День добрый.
Добился полностью прозрачного Squid’a, с генерацией самоподписанных SSL, которые вполне себе жуют большинство сайтов, работающих по HTTPS.
Примерно разобрался, как выпустить Squid через parrent proxy.
Вот кусок Squid.conf дочернего сервера (Squid1), отвечающий за parrent proxy:
Код: Выделить всё
cache_peer 192.168.0.162 parent 8080 0 ssl no-query default no-digest no-netdb-exchange originserver
cache_peer_access 192.168.0.162 allow all
never_direct allow all
К сожалению, пока не осилил, как подружить два Squid’a через SSl.
В cache.log дочернего Squid’a вылезает ошибка:
Код: Выделить всё
2014/09/25 06:25:00 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
2014/09/25 06:25:00 kid1| TCP connection to 192.168.0.162/8080 failedАналогичная ошибка вылезает и в браузере:
Код: Выделить всё
(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
В связи в этим вопрос — какие сертификаты надо подсовывать родительскому Squid’у, если надо именно это?
Или настроить ему точно такую же SSL-генерацию как и дочернему?
На всякий случай, вот куски конфигов, описывающие генерацию SSL:
Дочерний squid (Squid1):
Код: Выделить всё
#HTTPS SECTION
https_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl/squid.pem key=/usr/local/etc/squid/ssl/root.key
http_port 127.0.0.1:3129 intercept
http_port 3130
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl/ssl_db -M 4MBРодительский squid (Squid2):
Код: Выделить всё
#HTTPS SECTION
http_port 8080 ssl-bump cert=/usr/local/etc/squid/root.cer key=/usr/local/etc/squid/root.key generate-host-certificates=on
ssl_bump client-first all
sslproxy_cert_error allow allИз одинакового у них только ключевой сертификат root.key
Сорри, раньше с сертификацией особо сталкиваться не приходилось.
День добрый.
Настраивал прозрачное проксирование Squid, + каскадирование, + SSL.
Схема такая клиент====>Squid1=====>Squid2=====>Интернет.
Добился полностью прозрачного Squid’a, с генерацией самоподписанных SSL, которые вполне себе жуют большинство сайтов, работающих по HTTPS.
Примерно разобрался, как выпустить Squid через parrent proxy.
Вот кусок Squid.conf дочернего сервера (Squid1), отвечающий за parrent proxy:
Код: Выделить всё
cache_peer 192.168.0.162 parent 8080 0 ssl no-query default no-digest no-netdb-exchange originserver
cache_peer_access 192.168.0.162 allow all
never_direct allow all
К сожалению, пока не осилил, как подружить два Squid’a через SSl.
В cache.log дочернего Squid’a вылезает ошибка:
Код: Выделить всё
2014/09/25 06:25:00 kid1| fwdNegotiateSSL: Error negotiating SSL connection on FD 13: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol (1/-1/0)
2014/09/25 06:25:00 kid1| TCP connection to 192.168.0.162/8080 failed
Аналогичная ошибка вылезает и в браузере:
Код: Выделить всё
(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
В связи в этим вопрос — какие сертификаты надо подсовывать родительскому Squid’у, если надо именно это?
Или настроить ему точно такую же SSL-генерацию как и дочернему?
На всякий случай, вот куски конфигов, описывающие генерацию SSL:
Дочерний squid (Squid1):
Код: Выделить всё
#HTTPS SECTION
https_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl/squid.pem key=/usr/local/etc/squid/ssl/root.key
http_port 127.0.0.1:3129 intercept
http_port 3130
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl/ssl_db -M 4MB
Родительский squid (Squid2):
Код: Выделить всё
#HTTPS SECTION
http_port 8080 ssl-bump cert=/usr/local/etc/squid/root.cer key=/usr/local/etc/squid/root.key generate-host-certificates=on
ssl_bump client-first all
sslproxy_cert_error allow all
Из одинакового у них только ключевой сертификат root.key
Сорри, раньше с сертификацией особо сталкиваться не приходилось.
Последний раз редактировалось f_andrey 2014-09-25 11:20:42, всего редактировалось 1 раз.
