Squid3 Proxy Server ssl-bump blocking Web Socket connections - squid

I have just set up Squid Server 3.5.26 on Ubuntu 16.04.2 LTS configured with SSL-bump. HTTP and HTTPS are working fine, but any web service that requires WebSockets fails, for example, a speed test.
I have added the following lines to my squid configuration in an attempt to force a direct connection and prevent SSL caching for web socket connections.
#Temporarily allow all connections for debugging
http_access allow all
acl bump-bypass dstdomain 192.168.0.245 .speedtest.net
# URLs containing ws (most web socket URLs do)
acl ssl-web-sockets SSL::server_name_regex \/ws
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice bump-bypass ssl-web-sockets tcp-web-sockets
#I read that there was a bug in bump that required an explicit !
#for splice to work for web sockets
ssl_bump bump !ssl-web-sockets all
#just bump all doesn't work either
#ssl_bump bump all
If I disable ssl-bump and don't decrypt encrypted traffic everything works fine.
How can I configure squid to allow direct web socket connection?
Update
Updated to Squid Server 4.0.21 and added to config
on_unsupported_protocol tunnel all
The documentation says this should allow TCP tunnel connections
Sadly this did not fix the issue either, still getting Web socket error
Connection closed before receiving a handshake response
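The `ssl::server_name_regex` ACL used in the configuration above is evaluated against the server name Squid learns from the peeked TLS ClientHello, i.e. the SNI host name, so the regex only ever sees a hostname. The following parser is an added example (not part of the question or of Squid): it builds a constructed ClientHello for a given hostname, extracts the SNI the way a peeking proxy would, and checks which patterns could match it. A path-style pattern such as `\/ws` cannot match a hostname, while a domain pattern can.

```python
"""Added example: build a minimal TLS ClientHello and extract its SNI host name.

The ClientHello is constructed for this demo (zeroed random, one cipher suite);
real clients send many more extensions, but the SNI layout is the same.
"""
import re
import struct


def build_client_hello(server_name=None):
    """Return a TLS record containing a ClientHello; omit SNI when server_name is None."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        # server_name extension: list length, name type 0 (host_name), name length, name
        sni_entry = struct.pack("!BH", 0, len(host)) + host
        sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
        extension = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
        extensions = struct.pack("!H", len(extension)) + extension
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (constructed, all zeros)
        + b"\x00"                # session id length 0
        + b"\x00\x02\xc0\x2f"    # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:          # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression methods
    if len(body) < pos + 2:                           # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0 and len(ext_data) >= 5:
            name_type = ext_data[2]
            name_len = struct.unpack("!H", ext_data[3:5])[0]
            if name_type == 0 and len(ext_data) >= 5 + name_len:
                return ext_data[5:5 + name_len].decode("ascii", "replace")
    return None


def pattern_matches_sni(record, pattern):
    """True if a server_name_regex-style pattern would match the SNI of this ClientHello."""
    sni = extract_sni(record)
    return sni is not None and re.search(pattern, sni) is not None


if __name__ == "__main__":
    hello = build_client_hello("www.speedtest.net")
    print("SNI:", extract_sni(hello))
    print(r"\/ws matches:", pattern_matches_sni(hello, r"\/ws"))
    print(r"\.speedtest\.net$ matches:", pattern_matches_sni(hello, r"\.speedtest\.net$"))
```

Because the peek step can only read the ClientHello, a client that sends no SNI at all gives the ACL nothing to match, and the decision then falls through to the later `ssl_bump` rules.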

Related

Trouble making http request from lighttpd server to pm2 server

Background:
I have my personal website running on a lighttpd server on my raspberry pi. I have that server’s port (80) forwarded so it can be accessed publicly.
I'm in the process of making a project, and I want a node.js service to make requests to from the lighttpd server. I set up pm2 so the node.js server is always running. I have that port forwarded too (5000). I've verified that this server is working via Postman and the browser.
Problem:
I'm receiving the following error when making requests:
has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space private.
Of note: I have Access-Control-Allow-Private-Network: true in the response header and Access-Control-Request-Private-Network: true in the request header. The only other solution I've found that might fix this is getting an SSL cert for the lighttpd server and using HTTPS for it; however, I'm struggling to set that up to see if it would work.
Questions:
Would getting an SSL cert for lighttpd allow me to make requests to my pm2 server?
Is there a different solution?
How secure is this setup? I don't expect a lot of traffic...

Can I use a reverse proxy for direct database connection?

Is it possible to set up a reverse proxy that would allow a database client to use an SSL port 443 connection and redirect to port 1521? I suspect it would not work. Can someone explain why or why not?
I'm assuming Oracle database based on port 1521.
There is no problem setting up Nginx TCP (L4) proxy for any TCP backend. Look here https://www.nginx.com/blog/tcp-load-balancing-udp-load-balancing-nginx-tips-tricks/ for example configuration.
When it comes to terminating SSL (L5) and sending decrypted data to a TCP backend, it's also technically possible with ngx_stream_ssl_module, but I have never tested it, and from what I can read people have problems setting this up for PostgreSQL:
http://nginx.org/en/docs/stream/ngx_stream_ssl_module.html
Can nginx do TCP load balance with SSL termination
I have never seen Nginx set up as a proxy for databases. Instead, connection poolers (e.g. pgbouncer for PostgreSQL) are often used not only for pooling but also as an SSL offloading service. They are in fact L7 proxies for databases.
Oracle equivalent for pgbouncer seems to be Oracle Connection Manager and it supports SSL so I'd strongly recommend using it instead of Nginx or any other general purpose reverse proxy server:
https://docs.oracle.com/en/database/oracle/oracle-database/18/netag/configuring-oracle-connection-manager.html#GUID-AF8A511E-9AE6-4F4D-8E58-F28BC53F64E4
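For reference, this is what the untested L5 variant from the answer looks like as an nginx stream block; it is an added example, not configuration from the answer, Oracle, or nginx's documentation. The backend address and certificate paths are placeholders.

```nginx
# Added example: terminate TLS on 443 and forward plain TCP to a database listener on 1521.
# 10.0.0.10 and the /etc/nginx/tls paths are placeholders.
stream {
    upstream db_backend {
        server 10.0.0.10:1521;                      # placeholder database host
    }

    server {
        listen 443 ssl;                             # client speaks TLS to nginx
        ssl_certificate     /etc/nginx/tls/proxy.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/proxy.key;   # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;
        proxy_pass          db_backend;             # cleartext TCP from nginx to the database
    }
}
```

Two caveats follow directly from the block: the hop from nginx to the database is cleartext, so it must stay on a trusted network segment, and the database client has to be configured to start TLS on 443 as its first bytes (for Oracle that is a TCPS address rather than TCP) since nginx only decrypts and relays, it does not speak the database protocol.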

Rethinkdb connection with cloudflare

I am running RethinkDB on a server that sits behind Cloudflare. I cannot make a connection with my server when using my hostname. (I can access other stuff on my server so I am almost sure the problem doesn't lie there.)
I am also able to connect using my ip directly (without adding a cert to the .connect function of rethinkdb client)
I do use Nginx and my client is in java
What I have tried:
Using custom set ports (that were said to be open on Cloudflare)
Trying proxying location to a certain port
Using a cert (RethinkDB client side)
I couldn't find any information about RethinkDB behind Cloudflare, so I am open to any suggestions.
If I need to post more information please ask, I'm not sure what I should share...
This is not a RethinkDB issue. Cloudflare only supports specific ports, as spelled out here:
https://support.cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-Cloudflare-work-with-
80
8080
8880
2052
2082
2086
2095
And all traffic must be HTTP sessions. RethinkDB communicates via raw TCP sockets. You cannot run it behind Cloudflare.

Do HTTPS connections require HTTPS proxies or can I use HTTP proxies?

The question is about HTTP vs HTTPS.
If I want to anonymously load a website that forces HTTPS, like Google.com, do I need HTTPS proxies, or can I get away with HTTP proxies?
If your proxy is SOCKS it will not care what kind of socket is connecting through it. It has its own handshake and it does not care about what happens after the handshake. Whether an SSL handshake (HTTPS) is started after the SOCKS handshake is not the SOCKS proxy's problem; it will just pass it through.
Several HTTP proxies, on the other hand, expect HTTP headers to guide them; such an HTTP proxy will not allow HTTPS since it needs to read the headers.
On the third hand (ekhm... well, foot?), an HTTP proxy that supports HTTP CONNECT can also set up the transfer of arbitrary data. Therefore such a proxy can set up any type of socket, which can have an SSL handshake, which can then be used for HTTPS transfer.
An HTTP proxy server supports the CONNECT verb, which supports HTTPS connections within an HTTP proxy. You don't need a special HTTPS proxy server or any other setup.
The CONNECT verb allows you to create a binary socket tunnel to any given IP:port address. So any HTTP client (all browsers) will open a secure tunnel and communicate securely over the proxy server. However, no one can control or see anything that is going through the tunnel unless they implement a man-in-the-middle attack by sending you self-signed certificates.
Most firewalls these days automatically implement man-in-the-middle self-signed certificates that are deployed on work networks, so you probably have to dig more to identify whether it is really secure or not. So it may not be that anonymous.
If you're trying to access a service anonymously, you won't get this by running your own proxy. It's not clear from the original question what is meant by "proxy", e.g. local service, or remote service. You won't get anonymity by surfing through a proxy that's on your network, unless it's something like a TOR proxy which relays out through the TOR network.
As for whether proxies can support HTTPS or not, that's been covered here; it would be unusual to find a proxy that doesn't support CONNECT. However, if it's a remote anonymizing service you're using, I doubt they would do MitM, since you'd need to install the signing cert into your trusted root store, so they couldn't do that surreptitiously.
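The CONNECT exchange that the answers above describe, as an added example that is not part of any answer and is not Squid or any real proxy: three parties run in-process on localhost, an echo "origin" server, a CONNECT-only proxy, and a client. The proxy records the only thing it learns, the `host:port` from the CONNECT line, and then relays bytes it never inspects; a TLS handshake would ride inside the tunnel in exactly the same way as the constructed payload used here. The proxy's own log is returned so you can see what a non-intercepting proxy can and cannot observe.

```python
"""Added example: an HTTP CONNECT tunnel through a tiny in-process proxy (constructed demo)."""
import socket
import threading


def _relay(src, dst):
    """Copy bytes one way until EOF. The proxy never looks at them."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate EOF to the other side
        except OSError:
            pass


def serve_echo(listener):
    """Stand-in origin server: echoes whatever arrives on one connection."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def serve_connect_proxy(listener, log):
    """Accept one client, honour 'CONNECT host:port', then relay opaque bytes both ways."""
    client, _ = listener.accept()
    with client:
        request = b""
        while b"\r\n\r\n" not in request:
            chunk = client.recv(4096)
            if not chunk:
                return
            request += chunk
        method, target, _version = request.split(b"\r\n", 1)[0].decode().split(" ")
        if method != "CONNECT":
            client.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
            return
        host, port = target.rsplit(":", 1)
        log.append(f"CONNECT {host}:{port}")     # the only thing this proxy learns
        with socket.create_connection((host, int(port))) as upstream:
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            back = threading.Thread(target=_relay, args=(upstream, client))
            back.start()
            _relay(client, upstream)
            back.join()


def connect_through_proxy(proxy_addr, target_host, target_port, payload):
    """Client side: send CONNECT, require a 200, then speak freely through the tunnel."""
    s = socket.create_connection(proxy_addr)
    s.settimeout(5)
    s.sendall(f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
              f"Host: {target_host}:{target_port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = s.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed before replying")
        reply += chunk
    status = reply.split(b"\r\n", 1)[0]
    if not status.startswith(b"HTTP/1.1 200"):
        s.close()
        raise ConnectionError(status.decode())
    s.sendall(payload)            # from here on the proxy sees only opaque bytes
    echoed = s.recv(4096)
    s.close()
    return echoed


def run_demo(payload=b"ping through the tunnel"):
    """Wire the three parties together; returns (bytes echoed back, proxy log)."""
    origin = socket.socket(); origin.bind(("127.0.0.1", 0)); origin.listen(1)
    proxy = socket.socket(); proxy.bind(("127.0.0.1", 0)); proxy.listen(1)
    log = []
    workers = [threading.Thread(target=serve_echo, args=(origin,), daemon=True),
               threading.Thread(target=serve_connect_proxy, args=(proxy, log), daemon=True)]
    for w in workers:
        w.start()
    echoed = connect_through_proxy(proxy.getsockname(), "127.0.0.1", origin.getsockname()[1], payload)
    for w in workers:
        w.join(timeout=5)
    origin.close(); proxy.close()
    return echoed, log


if __name__ == "__main__":
    print(run_demo())
```

The `405` branch is the behaviour the second answer above describes for a header-reading HTTP proxy that has no CONNECT support: without the tunnel, the client cannot even begin a TLS handshake through it.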

Sending http request behind nginx

I am not sure how to formulate my question but here we go:
I have 2 servers, one is the nginx reverse proxy and one is the app server.
In my app server, I am developing a simple HTTP client using the Jersey client that will send a request to another server. I can do this now, but the traffic goes from the app server directly to the destination. Is it possible to do it from the app server so that it passes through the reverse proxy server and goes to the destination?
And, is this design ok or is it an abomination?
An nginx reverse proxy works only for requests from outside your network.
To configure your system to work as you described you have to configure firewall NAT or a caching HTTP proxy like Squid etc.
If you have no reason why your servers should look like a single computer, your configuration is OK.