=33: (92) Protocol not available
>>
>> I know I am missing something pretty simple here.
>>
>
> I wouldn't say it is simple. I may be wrong but i think it may not work. To my knowledge, squid in intercept mode will use the original destination of the tcp connection (as passed by netfilter in SO_ORIGINAL_DST) as the server address were it will fetch the x509 cert and mimic that.
> For what i've read in your email, the original destination is your amazon box so it can't connect to itself and fetch the certificate.
>
> Without transparent mode the browser explicits connect to the proxy and request a connection to some server. Then squid can fetch the certificate and mimic that.
>
> A working scenario would be to place a box at customer premisses that would do a GRE tunneling to the Amazon BOX.
>
> Best regards,
> Nuno Fernandes
>
GRE TUNNEL TO AMAZON BOX wouldn't work.
You will need some tunnel and prefer secured one if you are intercepting
any data.

The main idea is to route the traffic through the squid box and not
direct traffic to the squid box since squid logic is to "open the
packets and resolve data based on the packets on how to fake the
connection to the client" (too long).
But since the above is the idea what you have done is pretty useless.
SSL works mostly based on IP so you will need to keep the dst ip without
DNS thingy.
I was asked about it couple times and people just don't understand how
and what it does and there for making this specific mistake of
engineering in development of a product.

if your client has demands you can demand couple things too in order to
complete your task.
Intercepting SSL is not "yet just another thing" it's a very complex and
delicate task that should be handled carefully and smartly.

Eliezer
Received on Mon Jun 17 2013 - 09:20:08 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 17 2013 - 12:00:05 MDT