Причина: Автору. пожалуйста, выбирайте соответствующий раздел форума.
Hi folks,
Right off the bat I’d like to thank the pfSense guys, the Squid guys, the SquidGuard guys, the Shallalist guys and the people willing to help on this forum. Because of people like you we are able to filter pretty much anything we want, whether it be for a reasonable cause or just to make everyone at home mad because Facebook no longer works. God indeed exists.
Rather than just telling you how awesome you are, I do have some questions regarding this software and how exactly it should work. I was tasked with filtering adult/malware sites and would greatly appreciate your help. I also promise not to abuse this power for before-mentioned purposes, let God be my witness.
I have only a few desktop computers for now which need an active filter(thinking about all WiFi devices but that’s future-proofing and not relevant so much right now). I envisioned a simple proxy server running somewhere in my network. I would not be using this as a gateway between my ISP router and my network. If you think this is a grave mistake on my part, please let me know.
So, my setup right now is this:
VmWare VM, running on Workstation 12
Hardware on the host-side
CPU: AMD Athlon FX-4100 3.6GHz
RAM: 16GB
HDD: WD Black 1TB
Software on the host-side
OS: Windows 10 Professional LTSB N
Hardware on the guest VM
CPU: AMD Athlon FX-4100 3.6GHz (1 core)
RAM: 1GB
HDD: 20GB
Software on the VM (I'll just copy and paste the System Information info
Name pfSense. <classified>Version 2.2.6-RELEASE (amd64)
built on Mon Dec 21 14:50:08 CST 2015
FreeBSD 10.1-RELEASE-p25
Platform pfSense
CPU Type AMD FX(tm)-4100 Quad-Core Processor
Current: 452 MHz, Max: 3616 MHz
DNS server(s) 127.0.0.1
<classified><classified>8.8.8.8
Packages which are installed and running
Lightsquid Network Management 2.43
Open-VM-Tools System 1280544.13
squid3 Services 0.4.7
squidGuard Network Management 1.9.18</classified></classified></classified>
Current setup works like this:
- 2 network cards, one is used as WAN, the other is LAN, but both are really part of the same network
- Transparent HTTP proxy is enabled
- SSL middleman tactics are enabled
- Self-signed SSL certificate created, imported on some test machines
- SquidGuard setup with Shallalist blacklist, some common ACL categories setup(porn, warez), also setup a dummy target category so to make SquidGuard boot up
- SquidGuard is setup to just show a blank page. I did this because when an average user accesses a website which is blocked, they don’t really know what’s going on or what to do, and generally think the Internet is at fault. This approach suits me just fine
If any more info is required please let me know.
So, time for questions!
1. Why on God’s green Earth do I get the following error message when I access only some HTTPS sites? For instance if I try to reach » https://palemoon.start.me/start » I get the following error message:
The following error was encountered while trying to retrieve the URL: ://54.230.94.85:443
Failed to establish a secure connection to 54.230.94.85
The system returned:
(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
While Facebook, Google, Paypal work just fine and dandy. Ordinarily, when SquidGuard blocks a website, it’s SquidGuard who does it. This error message defaults back to Squid. Why does this happen? Show me my error and make me smarter.
2. For some reason, Squid likes to make fun of me and my filters. When accessing a blocked website which resides on HTTPS I don’t get the blank webpage which is supposed to be shown, but rather a certificate error. And if I accept said certificate, I get another error like the one above:
The following error was encountered while trying to retrieve the URL: ://141.101.118.194:443
Failed to establish a secure connection to 141.101.118.194
The system returned:
(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
Your cache administrator is admin@localhost.
The thing works just fine if I access a HTTP site. Blank webpage and everything. You probably already know what I’m doing wrong, please enlighten me.
3. Transparent vs. non-transparent – which is better and why? Discuss!!!
My understanding is this, transparent is great because it works on everything and requires almost no additional configuration on the network(except changing the gateway from the existing one(eg ISP router) to the pfSense LAN IP). It’s bad because it doesn’t work with self-signed SSL certificates, so whenever you access a HTTPS site, you get an error saying the certificate is not valid or some-such nonsense. Would this be remedied by a valid SSL certificate bought from a site such as GoDaddy or somesuch?
