@@ -946,3 +946,222 @@ Warning: I wish NOT to receive e-mail advertising to this address.
946946Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
947947I wonder how much deeper the ocean would be without sponges.
948948
949+ From yves.martin at elca.ch Thu Dec 18 14:39:43 2025
950+ From: yves.martin at elca.ch (Yves MARTIN)
951+ Date: Thu, 18 Dec 2025 14:39:43 +0000
952+ Subject: [squid-users] How to do transparent rewrite with https requests?
953+ In-Reply-To: <GVAP278MB000597CE77AB7A15B49DE4F8EE64A@GVAP278MB0005.CHEP278.PROD.OUTLOOK.COM>
954+ References: <GVAP278MB000597CE77AB7A15B49DE4F8EE64A@GVAP278MB0005.CHEP278.PROD.OUTLOOK.COM>
955+ Message-ID: <GVAP278MB0005AFBC6F08E5F2EFC4F20DEEA8A@GVAP278MB0005.CHEP278.PROD.OUTLOOK.COM>
956+
957+ Hello,
958+
959+
960+
961+ Thanks to your answer Alex,
962+ https://ml-archives.squid-cache.org/squid-users/2025-May/027560.html
963+
964+ our team is running a Squid with HTTPS transparent interception and requests
965+ rewrite to cache services since months.
966+
967+
968+
969+ With recent OpenSSL v3 introduction in distributions like Debian 13, Python
970+ 3 requests or httpx modules (and probably soon more https client) now
971+ complains about missing AKID in squid mimic certificate with [SSL:
972+ CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority Key
973+ Identifier.
974+
975+
976+
977+ We are investigating by adding logging to src/ssl/gadgets.cc and probably
978+ the ssl_bump sequence configured (step1/bump step2/stare step3/bump)
979+ prevents certificate generation to include these extensions.
980+
981+
982+
983+ Does this hypothesis sound plausible?
984+
985+ Is there a way to work-around this new issue thanks to configuration, or
986+ patching?
987+
988+
989+
990+ Thank you in advance for your help
991+
992+ Best regards,
993+
994+ Yves
995+
996+
997+
998+
999+
1000+ From: Yves MARTIN
1001+ Sent: Tuesday, May 27, 2025 4:37 PM
1002+ To: squid-users at lists.squid-cache.org
1003+ Subject: How to do transparent rewrite with https requests?
1004+
1005+
1006+
1007+ Hello,
1008+
1009+
1010+
1011+ My team expects to transparently rewrite requests through squid, replacing
1012+ original URL/hostname by another target URL/host.
1013+
1014+
1015+
1016+ Main objective is to redirect original HTTPS requests triggered by "docker
1017+ pull alpine" to a local mirrored registry without obvious information in
1018+ user client that the obtained image comes from mirror: original image
1019+ location is preserved, no specific proxy or mirror configuration in docker
1020+ client/daemon to set.
1021+
1022+
1023+
1024+ To do so, we have used squid-urlrewrite and it works well for HTTP request,
1025+ even if rewrite targets HTTPS URL.
1026+
1027+ But when original request is HTTPS, connection still goes to original
1028+ URL/hostname IP address
1029+ https://github.com/rchunping/squid-urlrewrite/issues/3
1030+
1031+ According to debug logs, the original request hostname is resolved to IP
1032+ early and kept in internal context after squid-urlrewrite is invoked.
1033+
1034+
1035+
1036+ Do you have recommendations how to implement such a rewrite? Any idea how to
1037+ improve/fix current squid behavior?
1038+
1039+
1040+
1041+ Thank you in advance for your help
1042+
1043+ Best regards,
1044+
1045+ Yves
1046+
1047+
1048+
1049+ -------------- next part --------------
1050+ An HTML attachment was scrubbed...
1051+ URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20251218/958ba867/attachment.htm>
1052+ -------------- next part --------------
1053+ A non-text attachment was scrubbed...
1054+ Name: smime.p7s
1055+ Type: application/pkcs7-signature
1056+ Size: 6737 bytes
1057+ Desc: not available
1058+ URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20251218/958ba867/attachment.bin>
1059+
1060+ From rousskov at measurement-factory.com Thu Dec 18 16:36:38 2025
1061+ From: rousskov at measurement-factory.com (Alex Rousskov)
1062+ Date: Thu, 18 Dec 2025 11:36:38 -0500
1063+ Subject: [squid-users] How to do transparent rewrite with https requests?
