Date: Thu, 2 Feb 2017 03:46:44 +1300
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: transparent http and https filter with
white-list only
Message-ID: <1d01efe0-83f8-2a91-c0ac-fd8ef769276f@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=utf-8
On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
Hello. I'm trying to get working transparent setup allowing only certain
domains and have problem that in order to allow https "ssl_bump splice
allowed_domains" i have to "http_access allow all", thus allowing all
other http traffic through. Otherwise https traffic is not allowed at all.
Here is my config:
Some comments inline to improve it.
Also, what version of Squid are you using?
I will assume that you are following the best practice advice and using
at least 3.5.19. If not, please try to upgrade.
just installed from centos7 repo, using yum
Squid Cache: Version 3.5.20
=======config=======
http_port 10.96.243.1:3128 intercept options=NO_SSLv3:NO_SSLv2
http_port 10.96.243.1:3130 options=NO_SSLv3:NO_SSLv2
Setting SSL-related options on http_port's is not useful when they are
not doing SSL-Bump.
ok. just copy-pasted from some internet site about ssl_bump
https_port 10.96.243.1:3129 intercept ssl-bump
options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off
cert=/etc/squid/squidCA.pem
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl http_allow dstdomain "/etc/squid/http_allow_domains.txt"
acl https_allow ssl::server_name "/etc/squid/https_allow_domains.txt"
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
Not good. Remember this is a security protocol you are playing around with.
Both of the above lines hide critical details you need to figure out
what is going wrong. They can be useful as a spot-check (only!) to
figure out if the problem is related to cert verification or something
else. But DO NOT use them for regular traffic, not even testing traffic.
You may find that there are certain _specific_ errors that you need to
let through. Add the appropriate flags, SSL options, ACLs checks
sslproxy_cert_error lines for those as needed, dont just ignore all
possible errors like above does.
this setup only purpose is to just allow clients to connect only to
small set of certain sites
i suppose client's browser will do all checks?
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice https_allow
ssl_bump terminate all
Looks okay. Just to be clear you understand that:
The above means that the TLS/SSL is spliced only if the client SNI
contains a domain in your whitelist.
All other traffic will be terminated ... maybe with an HTTP error page.
That's all i need. In fact i would prefer to not use squid at all for
that purpose, but can't find any good free DPI solution.
cache deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow all http_allow
http_access allow all https_allow
The ssl::server_name ACL will not work outside of the ssl_bump
directive. Delete the above line.
Ok
Also, I am not seeing is any line which permits the raw-IP CONNECT
message which your Squid processes first to decide whether ssl_bump will
be applied to the intercepted TCP connections.
That is why the "allow all" makes things "work". It lets those CONNECT
request through.
You can read the details about how bumping happens at
<http://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>
The CONNECT request mentioned in step 1.ii is your problem.
To fix it in a very targeted way add these lines (mind the wrap sorry):
acl rawIP dstdom_regex
^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|0-9\.]+)?\])):443$
acl bumpPort myportname 10.96.243.1:3129
http_access allow CONNECT bumpPort rawIP
i've worked around like this:
acl http_proto proto http
http_access allow !http
but will try your variant too
thanks.
http_access deny all
always_direct allow all
That always_direct line is not useful. Remove it.
ok
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
