Search squid archive

Re: HTTPS issues with squidguard after upgrading from squid 2.7 to 3.5

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Good to hear!!!
Indeed Amos is correct and now I think this thread will be used for many users as a very good example.
Eventually as I mentioned, if it works for you and others then great.
I have encountered couple cases which the squidGuard update was too "expensive" and riskey but it seems that squidGuard is still kicking despite to not being maintain.

I have a non-public question but if you can share it will be nice.
What is the users size\capacity of the system?
I am asking since I have seen that many squidGuard based systems have acted slower then with ICAP.
By slower I mean that the initial squidGuard lookup response caused slower page display by ms to couple secs.
I have not researched the exact reasons since I will not try to fix what is already fine for many.

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx


-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of reqman
Sent: Thursday, June 16, 2016 10:55 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  HTTPS issues with squidguard after upgrading from squid 2.7 to 3.5

Hello Eliezer,

first let me thank you for providing a complete and detailed explanation, I think I understand now what gives here.

Minor note: Amos is correct in stating that url_rewrite_access basically controls what is thrown into the redirector.

Now, before I opened this discussion I also came to the conclusion that to get rid of these issues, I had to avoid throwing HTTPS through a rewrite with squidguard. Indeed, setting the following solved the
issue...:

========================
url_rewrite_program /usr/local/bin/squidGuard url_rewrite_children 8
startup=4 idle=4 concurrency=0
url_rewrite_access deny CONNECT
url_rewrite_access allow all
========================

... only to introduce another one: all HTTPS passes unfiltered.

So I tried to follow your advice to implement the same things, without using url_rewrite_program. I have tested and have the patched version of squidGuard (or so it seems). In doing so, I stumbled upon a couple of issues that complicate the solution, specifically:

* My error redirect page can not be used when the original request was a CONNECT one
* Even if it did, it would be complicated a bit to try and extract additional information (ie class that registered a hit with) from squidguard back to squid.

With your information, I was able to happily combine both the functionality of url_rewrite_program, as well as using an external acl.

In not so many words, the modifications to my original.
url_rewrite-based approach is to:
1) first do not use url_rewrite at all for CONNECT methods
2) modify http_access when made via CONNECT, to take into account the external acl rule (again based on squidguard), and block via TCP_RESET

In coding this means that:
1) The initial handling with:
========================
url_rewrite_program /usr/local/bin/squidGuard url_rewrite_children 8
startup=4 idle=4 concurrency=0
url_rewrite_access allow all
========================

... now becomes:
========================
url_rewrite_program /usr/local/bin/squidGuard url_rewrite_children 8
startup=4 idle=4 concurrency=0
url_rewrite_access deny CONNECT
url_rewrite_access allow all
========================

2) To handle CONNECT, the existing block that handles CONNECT logic:
========================
acl CONNECT method CONNECT

http_access deny CONNECT !SSL_ports
http_access allow CONNECT
========================

becomes:

========================
acl CONNECT method CONNECT
external_acl_type filter_url ipv4 concurrency=0 ttl=3 %URI %SRC %{-} %un %METHOD /usr/local/bin/squidGuard acl filter_url_acl external filter_url

# Important: When an unwanted site appears in HTTPS, just forcefully close the TCP connection!
deny_info TCP_RESET filter_url_acl

http_access deny CONNECT filter_url_acl
http_access deny CONNECT !SSL_ports

http_access allow CONNECT
========================

With this approach, some squidguard children are spawned as redirectors (via url_rewrite_program), whereas some more are spawned from "external_acl_type filter_url".

