
Re: Filtering HTTPS URLs

Hi Panda,

Thanks for the suggestion. 

I'm assuming from Panda and Amos's responses that what I'm trying to achieve should actually be possible?

I tried adding what you suggested but unfortunately it didn't work.

New Config (based on Panda's suggestion):
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl localnet src 132.234.0.0/16 # ANDREWN: Griffith University network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl whitelist-regex url_regex -i reddit.com/r/news
http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

Browsing to https://www.reddit.com/r/news still gives the following in the access.log:
1455229976.342      0 132.234.20.39 TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
1455229976.423      0 132.234.20.39 TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
1455229976.537      0 132.234.20.39 TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -

Will now try Amos's suggestions of looking further into the ssl options and trying the 4.0.5 release, and email the list to say how it goes.

Thanks.
Victor

On Thu, Feb 11, 2016 at 11:46 PM, Panda Admin <pandanonomous@xxxxxxxxx> wrote:
Try adding 
acl step1 at_step SslBump1
ssl_bump peek step1 bump_sites

This worked for me.  Just a suggestion:)


On Thu, Feb 11, 2016 at 3:59 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 11/02/2016 1:05 p.m., Victor Hugo wrote:
> Hi,
>
> I was wondering if it is possible to filter HTTPS URLs using squid (for
> example to blacklist reddit.com but allow https://www.reddit.com/r/news/)?
>
> I thought this may be possible using ssl_bump and url_regex. I have been
> trying this using squid 3.5.13 but with no success.
>
> Here is the squid configuration that I have tried but doesn't seem to work
> (it works for http sites though):
>

<snip>
>
> acl whitelist-regex url_regex -i reddit.com/r/news
> http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> acl bump_sites ssl::server_name .reddit.com
> ssl_bump bump bump_sites
> ssl_bump splice !bump_sites
> http_access allow whitelist-regex
> http_access allow localhost
> http_access deny all

> Relevant access.log output (IP addresses redacted to x.x.x.x):
> 1455145755.589      0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 -
> HIER_NONE/- -

So this is the bump happening, as you wanted.

> 1455145755.669      0 x.x.x.x TAG_NONE/403 4011 GET
> https://www.reddit.com/r/news - HIER_NONE/- text/html

And something else has 403 (Forbidden) the request. Your ACL and
http_access config looks fine. So I don't think it's that.


The first oddity is that your ssl_bump rules are doing bump without
having fetched the clientHello details yet. So this is a "client-first"
bumping situation in which Squid first negotiates TLS / HTTPS with the
client, then completely separately negotiates TLS/HTTPS with the server.
 - any errors in the server TLS might result in something like this 403
(though it should be a 5xx status, it may not always be).
 - the sslproxy_* settings are entirely what controls the server
connection TLS.


Second oddity is that it's saying DENIED/200. 200 is 'allowed' in CONNECT
actions. This could be a logging bug, or a sign of something going wrong
in the bumping stage that alters the CONNECT logging as well.


Are you able to experiment with using the Squid-4.0.5 release? There are
some bumping bug fixes that are only in that release series.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
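The two symptoms Amos points at (a CONNECT logged as TCP_DENIED with a 200 status, and a 403 on the decrypted https:// GET that follows the bump) are easy to miss in a busy access.log. The script below is an added example, not part of the thread and not Squid's own tooling: it parses Squid's native 10-field log format and flags both patterns. The sample log is constructed for the example, made of the three lines Victor posted plus two ordinary entries (a spliced CONNECT and a plain http GET) so that the checks have something to pass over; the 5-second correlation window, the finding labels and the function names are assumptions of this example, not anything Squid defines.

```python
"""Flag the ssl_bump log oddities discussed in the thread.

Added example (not from the thread, not Squid code). Parses Squid's
native access.log format:
  ts elapsed client code/status bytes method url ident hierarchy/peer type
and reports
  - CONNECT entries logged TCP_DENIED but with status 200, and
  - a 403 on an https:// request that follows a CONNECT for the same host
    from the same client within a short window (a decrypted request
    that was refused after the bump).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: the three lines from the thread plus two normal entries.
SAMPLE_LOG = """\
1455229976.342      0 132.234.20.39 TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
1455229976.423      0 132.234.20.39 TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
1455229976.537      0 132.234.20.39 TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
1455229980.100    120 132.234.20.39 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1455229981.500     30 132.234.20.40 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Entry:
    ts: float
    client: str
    code: str       # Squid result code, e.g. TCP_DENIED, TCP_TUNNEL
    status: int     # HTTP status as logged
    method: str
    url: str
    host: str       # server host, normalised for matching CONNECT to GET


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = m["url"]
    if m["method"] == "CONNECT":
        host = url.rsplit(":", 1)[0]           # CONNECT logs "host:port"
    else:
        host = urlparse(url).hostname or ""    # other methods log a full URL
    return Entry(float(m["ts"]), m["client"], m["code"], int(m["status"]),
                 m["method"], url, host.lower())


def find_bump_anomalies(log_text: str, window: float = 5.0) -> List[Tuple[str, int, str]]:
    """Return (kind, line_number, detail) for each suspicious entry, in log order."""
    entries = []
    for n, line in enumerate(log_text.splitlines(), 1):
        e = parse_line(line)
        if e:
            entries.append((n, e))

    findings = []
    for idx, (n, e) in enumerate(entries):
        # Symptom 1: a CONNECT that Squid says it denied, yet logged as 200.
        if e.method == "CONNECT" and e.code == "TCP_DENIED" and e.status == 200:
            findings.append(("denied-with-200", n, e.url))
        # Symptom 2: a decrypted https:// request refused shortly after the
        # CONNECT to the same host from the same client.
        elif e.method != "CONNECT" and e.url.startswith("https://") and e.status == 403:
            for _, prior in reversed(entries[:idx]):
                if (prior.method == "CONNECT" and prior.client == e.client
                        and prior.host == e.host and e.ts - prior.ts <= window):
                    findings.append(("403-after-bump", n,
                                     f"{e.url} after CONNECT {prior.url}"))
                    break
    return findings


if __name__ == "__main__":
    for kind, line_no, detail in find_bump_anomalies(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; only lines in the native format are considered, and anything else (for example a custom logformat) is skipped rather than misread. The host match between CONNECT and GET is deliberate: a 403 on the bumped request that has no preceding CONNECT from that client is a different problem from the one in the thread.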