If I enable non-transparent, I didn’t really get any traffic on my setup, probably did something wrong. Are the SSL problems existent on non-transparent as well? I am open to non-transparent, thanks to this helpful answer: https://forum.pfsense.org/index.php?topic=107909.msg601236#msg601236
Enabling this WPAD thingy sounds like a lot of fun. But I read somewhere it doesn’t work with Android phones. Is this really true? Is really nothing perfect? Are there any other drawbacks of this approach?
4. In my current setup, Skype and Outlook do not work. I am unable to sign into Skype, and Outlook just asks for a bunch of certificates and refuses to connect to the server even after adding the certificates to trusted root. Why?
I think that’s pretty much it at this point. I guess what I’m really looking for are real-world examples and what would be the best way to go in regards to what I need – blocking a few categories of websites and a rudimentary report system(which LightSquid provides). If you made it this far, thanks! You’re a bro.
I have a Squid 3.5.23 running on Debian Stretch, recompiled from the deb source and configured as a transparent proxy. I changed the configuration in order to allow SSL proxying and it seems to be running OK when I install the generated Squid certificate as a trusted root authority. Facebook, Google, Kernel.org and most other HTTPS sites pass through OK, and the browser correctly thinks those sites’ certificate authority is the proxy’s. Now, SOME sites give me a certificate warning and then an error if I accept it as an exception.
https://elpais.com ->
The following error was encountered while trying to retrieve the URL: https://2.16.189.72/*
Failed to establish a secure connection to 2.16.189.72
The system returned:
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
https://wiki.squid-cache.org/ (Now that is ironic) ->
The following error was encountered while trying to retrieve the URL: https://master.squid-cache.org/*
Failed to establish a secure connection to 104.130.201.120
The system returned:
(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
I generated the certificate with the following commands:
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509
-keyout mycompany.pem -out mycompany.pem
openssl x509 -in mycompany.pem -outform DER -out mycompany.der
/usr/lib/squid/ssl_crtd -c -s /etc/squid/certs/ssl_db -M 4MB
chown -R proxy.proxy ssl_db
Clues?
Topic: Proxy server error (Read 9653 times)
Dear all,
we are using a Proxy server , some website can’t be loaded even I added them to the white list the error keeps showing up.
we are running a Squid version 3.5.25 and https proxy
The following error was encountered while trying to retrieve the URL: https://192.116.242.10/*
Failed to establish a secure connection to 192.116.242.10
The system returned:
(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
Can you please advise what to do to get this fixed ?
« Last Edit: June 21, 2017, 03:05:29 pm by Julien »
Logged
An intelligent man is sometimes forced to be drunk to spend time with his fool.
Any one ?
we have the SSL proxy off until someone can point me to the right directions.
Logged
An intelligent man is sometimes forced to be drunk to spend time with his fool.
You should check the TLS settings and library (for example OpenSSL, GNUTLS) versions of the server. Your browser should tell you which version is used if you don’t use the proxy.
Logged
You should check the TLS settings and library (for example OpenSSL, GNUTLS) versions of the server. Your browser should tell you which version is used if you don’t use the proxy.
thank you for your answer
Can you please advise where exactly to check ?
much appreciate your support.
the errors now is
The following error was encountered while trying to retrieve the URL: https://195.8.209.120/*
Failed to establish a secure connection to 195.8.209.120
The system returned:
(92) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
Logged
An intelligent man is sometimes forced to be drunk to spend time with his fool.
You should check the web server for the supported ciphers and TLS versions. If you navigate to it without the proxy, you can get into the menu showing it by clicking the lock icon in the address bar, then click «>» and click «more information». The should be some info under technical details. (Note: This explanation is Firefox only)
Logged
You should check the web server for the supported ciphers and TLS versions. If you navigate to it without the proxy, you can get into the menu showing it by clicking the lock icon in the address bar, then click «>» and click «more information». The should be some info under technical details. (Note: This explanation is Firefox only)
the situation is happening with a lot of websites not only one.