2016-06-15 21:12 GMT+03:00 Eliezer Croitoru <eliezer@xxxxxxxxxxxx>:
> Hey Michael,
>
>
>
> Well I have not tested FreeBSD dependencies and patches and I am not 
> following them daily.
>
> The issue itself with SquidGuard and the url_rewrite interface is more 
> of an issue in most cases with CONNECT requests as you mentioned.
>
> Since you are not using ssl_bump then you need to deny the 
> traffic\requests in a way that will not leave squid or the clients and 
> the session in an unknown or unexpected situation.
>
> When the url_rewrite interface is used to "Deny" something it's not 
> really denying but rather "rewriting" something due to it's nature.
>
>
>
> On regular plain http requests some mangling to the request(affecting 
> the
> response) is possible but when handling CONNECT requests it's a whole 
> new story.
>
> We don't know how the client will respond to a malformed response or 
> squid to a malformed rewritten request, and it is possible that the 
> client will expect a specific 50x\40x response code.
>
>
>
> The external_acl interface was built as an ACL extension with the 
> basic ability to overcome the limits of the url_rewrite interface.
>
> Content or url filtering is an ACL level operation and not url 
> rewriting\mangling and there for it is better(in squid) to do it in a 
> way that the client can identify(30x).
>
>
>
> The best possible way to deny such a connection(CONNECT) is using a 
> 50x or 40x code.
> I do not remember which one is accepted better by browsers and clients 
> and you will be able to find it yourself easily adding couple lines or 
> using the scripts I wrote before.
>
>
>
> And more directly to the subject, I will say that if these network "issues"
> are might be because of any squid side of wrongly handling CONNECT 
> requests that was mangled with a url_rewrite.
> I would say that these specific cases is the proof of the wrongly used 
> interface.
>
>
>
> The url_rewrite might contain a bug when handling a CONNECT request 
> but the bug is that it is handling these connections at all and not otherwise.
>
> My suggestion is that you would try to see if you can use something 
> like
> that:
>
> ## START
>
> url_rewrite_program /usr/local/bin/squidGuard url_rewrite_children 8
> startup=4 idle=4 concurrency=0
>
> url_rewrite_access deny CONNECT
>
> url_rewrite_access allow all
>
> ## END
>
>
>
> And  add another external_acl helper with the wrapper I gave you 
> without any special deny_info for the ACL.
> Squid will be able to handle these probably fine and will deny the 
> connections using some right access deny code(don't expect fancy 
> warning pages without using some level of ssl_bump).
>
>
>
> I do not know if you need a fast solution or you are planning 
> carefully with the available options.
>
> The options are to either use a "fast" solution to mitigate an 
> annoying issue or to find the right path.
>
> The solution to either of the options is in your hands..
>
> If for your squidGuard setup offers you the right solution from all 
> the right aspects despite to the fact that it's working slower then 
> other solutions then it is the solution for you!!
>
>
>
> The technology of black and white listing was enhanced in the last 
> decade but not too drastically.
>
> The basic concept is that there are query and analysis components 
> which are not forced to be one software.
>
> There will always be false positives to this or another way but some 
> categorizing systems are much stricter and sensitive about the subject 
> then others.
>
> All this leaving aside the sources of the lists you and since only you 
> have a definition of the wanted\desired results with the available options.
>
>
>
> You also stated that you have some funding issues, but just as a side note:
> the wanted result is eventually forcing the final product of work and 
> the expense(any if at all).
>
> I mean with these words that if you do not care about false positives 
> and using some product satisfy the desire or need then I think it's ok 
> for your case.

I am taking care of false positives by whitelisting sites over this last decade. My whitelisted sites are basically non-growing.

At some point I *will* have to look at something else. But first, I'll have to examine:
1) Which software to use: e2guardian and ufdbguard were referenced.
I'll have to delve into some study here
2) Same thing on which free *lists* to use. Will definitely need some reading here too.

Again, thanks for taking all this time to respond. HUGELY appreciated :)

