I am trying to setup squid3 as an HTTPS proxy using the tutorial given here. I have properly setup the proxy settings in my browser and when I try to hit HTTP web sites, I am able to connect successfully. However, I keep getting a "Connection timed out error" whenever I hit an HTTPS protocol web site and the following error in my /var/log/squid3/cache.log:
2016/06/20 19:12:47| NF getsockopt(SO_ORIGINAL_DST) failed on local=<local_ip_address>:3129 remote=<remote_ip_address>:55209 FD 8 flags=33: (92) Protocol not available
Here is my /etc/squid3/squid.conf file (commented lines removed for brevity):
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
auth_param basic casesensitive off
auth_param basic credentialsttl 2 hours
acl user_auth proxy_auth REQUIRED
http_access allow user_auth
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost
http_access allow all
http_port 3127
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/example.com.private cert=/etc/squid3/example.com.cert
ssl_bump server-first all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error deny all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
always_direct allow all
Here is the output of my squid3 -v:
Squid Cache: Version 3.3.8
(Ubuntu)
configure options: '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security'
I have spent a lot of time googling this error but could not arrive at a solution which would configure squid as an HTTP proxy. How do I get this working?
May be you need to consider using
http_portdirective withssl-bumpand nothttps_port, since you have your browsers configured with proxy (CONNECT method).Intercept mode is appropriate for transparent proxy (no browser settings needed), when packets are automatically forwarded to the proxy using iptables.
https_portdirective is used to intercept and handle such traffic arriving at proxy.ssl-bump: http://www.squid-cache.org/Doc/config/ssl_bump/
For ssl-bump example: http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
The error "NF getsockopt(SO_ORIGINAL_DST)" is a NAT error. It has nothing to do with the encryption.
Since you have configured your browser to use the proxy explicitly:
you are not intercepting anything. Using the "intercept" option is wrong and leads to the NAT error.
the browser would not be using TLS to connect to the proxy. That is the real reason why https_port is wrong to use.
the browser will be sending CONNECT messages to port 3127 of the proxy. These are what need to be "bumped".
So what you need to do to is simply to move the ssl-bump settings to your existing http_port line. It should become like this:
Other things you should do to correctly setup SSL-Bump is remove the following lines:
They do more harm than good and are not even useful for debugging.
Also, upgrade your proxy to the latest upstream release. TLS and SSL-Bump are involved in a fast changing arms race to do better security, and to decrypt that better security. Using older versions than latest is guaranteed to hit problems one way or another. Squid-3.3 specifically has issues with Elliptic Curve and other recent ciphers, breaks when TLS session resume is used, cannot bypass cert pinning using SNI, generates SHA-1 certificates, etc.