I check them using TLS SSL but can’t seem to troubleshoot the errors,
the only solutions now is to disable the proxy SSL until I can find a proper solution.
am I the only one with this error using the proxy server ?
Logged
An intelligent man is sometimes forced to be drunk to spend time with his fool.
Not able to see the localhost https page properly in chrome . It says :
**This site can’t provide a secure connection**
localhost sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR
I tried -deleting domain localhost from — chrome://net-internals/#hsts
But not helped.
asked Jan 3, 2018 at 11:21
3
Instead of
localhost:8000
Write
http://localhost:8000/
Note: replace 8000 with your port number
answered Jul 14, 2020 at 15:29
Gabriel ArghireGabriel Arghire
1,7031 gold badge16 silver badges33 bronze badges
0
Go to chrome://net-internals in the Chrome and switch to the Domain Security Policy tab.
In the «Delete domain security policies» section at the bottom, write «localhost» in Domain field and press the «Delete» button.
Note, this is a temporary fix.
answered Feb 18, 2022 at 19:24
MehmetMehmet
3062 silver badges5 bronze badges
1
Try clearing your website data and cache from chrome. Old htaccess files can cause problems on localhost.
answered May 29, 2019 at 22:52
tomstan11tomstan11
9376 silver badges9 bronze badges
2
If you’re using Visual Studio
Then go to project properties => enable SSL as True and select the SSL URL with port number
Showed as per the properties
answered Sep 25, 2018 at 21:00
Arun EArun E
611 silver badge4 bronze badges
1
Changing https to http worked for me.
answered Nov 20, 2020 at 16:13
vvlnvvvlnv
3843 silver badges9 bronze badges
answered Feb 1, 2022 at 21:56
mattybmattyb
9212 gold badges9 silver badges25 bronze badges
- I cleared Google Cache on Chrome://settings/privacy
- Instead of using the ‘https://localhost:4200’ or ‘http://localhost:4200’, I just used ‘localhost:4200’ and that worked well.
answered May 12, 2021 at 15:14
0
In my case, my antivirus was the culprit. Somehow the site was considered unsafe and it replaced the response with the ‘website blocked’ page of the antivirus application. This information, however, was not sent with TLS so the browser interpreted that as an ERR_SSL_PROTOCOL_ERROR
answered May 16, 2018 at 10:37
KlausKlaus
211 bronze badge
If for any reason your localhost keep being redirected to https this answer might help you.
- Change https to http (But do not hit enter)
- Click and hold the reload icon
- Choose the 3rd option Empty Cache and Hard Reload
answered Nov 2, 2022 at 21:54
crgcrg
3,9862 gold badges28 silver badges52 bronze badges
Instead of
localhost:8000
Replace
127.0.0.1:8000
you try to use the local port number
answered Nov 17, 2022 at 11:08
I solved my case with Justice Bringer’s solution, but additionally I had to add a correction to a code on the front that redirects http to https.
if (window.location.protocol !== '4200') {
forceHttps();
};
// force-to-https.js v1
function forceToHttps() {
if (location.protocol == 'http:') {
var linkHttps = location.href.replace('http', 'https');
// via location
window.location.protocol = 'https:';
window.location.href = linkHttps;
// via click
var a = document.createElement('a');
a.setAttribute('href', linkHttps);
a.setAttribute('style', 'display: none !important;');
a.click();
// reinforce
setInterval(function() {
window.location.href = linkHttps;
a.click();
}, 3500);
// via meta
var meta = document.createElement('meta');
meta.setAttribute('content', '0;URL=' + linkHttps);
meta.setAttribute('http-equiv', 'refresh');
(document.head || document.getElementsByTagName('head')[0]).append(meta);
};
};
answered Aug 18, 2020 at 13:21
Luis LoboLuis Lobo
4394 silver badges7 bronze badges
chrome://flags -> https and then set it to enable
works to me
Tyler2P
2,28118 gold badges23 silver badges29 bronze badges
answered May 18, 2022 at 23:18
1