> I will add that from my tests there are different results to basic 
> pages\objects loading\access speed when using one software or another, 
> and\or one protocol\interface or another.
>
>
>
> Here if you need more help\advice handling the situation.
>
> Eliezer
>
>
>
> ----
>
> Eliezer Croitoru
>
> Linux System Administrator
>
> Mobile: +972-5-28704261
>
> Email: eliezer@xxxxxxxxxxxx
>
>
>
>
>
> -----Original Message-----
> From: michail.pappas@xxxxxxxxx [mailto:michail.pappas@xxxxxxxxx] On 
> Behalf Of reqman
> Sent: Wednesday, June 15, 2016 2:19 PM
> To: Eliezer Croitoru
> Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
>
> Subject: Re:  HTTPS issues with squidguard after 
> upgrading from squid 2.7 to 3.5
>
>
>
> Hello Eliezer,
>
>
>
> 2016-06-15 11:45 GMT+03:00 Eliezer Croitoru <eliezer@xxxxxxxxxxxx>:
>
>> Hey Michael,
>
>>
>
>> I am missing couple details about the setup which might affect the 
>> way we would be able to understand what is causing the issue and how to resolve it.
>
>> There are changes from squid 2.7 to 3.5 and to my opinion these are 
>> mandatory to resolve and to not go one step back.
>
>
>
> Yes, I saw that 3.5 effectively disabled/obsoleted/deactivated various 
> options. I believe I took care in following through those requirements.
>
>
>
>> What version of SquidGuard 1.4 did you installed? The patched for 
>> squid 3.4+ compatibility?
>
>
>
> I installed a ready to use package from FreeBSD. I presume that is is 
> ok with squid 3.4, according to its dependencies:
>
>
>
> # pkg query "%do%dv" squidGuard
>
> www/squid3.5.19
>
> databases/db55.3.28_3
>
>
>
> Other information for squidGuard:
>
>
>
> # pkg info squidGuard
>
> squidGuard-1.4_15
>
> Name           : squidGuard
>
> Version        : 1.4_15
>
> Installed on   : Mon May 30 08:24:17 2016 EEST
>
> Origin         : www/squidguard
>
> Architecture   : freebsd:10:x86:64
>
> Prefix         : /usr/local
>
> Categories     : www
>
> Licenses       : GPLv2
>
> Maintainer     : garga@xxxxxxxxxxx
>
> WWW            : http://www.squidguard.org/
>
> Comment        : Fast redirector for squid
>
> Options        :
>
>        DNS_BL         : off
>
>        DOCS           : on
>
>        EXAMPLES       : on
>
>        LDAP           : off
>
>        QUOTE_STRING   : off
>
>        STRIP_NTDOMAIN : off
>
> Shared Libs required:
>
>        libdb-5.3.so.0
>
> Annotations    :
>
>        repo_type      : binary
>
>        repository     : FreeBSD
>
> Flat size      : 2.24MiB
>
>
>
>> More details about it here:
>
>> http://bugs.squid-cache.org/show_bug.cgi?id=3978
>
>> Now if it is indeed patched and works as expected it from the 3.4+ 
>> computability level of things then lets move on.
>
>
>
> Checking the bug and if I understand correctly, if my squidGuard was 
> not patched then it wouldn't work. This is not the case. It works ok 
> for http urls, ie blocks fine and the user is correctly redirected to 
> the block page setup for this purpose. It's HTTPS I'm having issues
>
> with: according to some talks, if something gets blocked by 
> squidguard, something is miscommunicated (or not communicated at all) with squid.
> Instead of a block, the users waits endlessly for the page.
>
>
>
>> Are you using Squid in intercept\transparent\trpoxy mode or is it 
>> defined in the browsers directly?
>
>> If you are using intercept mode, what have you defined on the FreeBSD 
>> pf\ipfw?
>
>
>
> Squid operates in normal mode. I've configured a 10year old proxy 
> autodiscovery script, which is published through DHCP. All browsers 
> are set to configure everything automatically.
>
>
>
>> And about the quote from the mailing list:
>
>> SquidGuard was written to operate under the url_rewrite 
>> interface\protocol and not external_acl.
>
>
>
> I've lost you here: why do I need squidGuard to operate under external_acl?
> Can't I leave it running with url_rewrite?
>
>
>
>> Due to this it has some disadvantages and the advised details are to 
>> modify the helper(SquidGuard or another) to operate in another way.
>
>> It is possible to use the patched version of SquidGuard under the 
>> external_acl interface and use squid options to deny\redirect the request.
>
>
>
> I saw your other email, but I again have to ask. My own squidguard "seems"
> to work. What are the merits of doing things with external_acl instead 
> of the way I am doing things right now?
>
>
>
>> It removes some things from the complexity of the issue.
>
>> I have just written an example on how to use use my software 
