Tuesday, April 25, 2017

Enabling SSL Tunneling through a Squid Proxy Server with authentication

This post will describe how we can proxy our outgoing requests through ESB using a Squid Proxy Server. For more information on the scenario, you can refer the WSO2 ESB documentation.

Step 1 - Setting up Squid Proxy Server

To setup a Squid Proxy Server locally, you can follow the instructions available here.

Step 2 - Configuring Squid Proxy Server - updating the squid.conf file

Add the following line under the acl section

acl squid.proxy.server src appserver.wso2.com

Note: If you will not be able to start the squid server with the above config, you might have to set an /etc/hosts entry for the host appserver.wso2.com.

The following should be added before the http_access TAG

http_access allow squid.proxy.server

Note: We will be referring to this proxy server instance by the name squid.proxy.server. Hence, you need to add this entry to the /etc/hosts file which resides in your local instance as well as to the instance where the Squid server is running.

Add the following port information before the https_port TAG section

http_port 8888

Once the above is added to the squid.conf file, restart the Squid server

sudo service squid3 restart

Step 3 - Enabling the proxy configuration in WSO2 ESB

To do this, add the below configuation to the axis2.xml under the PassThroughHttpSender, PassThroughHttpSSLSender configuration

<parameter name="http.proxyHost" locked="false">squid.proxy.server</parameter> <parameter name="http.proxyPort" locked="false">8888</parameter>

Step 4 - Creating a Proxy Service

Once the above configurations are done and the WSO2 ESB server is restarted, you can create a simple Passthrough Proxy service to test the scenario.
Note that as the endpoint, I am using a backend where I'm referring to from a host name called appserver.wso2.com. This was the hostname which we added to the squid.conf file above under the acl section.

<proxy name="SSLTunnelingProxy"
          transports="https http"
                  <address uri="https://appserver.wso2.com/services/SimpleStockQuoteService"/>

Step 5 - Setting up the backend
For this scenario, you can take an WSO2 Application Server instance and start it up with ports 443 and 80 as default ports. Then, set the HostName parameter in carbon.xml to appserver.wso2.com. Deploy the SimpleStockQuoteService and you are ready to go.

Step 6 - Invoking the Proxy Service

Using a preferred client of yours you can test the scenario. If the message is sent through the Proxy server, you should see logs as shown below in /var/logs/squid/access.log file.

1493112155.126  49234 TCP_MISS/200 2335 CONNECT appserver.wso2.com:443 - HIER_DIRECT/ -
1493112888.241      0 TCP_DENIED_REPLY/403 3429 CONNECT appserver.wso2.com:443 - HIER_NONE/- text/html

Step 7 - Configure authentication in Squid

To enable authentication in Squid, the following configuration needs to be done.

Add the following to the squid.conf profile under  TAG: auth_param

auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid3/passwords
auth_param basic realm proxy

Note: In ubuntu 12 - the file should be ncsa_auth & in ubuntu 14 - the file is basic_ncsa_auth.

Next, under the TAG: acl add the following

acl authenticated proxy_auth REQUIRED

The following should be added under the TAG: http_access.

http_access allow authenticated

Step 8 - Setting up a user

As a pre-requisite Apache2 Utils will have to be installed.

sudo apt-get install apache2-utils

To create a new user, use the following command.

sudo htpasswd -c /etc/squid3/passwords <>

When it prompts for the password, specify a password of your choice.

Reason for "PasswordInvalidAsk Password Feature is disabled" error when adding through RemoteUserStoreManager

When trying to add users from RemoteUserStoreManager it returned the following SOAP fault.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
            <faultstring>PasswordInvalidAsk Password Feature is disabled</faultstring>

The reason for this issue is that I have forgotten to add the element in the SOAP message.  Once this element was added, I was able to successfully create the user.