
Re: filtering http(s) sites, transparently

On Mon, Apr 4, 2016 at 6:23 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>> If i remove *all* the http_access lines, then the behavior appears
>> correct
>>> (from a "splicing/bumping" standpoint).
>>>
>>
>> Strange. Squid without any http_access lines should be denying traffic
>> 100%.
>>
>>
> I do not see this behavior. Traffic appears to be allowed, and bumped
> (though with the wrong certificate, depending on the config, as explained
> before).
>
>


 
>
> my apologies for trying to show only the relevant parts. Find below the
> current config.
> It appears to be bumping everything rather than splicing any of the config
> (which may be due to the limitations documented on the wiki)
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> http_port 3129 intercept
> https_port 8443 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=64MB \
>     cert=/etc/squid/ssl/proxy.pem \
>     key=/etc/squid/ssl/proxy.key \
>     cafile=/etc/squid/ssl/proxy.pem
> always_direct allow all

always_direct has not been necessary with SSL-Bump since 3.1 series. You
should remove it.

> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl SniBypass ssl::server_name_regex \.slashdot\.org
> acl SniBypass ssl::server_name_regex \.fsdn\.com

I have moved those "SniBypass" ACLs into a separate file and replaced them with an include, as that list will end up growing.

> acl http_bypass dstdomain .slashdot.org
> acl http_bypass dstdomain .fsdn.com

and similarly here, replaced by an include...
 

> acl https_bypass all-of CONNECT SniBypass

This https_bypass ACL definition is a bit weird. It requires a single
message to match both TLS and HTTP properties simultaneously.

As you might imagine it is difficult for a TLS message to match HTTP
properties, and vice versa. So it won't ever match.


I don't understand. SniBypass is based on ssl::server_name_regex which shouldn't apply to http at all... 
Would that not be coming from the (client|server)Hello?
 
Note: SNI is *not* equivalent to Host or URL domain name. They can
contain very different values. The only thing they have in common is
that they both are supposed to point at the IP of the server being
contacted.


> acl http_ok all-of http_bypass Safe_ports
> ssl_bump peek step1
> ssl_bump splice SniBypass step2

This splice will work if (and only if) the client sends TLS SNI values
to Squid. It will ignore the server cert details.

For clients which do not send SNI or for all connections where the SNI
does not match your ACL the bump rule below will do client-first bumping
(without the server cert).

> ssl_bump bump all

I suggest you try these ssl_bump rules instead:
[snip]
 OK
[snip]
Okay. That sort of matches your policy. Except that you are missing the
security defaults. Those lines are carefully tuned for the specific
behaviour to protect against security attacks:

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports

.. and should be above your custom rules.

I added those at the top as requested...
 
 cache allow all
 cache deny all

... pick one.


Done - the deny one is the one left in there now.

> shutdown_lifetime 3 seconds

For clarification, I also moved the two sets of ACLs into separate files, as those will eventually be maintained externally (SniBypass and http_bypass).

The config file is now:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_port 3128
http_port 3129 intercept
https_port 8443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB \
    cert=/etc/squid/ssl/proxy.pem \
    key=/etc/squid/ssl/proxy.key \
    cafile=/etc/squid/ssl/proxy.pem
workers 6
always_direct allow all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
include "/etc/squid/snibypass.acl"
include "/etc/squid/dstbypass.acl"
acl https_ok all-of CONNECT SniBypass
acl http_ok all-of http_bypass Safe_ports
ssl_bump splice SniBypass
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
sslproxy_cert_sign_hash sha256
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
http_access allow http_ok
http_access allow https_ok
http_access deny all
cache deny all
shutdown_lifetime 3 seconds

Note that with that config, the http_access deny all (a couple of lines before the end) appears to deny the TLS/SSL connection before the ssl_bump steps have a chance to match, so I get certs that are not mimicked (they have CN=<ip>). If I remove all 3 http_access lines at the end, then the splicing/bumping behavior appears to work as expected, but then I'm not denying anything...

That seems to confirm my suspicion that the access controls (http_access) apply too early for me to match anything related to ssl::server_name or ssl::server_name_regex.

I keep thinking that what I'm missing is that the http_access applies too early. I played with "terminate" instead of "bump" at the last ssl_bump command, but I really need the error message. I keep wanting to have something like this:

ssl_bump splice SniBypass
ssl_bump peek step1
ssl_bump stare step2
ssl_bump deny all

where the last one would effectively bump the connection, and provide the ERR_ACCESS_DENIED page.

Thank you so much for your help.
Jok
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
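A small lint, added here as an example and not part of the thread or of Squid itself, that checks a squid.conf string for the points Amos raised above: the two security-default http_access lines present and first, both cache allow all and cache deny all present, always_direct left in, and an all-of ACL that combines an HTTP property (method) with a TLS property (ssl::*). The sample config is constructed from the ones in the thread with the include files inlined; the finding texts are this example's own wording.

```python
# Constructed sample: the thread's squid.conf, shortened, with the include files inlined.
SAMPLE_CONF = r"""
acl CONNECT method CONNECT   # HTTP property
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
https_port 8443 intercept ssl-bump generate-host-certificates=on \
    cert=/etc/squid/ssl/proxy.pem
always_direct allow all
acl SniBypass ssl::server_name_regex \.slashdot\.org
acl http_bypass dstdomain .slashdot.org
acl https_ok all-of CONNECT SniBypass
acl http_ok all-of http_bypass Safe_ports
http_access allow http_ok
http_access allow https_ok
http_access deny all
cache allow all
cache deny all
"""
SECURITY_DEFAULTS = ["deny !Safe_ports", "deny CONNECT !SSL_ports"]

def parse(conf):
    """Yield (directive, args) pairs; joins backslash continuations and drops comments."""
    for line in conf.replace("\\\n", " ").splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            yield words[0], words[1:]

def lint(conf):
    """Return, in a fixed order, the findings raised in the thread for a config string."""
    d = list(parse(conf))
    acl_types = {}  # acl name -> set of acl types declared for it
    for n, a in d:
        if n == "acl" and len(a) >= 2:
            acl_types.setdefault(a[0], set()).add(a[1])
    out = []
    access = [" ".join(a) for n, a in d if n == "http_access"]
    for i, rule in enumerate(SECURITY_DEFAULTS):  # must exist and be the first http_access lines
        if rule not in access:
            out.append(f"missing security default: http_access {rule}")
        elif access.index(rule) != i:
            out.append(f"http_access {rule} must be above the custom rules")
    if {"allow all", "deny all"} <= {" ".join(a) for n, a in d if n == "cache"}:
        out.append("both 'cache allow all' and 'cache deny all' present; pick one")
    if any(n == "always_direct" for n, _ in d):  # not needed with SSL-Bump since 3.1
        out.append("always_direct is unnecessary with SSL-Bump; remove it")
    for n, a in d:  # all-of mixing an HTTP property (method) with a TLS one (ssl::*) never matches
        if n == "acl" and len(a) >= 3 and a[1] == "all-of":
            kinds = set().union(*(acl_types.get(m, set()) for m in a[2:]))
            if "method" in kinds and any(k.startswith("ssl::") for k in kinds):
                out.append(f"acl {a[0]}: all-of mixes HTTP and TLS properties, never matches")
    return out
```

Run lint(open("/etc/squid/squid.conf").read()) against a real file; include files are not followed, so inline them first as the sample does.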
