Squid proxy "Connection reset" on HTTPS sites


I'm using a Linode and Squid3 as proxy, but can't get it to work with https sites. It's working over http, but when I try to visit a site that has https, say https://google.com/, I just get a:

The connection was reset
The connection to the server was reset while the page was loading.

Update: It appears that I'm only having these issues on my home network. Trying by sharing to my phone and on another network (on a different ISP) it works. Not really sure how to debug that. Check the router? Can the ISP block proxy traffic? (Seems nuts)

I'm using Ubuntu 12.10, and was initially using the squid3 installed with apt-get install squid3. squid -v showed:

Squid Cache: Version 3.1.20
configure options:  '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' --with-squid=/build/buildd/squid3-3.1.20

In my attempts at solving these issues I noted that squid3 wasn't compiled with --enable-ssl. So I built from source with --enable-ssl, and now squid3 -v shows:

Squid Cache: Version 3.1.20
configure options:  '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--enable-ssl' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-open-ssl=/etc/ssl/openssl.cnf' '--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' --with-squid=/root/squid3-3.1.20

And I still get the same error. My config file looks like this:

via off
forwarded_for delete
follow_x_forwarded_for deny all
acl SSL method CONNECT
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwd
acl theUser proxy_auth myuser
http_access allow theUser
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 1153
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .       0   20% 4320
cache_effective_user proxy
cache_effective_group proxy
https_port 1153 cert=/etc/squid3/ssl/squid.crt key=/etc/squid3/ssl/squid.key vhost

I have played around with the https_port number, and all ports are open, as I can telnet <IP> 1153, and get a connection.

I'm not really sure what to try or do. I just want to be able to visit https/ssl sites with the proxy. Do I need other modules or is this a config issue? I don't need any caching or anything, as this is just a plain browser proxy setup.

Here are the proxy settings in Firefox: [screenshot: Firefox proxy settings]

ErikPerik

Posted 2013-01-05T12:05:49.860

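Squid checks http_access lines top to bottom and applies the first one that matches, so in the config above "http_access allow theUser" is reached before the Safe_ports and CONNECT checks. As an added example (not from the post), a small Python model of that first-match evaluation runs constructed requests against the posted order and against a reordered one; it is a simplified model of Squid's ACL matching, not Squid's own code.

```python
# Added example: first-match model of the http_access rules in the posted
# squid.conf. Squid applies the first matching rule; if none matches, the
# opposite of the last rule's action applies. Requests below are constructed.

SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}


def acl_matches(acl, req):
    """True if the named ACL from the posted config matches the request dict."""
    if acl == "theUser":                       # acl theUser proxy_auth myuser
        return req.get("user") == "myuser"
    if acl == "localhost":                     # acl localhost src 127.0.0.1/32 ::1
        return req["src"] in ("127.0.0.1", "::1")
    if acl in ("SSL", "CONNECT"):              # both are 'method CONNECT'
        return req["method"] == "CONNECT"
    if acl == "Safe_ports":
        return req["port"] in SAFE_PORTS
    if acl == "SSL_ports":
        return req["port"] in SSL_PORTS
    if acl == "manager":                       # acl manager proto cache_object
        return req.get("proto") == "cache_object"
    if acl == "all":
        return True
    raise ValueError(f"unknown acl {acl}")


def evaluate(rules, req):
    """rules: list of (action, [acl, ...]); an ACL prefixed with '!' is negated."""
    for action, acls in rules:
        # a rule matches only when every ACL on the line matches (negation honoured)
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"   # default: opposite of last


# The order from the posted squid.conf: the user allow comes first.
POSTED = [
    ("allow", ["theUser"]),
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]
# Same rules with the port and CONNECT checks moved ahead of the user allow.
REORDERED = POSTED[1:5] + [POSTED[0]] + POSTED[5:]
```

With the posted order an authenticated user can CONNECT to any port (25, for instance); with the reordered rules only port 443 is tunnelled, while https to port 443 works in both.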

Does it work if you comment out the line beginning https_port 1153 (this is for accessing squid over ssl rather than accessing ssl sites, so can be disabled for this test), and use http in the browser proxy settings? – Paul – 2013-01-05T13:05:29.007

I removed the https_port line and I'm still getting the same issue. I have updated the post with a screenshot of Firefox proxy settings. – ErikPerik – 2013-01-05T13:31:14.923

Perhaps switch off the user auth? It looks like it should work, do you have any clues in the squid logs? – Paul – 2013-01-06T02:43:42.263

@Paul I switched off the user auth - nothing different happened. I have checked the access.log and cache.log for squid, and nothing is logged when visiting https sites (which fail). If I visit any other http site lines are added to the access.log. Are there any other logs I can check? – ErikPerik – 2013-01-06T09:48:12.323

Hang on, do you have openssl installed? – Paul – 2013-01-06T10:36:26.940

which openssl returns /usr/bin/openssl. Is that what you mean? – ErikPerik – 2013-01-06T11:02:35.690

Yeah, well I wanted to confirm /etc/ssl/openssl.cnf existed like in the squid -v. Could you try adding debug_options ALL,9 to the conf? – Paul – 2013-01-06T11:13:09.573

I added the debug_options ALL,9 and instantly got more output in cache.log when trying to visit an https site. This is some output I captured from when trying a https site. It was really shooting out output, so it's a lot. https://gist.github.com/742b7320b7055f18304c – ErikPerik – 2013-01-06T11:53:30.430

Yeah, but nothing related to SSL I can see. Let's just confirm ssl is working in general: openssl s_client -connect google.com:443 will do the cert negotiation, and then GET / HTTP/1.0 to get the first page. – Paul – 2013-01-06T20:43:20.863

Running that returned the HTML for google.com. I noticed today that I'm only having problems when I'm on my home network. Trying the proxy from my phone internet, and it works, and trying from another apartment and it works. So it has to be something with my router or ISP. Have updated post with info. – ErikPerik – 2013-01-06T20:50:11.210

Answers


As this proxy server is external to the network you are testing from, it seems likely your ISP (more likely) or router is blocking any traffic that contains the CONNECT directive, which is what you need for an SSL session via a proxy.

If you connect to the proxy using SSL (putting that https_port line back), then they wouldn't see the contents of the session and so wouldn't see the CONNECT.

Connecting to a proxy server over https is difficult however. One approach would be to establish a VPN or SSL tunnel to the proxy server and access the proxy over the tunnel, avoiding the need to get https proxying working. This would also serve as a good test to confirm that it is your ISP causing the disconnect. You can do this using ssh:

ssh -L1153:127.0.0.1:1153 proxy

Then set your browser proxy server to 127.0.0.1 and port 1153. Any traffic sent to the local port 1153 will get sent down the ssh tunnel to port 1153 on the proxy.

There are ways to access a proxy server over ssl; there is an extension for Firefox. There are also a couple of ways to do this with Chrome, either run it using:

chrome --proxy-server=https://proxy:1153

Or use a proxy auto config script that has an https proxy defined:

function FindProxyForURL(url, host) { return "HTTPS proxy:1153"; }

You can use the same trick as in the comments to make sure the squid ssl certs are ok:

openssl s_client -connect proxy:1153

Paul

Posted 2013-01-05T12:05:49.860

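To tell a reset that happens before the proxy ever answers (consistent with nothing appearing in access.log) from a refusal by Squid itself, the following added example (not part of the answer) sends the same CONNECT a browser would send through the proxy and classifies what comes back; the proxy host name and password are placeholders, port 1153 is the http_port from the posted config.

```python
# Added example: probe an HTTP proxy with a raw CONNECT and classify the outcome.
# Placeholder values: proxy.example and PASSWORD-PLACEHOLDER; port 1153 is from
# the posted squid.conf.
import base64
import socket


def build_connect(target_host, target_port, proxy_auth=None):
    """Build the CONNECT request a browser sends to an HTTP proxy for an https site."""
    lines = [f"CONNECT {target_host}:{target_port} HTTP/1.1",
             f"Host: {target_host}:{target_port}"]
    if proxy_auth:  # "user:password" for Squid's basic auth (ncsa_auth)
        token = base64.b64encode(proxy_auth.encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_status(reply):
    """Return the status code from the proxy's first reply line, or None if not HTTP."""
    line = reply.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def classify(reply=b"", error=None):
    """Map what the client observed to a short diagnosis."""
    if isinstance(error, ConnectionResetError):
        return "reset before any reply: the proxy never answered the CONNECT"
    if error is not None:
        return f"connection error: {error}"
    code = parse_status(reply)
    if code is None:
        return "no HTTP status line from proxy"
    if code == 200:
        return "proxy accepted CONNECT: tunnel established"
    if code == 407:
        return "proxy wants authentication (check ncsa_auth credentials)"
    return f"proxy refused CONNECT with status {code} (check http_access rules)"


def probe(proxy_host, proxy_port, target_host="google.com", target_port=443, auth=None):
    """Send one CONNECT through the proxy and classify the outcome."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=10) as s:
            s.sendall(build_connect(target_host, target_port, auth))
            return classify(reply=s.recv(1024))
    except OSError as e:
        return classify(error=e)


if __name__ == "__main__":
    print(probe("proxy.example", 1153, auth="myuser:PASSWORD-PLACEHOLDER"))
```

Run it once directly against the proxy and once with the browser-style ssh tunnel (127.0.0.1:1153); a reset only on the direct path points at something between the client and the proxy.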

So I opened the tunnel, ssh -L1153:127.0.0.1:1153 proxyip, and set proxy to 127.0.0.1 and 1153, but still got the same result. Connection reset when visiting https sites. What could this indicate? Could it still be the ISP or router? – ErikPerik – 2013-01-08T18:28:32.920

Unfortunately no, the traffic is encrypted using this method. Do you get the same thing with other devices on the same network? – Paul – 2013-01-08T20:34:34.897

I used the http proxy on my iPhone connected to the same wifi, and had the same problem. This is just getting weird. – ErikPerik – 2013-01-09T19:56:06.330

Am I right in my understanding that the proxy server is not on the network we are talking about, it is external somewhere? Is there any reference to this network's IP range in the squid.conf? – Paul – 2013-01-09T20:39:24.333

Yes, the proxy server is a linode located in the US. No, I haven't added anything regarding the network's IP in the squid.conf. Do you mean the proxy server's IP or my home network's IP? – ErikPerik – 2013-01-10T11:26:00.337

It is weird, because if you are correctly tunnelling (in the ssh test), squid sees you as coming from localhost; if you are incorrectly tunnelling, then it sees you coming from your public IP. Do you have iptables running on this box as well? – Paul – 2013-01-10T12:08:29.000