1064+ In-Reply-To: <GVAP278MB0005AFBC6F08E5F2EFC4F20DEEA8A@GVAP278MB0005.CHEP278.PROD.OUTLOOK.COM>
1065+ References: <GVAP278MB000597CE77AB7A15B49DE4F8EE64A@GVAP278MB0005.CHEP278.PROD.OUTLOOK.COM>
1066+ <GVAP278MB0005AFBC6F08E5F2EFC4F20DEEA8A@GVAP278MB0005.CHEP278.PROD.OUTLOOK.COM>
1067+ 1068+
1069+ On 2025-12-18 09:39, Yves MARTIN wrote:
1070+
1071+ > our team is running a Squid with HTTPS transparent interception and
1072+ > requests rewrite to cache services since months.
1073+ >
1074+ > With recent OpenSSL v3 introduction in distributions like Debian 13,
1075+ > Python 3 requests or httpx modules (and probably soon more https client)
1076+ > now complains about missing AKID in squid mimic certificate with [SSL:
1077+ > CERTIFICATE_VERIFY_FAILED] certificate verify failed: Missing Authority
1078+ > Key Identifier.
1079+ >
1080+ > We are investigating by adding logging to src/ssl/gadgets.cc and
1081+ > probably the ssl_bump sequence configured (step1/bump step2/stare
1082+ > step3/bump) prevents certificate generation to include these extensions.
1083+ >
1084+ > Does this hypothesis sound plausible?
1085+
1086+ AFAICT, your ssl_bump configuration (i.e. "step1/bump step2/stare
1087+ step3/bump") contains unreachable rules; your Squid does not do what you
1088+ think it does. I tried to explain below, but for more information about
1089+ ssl_bump processing, please see
1090+ https://wiki.squid-cache.org/Features/SslPeekAndSplice
1091+
1092+
1093+ Bugs notwithstanding, when dealing with a successful transaction, the
1094+ following configuration should _prevent_ Squid from mimicking any server
1095+ certificate properties because, in this particular case, Squid should
1096+ generate a fake server certificate _before_ talking to the server:
1097+
1098+ ssl_bump bump step1
1099+ # game over: the "bump" action is final and
1100+ # other ssl_bump rules/steps should be ignored
1101+
1102+
1103+ > Is there a way to work-around this new issue thanks to configuration, or
1104+ > patching?
1105+
1106+ For the fake certificate to mimic the server certificate, including
1107+ server certificate AKID property, Squid must see the server certificate
1108+ before generating the fake certificate. To see the server certificate
1109+ before generating the fake certificate, Squid must not bump the client
1110+ at step1 or step2; Squid must proceed all the way to step3 where Squid
1111+ receives server certificate.
1112+
1113+ Bugs notwithstanding, the corresponding configuration is:
1114+
1115+ ssl_bump stare all
1116+
1117+ ... which may be spelled out as ...
1118+
1119+ ssl_bump stare step1
1120+ ssl_bump stare step2
1121+ ssl_bump bump step3
1122+
1123+
1124+ That configuration (both succinct and spelled out variants) may be
1125+ incompatible with your other needs (as hinted in the exchange quoted
1126+ below). Pick your poison.
1127+
1128+
1129+ HTH,
1130+
1131+ Alex.
1132+
1133+
1134+ > On 2025-05-27 12:19, Alex Rousskov wrote:
1135+ >> On 2025-05-27 10:37, Yves MARTIN wrote:
1136+ >>
1137+ >>> My team expects to transparently rewrite requests through squid,
1138+ >>> replacing original URL/hostname by another target URL/host.
1139+ >>>
1140+ >>> Main objective is to redirect original HTTPS requests triggered by
1141+ >>> ?docker pull alpine? to a local mirrored registry without obvious
1142+ >>> information in user client that the obtained image comes from mirror:
1143+ >>> original image location is preserved, no specific proxy or mirror
1144+ >>> configuration in docker client/daemon to set.
1145+ >>>
1146+ >>> To do so, we have used squid-urlrewrite and it works well for HTTP
1147+ >>> request, even if rewrite targets HTTPS URL.
1148+ >>>
1149+ >>> But when original request is HTTPS, connection still goes to original
1150+ >>> URL/hostname IP address
1151+ >>> https://github.com/rchunping/squid-urlrewrite/issues/3
1152+ >>> According to debug logs, the original request hostname is resolved to
1153+ >>> IP early and kept in internal context after squid-urlrewrite is invoked.
1154+ >>
1155+ >> In most cases, when bumping connections from a TLS client to Squid and
1156+ >> from Squid to TLS server, Squid "pins" (i.e. remembers) the
1157+ >> Squid-to-server connection and then (re)uses that pinned connection for
1158+ >> all requests received on the client-to-Squid connection.
1159+ >>
1160+ >> I have not checked, but speculate that rewriting request target does not
1161+ >> trigger opening a new Squid-to-server TLS connection and re-pinning.
1162+ >>
1163+ >> IIRC, a Squid that is configured to bump during SslBump step1 does not
1164+ >> pin. Such a configuration is rarely usable on a modern internet, but YMMV.
1165+
1166+
1167+
0 commit comments