Search squid archive

Re: ssl_bump - peek & splice logging IP rather than server name

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Alex/Eliezer,

Thanks for you earlier comments and apologies for not responding (and saying thank you previously, squid got back-burnered unfortunately)

Getting logging working with transparent proxying was my initial step prior to looking at restricting specific sites via either ACLs or a URL rewriter (ufdbGuard, SquidGuard etc - although I don’t think SquidGuard works with SNI) 

To reiterate, my desire is to have Squid running and capable of blocking access to http and https sites primarily based on the server name requested by the client (so no need to go beyond a peek)
For HTTP requests this is obviously out of the box stuff but for HTTPS it seems more complicated.

From everything I’ve read, it looks like the following ssl_bump lines should provide access to the SNI server name requested by the client. 
ssl_bump peek all
ssl_bump splice all

I can’t help thinking that I must have something wrong with my config:
- Log output correctly shows 
- SNI server name via ssl::>sni 
- Bump mode via ssl::bump_mode 
- Implies my ssl_bump config is working
- Restricting access via a squid ACL doesn’t use the SNI server name for an HTTPS request 
- Works fine for HTTP

Example ACL:
    acl blocked_sites ssl::server_name .apple.com
    http_access deny blocked_sites

Example access log output:
%ts.%03tu   %6tr  %>a        %Ss/%03>Hs    %<st  %rm      %ru                         %ssl::>sni        %ssl::bump_mode %[un  %Sh/%<a                     %mt
1485468402.401  575   10.1.0.1  TCP_TUNNEL/200 592  CONNECT  23.63.86.92:443          store.apple.com  peek           -    ORIGINAL_DST/23.63.86.92  -
1485469054.633  51    10.1.0.1  TCP_DENIED/403 3962 GET      http://store.apple.com/  -                -              -    HIER_NONE/-               text/html

Example cache log output:
2017/01/26 21:54:21.745 kid1| 28,5| Acl.cc(138) matches: checking blocked_sites
2017/01/26 21:54:21.745 kid1| 28,3| ServerName.cc(42) match: checking '23.63.86.92'
2017/01/26 21:54:21.745 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:23.63.86.92 <>  .apple.com
2017/01/26 21:54:21.745 kid1| 28,3| ServerName.cc(47) match: '23.63.86.92' NOT found
2017/01/26 21:54:21.745 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2017/01/26 21:54:21.745 kid1| 28,7| ServerName.cc(32) aclHostDomainCompare: Match:none <>  .apple.com
2017/01/26 21:54:21.745 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2017/01/26 21:54:21.745 kid1| 28,3| Acl.cc(158) matches: checked: blocked_sites = 0
2017/01/26 21:54:21.745 kid1| 28,3| Acl.cc(158) matches: checked: http_access#5 = 0
2017/01/26 21:54:21.745 kid1| 28,5| Checklist.cc(400) bannedAction: Action 'ALLOWED/0is not banned

squid -v output:
Squid Cache: Version 3.5.20
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-icap-client' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

Is there anything obvious that I am missing as I’m a bit stumped now.

Thanks again

Mark

On 3 Jan 2017, at 23:35, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

On 01/03/2017 04:11 PM, Mark Hoare wrote:

I think these are hangovers from earlier syntax (ssl_bump
server-first all) which shouldn't be required under 3.5.

Please note that the depricated server-first is a "bumping" (not
splicing!) action, and you may see a lot more information in the
bumping-Squid logs, naturally.

Alex.


On 3 Jan 2017, at 23:10, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

On 01/03/2017 03:41 PM, Eliezer  Croitoru wrote:

Squid in intercept or tproxy mode will know one thing about the tunnel\connection: IP+port.

... and SSL handshake information when peeking or staring at client/server.


Since you are using:
ssl_bump peek all
ssl_bump splice all

The connections will always be spliced and you will never see any
url.(are you expecting only the SNI or also the url?)

AFAICT, Mark is expecting Squid to log one of the server names, not the
HTTP request URL.


I do not know but there might be a code that can report the SNI if exists in the logs.

According to squid.conf.documented, the following logformat %code is
supported in modern Squids:

ssl::>sni       SSL client SNI sent to Squid. Available only
               after the peek, stare, or splice SSL bumping
               actions.

This %code is not in the default access.log line format, naturally.

Squid can also analyze CN and other server certificate fields, but there
is no code to log them IIRC.


Please note that the intercepted server IP address, the client-supplied
SNI name, the server-supplied common name (CN), the server-supplied
alternative names, and the host info in the encrypted client HTTP
request, may all be different.

Given the variety of information sources that might supply different
information, it is not clear to me whether %ru should be based on SNI
information when both TCP-level and SNI information is available. Or
should it be based on CN? Or perhaps on CN _unless_ SNI matches one of
the alternative names?? This is a complicated issue; even the smart
server_name ACL needs parameters to clarify what "server name(s)" the
admin really wants to use/trust...

According to Mark's email, %ru uses TCP-level info. We could either
change %ru to use the "latest" info (like the server_name ACL does) or
add a new logformat code that does that while leaving the old %ru and
friends alone. Given the complexity of the issue, the latter may be a
better approach.


HTH,

Alex.

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Mark Hoare
Sent: Saturday, December 31, 2016 4:38 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: ssl_bump - peek & splice logging IP rather than server name

Extract from access log:
1483193882.790    870 <local ip removed> TCP_TUNNEL/200 5620 CONNECT 64.41.200.100:443 - ORIGINAL_DST/64.41.200.100 -

From the output above I would have expected some of the server name info to get into the access log.

http_port 3128

https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

http_port 3131 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

ssl_bump peek all
ssl_bump splice all


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux