OpenSSL update possibly breaks transparent proxy to Gmail?


(Charlie Lehardy) #1

This is a bit weird and perhaps far-fetched, so apologies in advance. I’m trying to track down a problem where a few of my clients have been unable to access Google at https addresses since the OpenSSL update was applied on June 16. The only way I have been able to restore access to those clients has been to turn off transparent proxy in NethServer. Creating a host-without-proxy exception didn’t work. Most clients are unaffected. No problems were experienced before the update. Other https connections work fine. Weird, as I said. Will gladly listen to any wild and crazy theories.


(Artem Fedai) #2

Sorry for my stupid question, WHY do U use a proxy in the 21st century? TC would be enough to speed-limit people! And Layer7 proto to close BitTorrent!


(Charlie Lehardy) #3

Excellent question, Artem. Not for bandwidth speed limits or traffic shaping, but for content filtering. If you want to filter web content (and I must), the easiest way is to divert web traffic through a proxy server in NethServer before sending it to the Internet.


(Filippo Carletti) #4

Transparent SSL proxy? I’ve seen something similar in the past. When Chrome didn’t work, Firefox did. Could you try to add an exception to /etc/squid/acls/ssl_bypass.acl?


(Charlie Lehardy) #5

It looks like adding the exception made IE work again. Firefox worked all along. Chrome doesn’t work at all when going to https. Message at the bottom says it’s waiting for the proxy tunnel.


(Artem Fedai) #6

Use L7 proto, it has an opportunity to filter web phrases!


(Artem Fedai) #7

And dnsmasq could block ADS


(Charlie Lehardy) #8

Does anyone still use L7 in the 21st century? :slight_smile:


(Artem Fedai) #9

yep, coz how to fully block torrent?


(Artem Fedai) #10

Use OpenDNS!

OpenDNS Settings
After you sign up, you can go to the page called Web Content Filtering and check the boxes for the categories you would like to filter. I have the following checkmarks on:

Academic Fraud, Gambling, Humor, Lingerie/Bikini, P2P/File Sharing, Sexuality, Sports, Web Spam, Adult Themes, Anime/Manga/Webcomic, Games, Movies, Proxy/Anonymizer, Visual search engines, Adware, Dating, Nudity, Pornography


(Stefano) #11

I disagree… I don’t want to delegate to anyone my navigation/traffic filtering

L7 can stop apps like torrent and P2P
proxy can filter traffic using my personal rules
bandwidth control is used to optimize traffic

different tools with different aims

finally, I won’t use proxy on https sites…


(Charlie Lehardy) #12

I appreciate your good ideas, Artem, but we’re getting a bit off topic. Yes, OpenDNS works great, but NethServer has filtering built in, so for me it seems better to have everything I need in one package.

Stefano, I don’t want to filter https, and none of the options to filter SSL are checked in the proxy module. Yet, Chrome https requests are failing with a message that says it is waiting for the proxy tunnel, and in the Chrome network logs I can see that it is connecting through port 3128, which is the proxy. I need to look at my Firefox logs to see if the same thing is happening. It comes down to this: when the proxy is on, Chrome https requests die, Firefox https requests go through. This issue began 3 days ago, and there were no Chrome updates, but one OpenSSL update on NethServer. There might be a connection, but I’m not sure yet what it is.


(Filippo Carletti) #13

Run

tail -f /var/log/squid/access.log

and use chrome, see what gets logged.


(Charlie Lehardy) #14

Filippo: What I see are a number of 503 errors when trying to access *.google.com:443

For example:

1434734399.295 60177 10.3.0.x TCP_MISS/503 0 CONNECT accounts.google.com:443 - HIER_NONE/- -
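One way to turn that log into something actionable, as an added example that is not from this thread or from NethServer: a small parser for Squid's native access.log format that groups failed CONNECT tunnels (4xx/5xx) by destination host and by client, so you can see which hosts are candidates for an ssl_bypass.acl exception. The sample lines are constructed around the 503 entry quoted above; client addresses and the successful entries are made up.

```python
import re
from collections import Counter, defaultdict

# Squid native access.log fields (space separated):
# time elapsed client result/status bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample, modelled on the TCP_MISS/503 line quoted in the thread.
SAMPLE_LOG = """\
1434734399.295  60177 10.3.0.21 TCP_MISS/503 0 CONNECT accounts.google.com:443 - HIER_NONE/- -
1434734400.102  60011 10.3.0.21 TCP_MISS/503 0 CONNECT mail.google.com:443 - HIER_NONE/- -
1434734401.510    215 10.3.0.22 TCP_TUNNEL/200 5120 CONNECT accounts.google.com:443 - HIER_DIRECT/216.58.0.1 -
1434734402.004  60090 10.3.0.23 TCP_MISS/503 0 CONNECT accounts.google.com:443 - HIER_NONE/- -
1434734403.330     87 10.3.0.21 TCP_MISS/200 1432 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1434734404.120    140 10.3.0.21 TCP_TUNNEL/200 2048 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
this line is not in squid native format
"""

def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["elapsed"] = int(rec["elapsed"])
    return rec

def failed_tunnels(lines, threshold=2):
    """Group failed CONNECT (HTTPS tunnel) requests by destination host.

    A CONNECT that ends in 4xx/5xx never became a tunnel, which is what the
    browser reports as 'waiting for the proxy tunnel'. Returns
    {host: (failure_count, sorted clients)} for hosts failing at least
    `threshold` times, so one-off errors do not hide the real pattern."""
    fails = Counter()
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT" or rec["status"] < 400:
            continue
        host = rec["url"].rsplit(":", 1)[0]  # drop the :443 port suffix
        fails[host] += 1
        clients[host].add(rec["client"])
    return {h: (n, sorted(clients[h])) for h, n in fails.items() if n >= threshold}

if __name__ == "__main__":
    for host, (n, who) in failed_tunnels(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {n} failed tunnels from {', '.join(who)}")
```

Feed it the real file with `failed_tunnels(open("/var/log/squid/access.log"))` and compare the listed hosts against what is already in ssl_bypass.acl.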


(Artem Fedai) #15

U right, Chrome does not work before he sends some info to Google, and some of this info could not pass through Squid! Use German version of Chrome, they throw out garbage from Chrome!
http://www.srware.net/en/software_srware_iron.php
or U should recompile OpenSSL :frowning: or update Squid from another REPO


(Stefano) #16

not an option, on a server


(Artem Fedai) #17

Why? Either downgrade OpenSSL, or make some custom template config in /etc/e-smith for the option in Squid


(Stefano) #18

downgrading OpenSSL is not an option (bugs)

if the issue is resolvable with a custom configuration of Squid, this is the way to go.

we’re talking about an enterprise-class server distribution… security and stability come before clients


(Artem Fedai) #19

For stability and so on use Gentoo :slight_smile: there are a lot of old modules but no bugs :slight_smile: if U are going to produce enterprise u should keep all system modules up to date for proper work… So let’s see config files first, then make some decisions!


(Artem Fedai) #20

Squid shows TCP_MISS/503 in the Squid log file (/var/log/squid/access.log). This means permission is denied for the request made by the client.

check in squid.conf:

acl Safe_ports port 443

Show output of command: squid -v