Open leodexe opened 1 year ago
UPDATE: It seems some ssl_bump actions during certain steps will render the Network Unreachable. These are:
```
# Seems to be OK, but not useful for a functional urlpath_regex. Order matters.
#ssl_bump splice step1
#ssl_bump stare step1
#ssl_bump bump step2
#ssl_bump peek step2
#ssl_bump splice step2
#ssl_bump bump step3
#ssl_bump splice step3
#ssl_bump splice all steps
# OK if left alone, triggers code71 with some other actions
#ssl_bump peek step1 with stare step2
#ssl_bump stare step1 with stare step2
# Always triggers code71 and 114
#ssl_bump stare all
#ssl_bump stare step2
# Always trigger code71 and 114 but urlpath_regex works correctly with https
#ssl_bump bump all
#ssl_bump bump step1
```
The step I need to get urlpath_regex working for https is bump step1, but this renders the network unreachable for the targeted domain. After investigating more I found a workaround that fixes this problem but may create a security risk later.
I will also change the title so it reflects more accurately the issue I'm dealing with.
UPDATE2: I found a workaround to deal with the error code (71) while also being able to bump on step1 and still access a fully functional website:
```
acl g_img urlpath_regex -i ^.*&tbm=isch.*$
acl ddg_l urlpath_regex -i ^\/lite.*$
acl bump_this dstdom_regex -i "/etc/squid/sslbumpers.txt"
acl err71 ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
sslproxy_cert_error allow err71
sslproxy_cert_error deny all
ssl_bump bump bump_this
```
In sslbumpers.txt go the websites I want to get bumped on step1; it doesn't matter whether you specify step1 or not because it ends there anyway. Because g_img (Google) and ddg_l (DuckDuckGo) use a urlpath_regex, they require a step1 bump so the rule can work properly. Doing so will trigger code 71 for these domains, which is a Protocol/SSL Certificate Error as previously described.
The simplest way to "fix" code 71 is to simply allow this error through so you can access the website. But this can impose a security risk, because the proxy will also ignore this error for other sites that aren't bumped on step1. Still, it's the closest thing to fixing it and navigating without any more trouble until a better fix comes around.
Just to recap:
- bump: Required for a fully functional urlpath_regex and other regex patterns; must bump in step1 or it won't work. Causes error code 71, which can be ignored to continue navigation; does not cause other certificate issues.
- peek: Safe to use. Doesn't cause any certificate or connection issues.
- stare: Can cause certificate issues like preventing the certificate from being trusted; it's more problematic than bump.
- splice: Safe to use as it skips the proxy entirely.
- client-first: Has the same properties as bump: same error code and no other certificate issues.
- server-first: Has the same properties as stare, with the same certificate issues; functionally worse than client-first.
- terminate: Just terminates the connection. Not very useful I guess.
I have successfully set up Squid as a filtering proxy, but I have issues when trying to enable SSL Bump. Note that without SSL Bumping, the proxy works and my custom rules work just fine, with the only difference that with SSL Bump enabled it displays the Squid error messages instead of the built-in browser error messages when a connection isn't possible over HTTPS. I followed the steps in this guide to enable SSL Bump, but doing so cuts the internet connection so only the insecure http websites show (example: somesite.org is still accessible), displaying this error message: The system returned: (114) Network is unreachable.
My squid.conf:
Additional info: Sometimes I would get error 71 instead, but I think that's because of my deny all policy. It still does happen on allow all, but it's less likely to appear than err 114. I also used this other guide, because I use Arch Linux and Squid Proxy works there just fine.
I hope with this info I can get some troubleshooting.
OS: Win10x64 22H2
Attached cache.log and access.log from when Err 114 occurs: cache.log access.log
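An added configuration example (an editor's addition, not the reporter's squid.conf and not a fix confirmed by the Squid project) that narrows the workaround above. The reporter's `sslproxy_cert_error allow err71` ignores that error for every destination Squid validates; the variant below allows it only for the domains that are actually bumped, and gives Squid a CA bundle so the issuer lookup that produces X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY can succeed in the first place. The file paths, the explicit `at_step` ACL definitions and the `tls_outgoing_options cafile=` line (Squid 4 syntax) are assumptions; the `bump_this` and `err71` ACLs are the ones from the issue.

```squid
# Added example, not the reporter's configuration. Paths are placeholders.

# Step ACLs, defined explicitly rather than assumed to be predefined.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Domains to decrypt: same list file the issue uses.
acl bump_this dstdom_regex -i "/etc/squid/sslbumpers.txt"

# Trust store for validating upstream server certificates (Squid 4+).
# Error 71 means the issuer certificate was not found locally; with a usable
# CA bundle a publicly trusted chain should validate and the error goes away.
# The path is an assumption; point it at this host's bundle.
tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt

# The single error code the issue hits.
acl err71 ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

# Weak form from the issue, kept for comparison: tolerates err71 for every
# destination, not only the bumped ones.
#sslproxy_cert_error allow err71

# Narrowed form: tolerate err71 only on bumped domains, reject every other
# certificate error everywhere.
sslproxy_cert_error allow err71 bump_this
sslproxy_cert_error deny all

# Bump policy as in the issue: decrypt listed domains at step1, tunnel the rest.
ssl_bump bump bump_this
ssl_bump splice all
```

Two caveats: `sslproxy_cert_error` is evaluated with fast ACLs only, which `dstdom_regex` and `ssl_error` are, so the domain restriction works at that stage; and the step1 bump is kept because the reporter found it necessary for urlpath_regex, even though Squid's own documentation pairs `ssl_bump peek step1` with a later `bump` so the decision can use the real server certificate. If the CA bundle resolves the issuer lookup, the `allow err71` line can be dropped entirely, which is the preferable end state.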