OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: porigromus on May 20, 2019, 09:00:28 pm

Title: Kindle Fire and Samsung Fire TV Transparent Proxy No Bump
Post by: porigromus on May 20, 2019, 09:00:28 pm
I apologize for the number of posts. I have transparent proxy working, and working well, for most clients on my network. I was able to determine "no bump" URLs for the YouTube/Netflix apps on Android phones/tablets.

However, I can't get the YouTube app on Amazon's Kindle Fire and Fire TV working through the transparent proxy. I was able to no bump the Netflix app on these devices. I would like to "no bump" the destination URLs for the YouTube app, which, when launched, gives me a squid error with an IP in the URL instead of an actual domain name, which I thought was strange.

I searched the internet and this forum for possible URL destinations to add to the "no bump" list without any luck. Like I said, the YouTube app is working on the Android phones/tablets but not on Amazon's products.

Is there a way to "no bump" the devices by source address if it comes to that? Anyone able to point me in the right direction on URLs to no bump for the Amazon Kindle Fire/Fire TV apps? Thanks
Title: Re: Kindle Fire and Samsung Fire TV Transparent Proxy No Bump
Post by: porigromus on May 21, 2019, 03:42:09 am
Here is the error message from squid when launching the YouTube app on the Amazon Kindle Fire 5th gen:

error the requested url could not be retrieved
https://108.177.122.139/*

failed to establish a secure connection to 108.177.122.139

The system returned:
(92) protocol error (TLS code SQUID_ERR_SSL_HANDSHAKE)
Handshake with ssl server failed: error: 140920F8:SSL
routines:ssl3_get_server_hello: unknown cipher returned
squid access logs:

1558402364.793 50    192.168.1.10 TAG_NONE/200 0 CONNECT 108.177.122.139:443 - ORIGINAL_DST/108.177.122.139 -
1558402364.707 0    192.168.1.10 TAG_NONE/503 4284 GET https://m.youtube.com/ - HIER_NONE/- text/html
1558402364.524 92    192.168.1.10 TAG_NONE/200 0 CONNECT 108.177.122.139:443 - ORIGINAL_DST/108.177.122.139 -
1558402364.411 92    192.168.1.10 TCP_MISS/301 482 GET http://m.youtube.com/ - ORIGINAL_DST/108.177.122.139 text/html
If I remove the HTTPS proxy or configure SNI only, it works without issue. Also, the Silk browser works with the transparent proxy on without issue; the imported self-signed cert shows as valid.

I have .youtube.com in my no bump list. The YouTube app on my Android device works after adding the no bump sites. I am only having issues with Amazon.

Anyone able to lead me down the right path? If I am unable to get it working, is it possible to "no bump" the src IP of the device?
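The four access.log lines quoted above are in squid's native format, and they already show the two things worth noticing: because the proxy is transparent, the CONNECT that squid synthesizes targets the intercepted destination address rather than a hostname, so at the CONNECT stage the only name available to test a domain-based no-bump entry against is that IP literal; and the 503 is logged as TAG_NONE with HIER_NONE, meaning squid generated the error page itself rather than relaying anything from the server. The following triage script is an added example written for this page, not code from the thread or from OPNsense. It parses native-format lines (the poster's four lines are embedded as sample input), and the function names and the per-client summary shape are my own.

```python
"""Triage squid native access.log lines for TLS-bump failures (added example)."""
import ipaddress
import re
from collections import defaultdict

# Squid "native" access.log layout: timestamp elapsed client code/status bytes
# method url user hierarchy/peer content-type, separated by runs of spaces.
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Sample input: the four lines the poster quoted from the Kindle Fire attempt (newest first).
SAMPLE_LOG = """\
1558402364.793 50    192.168.1.10 TAG_NONE/200 0 CONNECT 108.177.122.139:443 - ORIGINAL_DST/108.177.122.139 -
1558402364.707 0    192.168.1.10 TAG_NONE/503 4284 GET https://m.youtube.com/ - HIER_NONE/- text/html
1558402364.524 92    192.168.1.10 TAG_NONE/200 0 CONNECT 108.177.122.139:443 - ORIGINAL_DST/108.177.122.139 -
1558402364.411 92    192.168.1.10 TCP_MISS/301 482 GET http://m.youtube.com/ - ORIGINAL_DST/108.177.122.139 text/html
"""


def parse_line(line):
    """Return a dict of the native-format fields, or None for a line that does not parse."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def connect_host(url):
    """CONNECT requests log 'host:port'; drop the port and any IPv6 brackets."""
    host, _, _ = url.rpartition(":")
    return host.strip("[]")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Per client: CONNECTs whose target is a bare IP literal (no hostname for a
    domain ACL to match at the CONNECT stage) and 5xx errors squid produced itself
    (TAG_NONE with HIER_NONE, i.e. no upstream was used for the response)."""
    records = sorted(filter(None, map(parse_line, log_text.splitlines())),
                     key=lambda r: r["ts"])
    findings = defaultdict(lambda: {"ip_literal_connects": [], "bump_errors": []})
    for r in records:
        f = findings[r["client"]]
        if r["method"] == "CONNECT" and is_ip_literal(connect_host(r["url"])):
            f["ip_literal_connects"].append(connect_host(r["url"]))
        if r["code"] == "TAG_NONE" and r["status"] >= 500 and r["hier"] == "HIER_NONE":
            f["bump_errors"].append((r["status"], r["url"]))
    return dict(findings)


if __name__ == "__main__":
    for client, f in triage(SAMPLE_LOG).items():
        print(client, f)
```

Pointing `triage()` at a longer excerpt of access.log groups the same two signals by client, which is a quick way to see which devices only ever reach the proxy with IP-literal CONNECTs and where the bump-side errors cluster.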
Title: Re: Kindle Fire and Samsung Fire TV Transparent Proxy No Bump
Post by: porigromus on May 21, 2019, 03:45:06 pm
I tried adding the source IP to the "no bump" list, whitelist and unrestricted, without luck.
Title: Re: Kindle Fire and Samsung Fire TV Transparent Proxy No Bump
Post by: porigromus on May 21, 2019, 07:50:09 pm
I was reading other sites with regard to SSL TAG_NONE/503 errors, and some mentioned being less restrictive with the SSL cipher strengths. I am very familiar with Apache and how to do this; I assume it will be easy to do this in Squid as well. However, if I have to change these values, I assume that the next time OPNsense updates Squid it will replace them if I do it through the CLI.

I am getting ahead of myself though; I don't know if this is the issue yet.
Title: Re: Kindle Fire and Samsung Fire TV Transparent Proxy No Bump
Post by: porigromus on May 21, 2019, 08:53:18 pm
If I wanted to "no bump" source IPs, how would I do this? It didn't seem to work by adding 192.168.1.10 to the GUI SSL no bump field. At this point this is one option I am considering so as not to MITM the Amazon devices.

I started thinking about how I might do this but haven't figured it out.

The squid.conf file has this section, which appears to point to the no bump list entered in the GUI:

# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

{% else %}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}

How would I override squid.conf with a .conf file? Could I add this, or something similar, to the pre-auth location? I haven't had much luck yet:

vi /usr/local/etc/squid/pre-auth/
acl no_bump src 192.168.1.10/32
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 no_bump
ssl_bump splice bump_step3 no_bump
ssl_bump stare bump_step2
ssl_bump bump bump_step3
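Squid evaluates ssl_bump rules top to bottom at each of the three SslBump steps, and the first rule whose ACLs all match decides the action for that step, so whether a snippet dropped into pre-auth takes effect depends on where it lands relative to the generated rules. The following is an added example written for this page, not configuration or code from OPNsense or from the poster: a toy Python evaluator of that first-match logic, run over the rule sets quoted in this thread. The template's default and SNI-only branches appear with the nobumpsites.acl file replaced by the single `.youtube.com` entry the poster says it holds; the source-address variant is the poster's proposal; and a fourth set splices the exempt client at step 1 before anything is peeked at. The two connections, their client addresses, the default action for a step with no matching rule, and the treatment of a rule with no ACLs as matching everything are constructed assumptions, and the model of `ssl::server_name` ignores server-certificate names at step 3.

```python
"""Toy evaluator of squid ssl_bump rule sets: first matching rule wins at each step (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

TERMINAL = {"splice", "bump", "terminate"}  # no further step runs after one of these
DEFAULT_ACTION = "splice"  # assumption for a step with no matching rule; never reached below


@dataclass
class Conn:
    client: str             # client address, what a 'src' ACL tests
    connect_host: str       # CONNECT host; the intercepted IP when squid is transparent
    sni: str | None = None  # TLS SNI learned by peeking at step 1, if the client sent one

    def names_at(self, step: int) -> list[str]:
        # Simplified ssl::server_name: step 1 knows only the CONNECT host; steps 2 and 3
        # use the SNI if there is one. Real squid can also use server certificate names.
        return [self.sni] if step >= 2 and self.sni else [self.connect_host]


@dataclass
class Config:
    acls: dict[str, tuple[str, list[str]]] = field(default_factory=dict)
    rules: list[tuple[str, list[str]]] = field(default_factory=list)


def parse(text: str) -> Config:
    """Parse only what this thread uses: 'acl NAME TYPE ARGS...' and 'ssl_bump ACTION [ACL...]'."""
    cfg = Config()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "acl":
            name, kind, *args = parts[1:]
            cfg.acls[name] = (kind, args)
        elif parts and parts[0] == "ssl_bump":
            cfg.rules.append((parts[1], parts[2:]))
    return cfg


def domain_match(pattern: str, name: str) -> bool:
    """squid domain lists: a leading dot matches the domain itself and every subdomain."""
    name = name.lower()
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern


def acl_matches(cfg: Config, name: str, conn: Conn, step: int) -> bool:
    if name == "all":
        return True
    kind, args = cfg.acls[name]
    if kind == "at_step":
        return args == [f"SslBump{step}"]
    if kind == "src":
        ip = ipaddress.ip_address(conn.client)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "ssl::server_name":
        return any(domain_match(p, n) for p in args for n in conn.names_at(step))
    raise ValueError(f"acl type {kind} is not modelled")


def resolve(cfg: Config, conn: Conn) -> list[tuple[int, str]]:
    """Return [(step, action), ...] for steps 1..3, stopping at the first terminal action."""
    trace = []
    for step in (1, 2, 3):
        action = DEFAULT_ACTION
        for act, acls in cfg.rules:  # a rule with no ACLs is taken to match everything (assumption)
            if all(acl_matches(cfg, a, conn, step) for a in acls):
                action = act
                break
        trace.append((step, action))
        if action in TERMINAL:
            break
    return trace


# Template acl block, with the nobumpsites.acl file replaced by its one entry (constructed).
ACL_DEFS = """
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name .youtube.com
"""
OPNSENSE_DEFAULT = ACL_DEFS + """
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
"""
OPNSENSE_SNI_ONLY = ACL_DEFS + """
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump
"""
# The poster's idea, exempting one client by source address instead of by server name ...
SRC_EXEMPT_AT_STEP3 = OPNSENSE_DEFAULT.replace(
    "acl bump_nobumpsites ssl::server_name .youtube.com", "acl no_bump src 192.168.1.10/32"
).replace("bump_nobumpsites", "no_bump")
# ... and a variant that splices that client at step 1, before the TLS hello is peeked at.
SRC_EXEMPT_AT_STEP1 = "acl no_bump src 192.168.1.10/32\nssl_bump splice no_bump\n" + OPNSENSE_DEFAULT

# Constructed connections: a phone that sends SNI, and the Kindle reaching the same IP without SNI.
PHONE = Conn(client="192.168.1.20", connect_host="108.177.122.139", sni="m.youtube.com")
KINDLE = Conn(client="192.168.1.10", connect_host="108.177.122.139")

if __name__ == "__main__":
    for label, text in [("default", OPNSENSE_DEFAULT), ("sni-only", OPNSENSE_SNI_ONLY),
                        ("src@step3", SRC_EXEMPT_AT_STEP3), ("src@step1", SRC_EXEMPT_AT_STEP1)]:
        cfg = parse(text)
        print(f"{label:10} phone={resolve(cfg, PHONE)} kindle={resolve(cfg, KINDLE)}")
```

Running it shows the default branch splicing the phone (its SNI matches `.youtube.com`) while staring at and then bumping the Kindle (with no SNI, only the IP literal is available to match), the SNI-only branch splicing every connection at step 2, which is consistent with the poster's observation that SNI-only mode works, and the source-address rule set exempting 192.168.1.10 at step 3 or, when the splice rule is placed first, at step 1 without any peeking. Real squid also requires an ACL to be defined before the rule that uses it, which this toy parser does not check.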
Title: Re: Kindle Fire and Samsung Fire TV Transparent Proxy No Bump
Post by: firewall on May 31, 2019, 05:25:04 am
If I wanted to "no bump" source IPs how would I do this?

I just omit them from being redirected to squid altogether using a counter rule on the firewall forward (if not equal to no-bump-alias then forward). Much easier this way.

Also easy: not using squid.  Talk about a time suck for marginal (if not questionable) return :(
Title: Re: Kindle Fire and Samsung Fire TV Transparent Proxy No Bump
Post by: Bismarck on January 22, 2021, 04:06:12 pm
Maybe a little late, but anyway ;D

https://forum.opnsense.org/index.php?topic=21045.0