>> SquidBlocker under external_acl and here the adapted example that can 
>> be used with a patched SquidGuard:
>
>> ## START OF SETTINGS
>
>> external_acl_type filter_url ipv4 concurrency=0 ttl=3 %URI %SRC/-
>
>> %LOGIN %METHOD /usr/local/bin/squidGuard url_rewrite_children acl
>
>> filter_url_acl external filter_url deny_info
>
>> http://ngtech.co.il/block_page/?url=%u&domain=%H filter_url_acl #or #
>
>> deny_info 302:http://ngtech.co.il/block_page/?url=%u&domain=%H
>
>> filter_url_acl http_access deny !filter_url_acl http_access allow
>
>> localnet filter_url_acl ## END OF SETTINGS
>
>>
>
>> I have not tested this request format but if it doesn't work this way 
>> then a little cosmetics will make it work.
>
>>
>
>> When more information will be available we can try to see where the 
>> issue is from.
>
>>
>
>> Eliezer
>
>>
>
>> ----
>
>> Eliezer Croitoru
>
>> Linux System Administrator
>
>> Mobile: +972-5-28704261
>
>> Email: eliezer@xxxxxxxxxxxx
>
>>
>
>>
>
>> -----Original Message-----
>
>> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx]
>
>> On Behalf Of reqman
>
>> Sent: Wednesday, June 15, 2016 10:22 AM
>
>> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>
>> Subject:  HTTPS issues with squidguard after upgrading
>
>> from squid 2.7 to 3.5
>
>>
>
>> Hello all,
>
>>
>
>> I have been running squid 2.7.X alongside squidguard 1.4 on a FreeBSD 
>> 8.x box for years.
>
>> Started out some 10 years ago, with a much older 
>> squid/squidguard/FreeBSD combination.
>
>>
>
>> Having to upgrade to FreeBSD 10.3, I examined my option regarding squid.
>
>> 3.5.19 was available which I assumed would behave the same as 2.7, 
>> regarding compatibility.
>
>> Squidguard 1.4 was also installed.
>
>>
>
>> - Squid was configured to behave along the lines of what I had on 2.7.
>
>> - For squidguard I used the exact same blocklists and configurations.
>
>> Note that I do not employ an URL rewriting in squidguard, only 
>> redirection.
>
>> - no SSL-bump or other SSL interception takes place
>
>> - the squidguard-related lines on squid are the following:
>
>>
>
>> url_rewrite_program /usr/local/bin/squidGuard url_rewrite_children 8
>
>> startup=4 idle=4 concurrency=0 url_rewrite_access allow all
>
>>
>
>> - In squidGuard.conf, the typical redirect section is like:
>
>>
>
>>  default {
>
>>                 pass local-ok !block1 !block2 !blockN all
>
>>                 redirect
>
>>
>> 301:http://localsite/block.htm?clientaddr=%a+clientname=%n+clientiden
>> t=%i+srcclass=%s+targetclass=%t+url=%u
>
>>         }
>
>>
>
>> I am now experiencing problems that I did not have. Specifically, 
>> access to certain but *not* all HTTPS sites seems to timeout.
>
>> Furthermore, I see entries similar to the following in cache.log:
>
>>
>
>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128
>
>> remote=192.168.2.239:3446 FD 591 flags=1
>
>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128
>
>> remote=192.168.2.239:3448 FD 592 flags=1
>
>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128
>
>> remote=192.168.2.239:3452 FD 594 flags=1
>
>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128
>
>> remote=192.168.2.239:3456 FD 596 flags=1
>
>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128
>
>> remote=192.168.2.239:3454 FD 595 flags=1
>
>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128
>
>> remote=192.168.2.239:3458 FD 597 flags=1
>
>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128
>
>> remote=192.168.2.239:3462 FD 599 flags=1
>
>>
>
>> Searching around, the closest I have come to an answer is the
>
>> following:
>
>> http://www.squid-cache.org/mail-archive/squid-users/201211/0165.html
>
>> I am not sure though whether I am plagued by the same issue, 
>> considering that the thread refers to a squid version dated 4 years 
>> ago. And I definitely do not understand what the is meant by the poster's proposal:
>
>>
>
>> "If you can't alter the re-writer to perform redirection you can work 
>> around that by using:
>
>>
>
>>   acl foo ... some test to match the re-written URL ...
>
>>   deny_info 302:%s foo
>
>>   adapted_http_access deny foo "
>
>>
>
>> Can someone help resolve this?
>
>> Is the 2.7 series supported at all?
>
>> As is if everything fails, I'll have to go back to it if there's some 
>> support.
>
>>
>
>> BR,
>
>>
>
>>
>
>> Michael.-
>
>> _______________________________________________
>
>> squid-users mailing list
>
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>
>> http://lists.squid-cache.org/listinfo/squid-users
>
>>
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux