Hi Leonardo,
Thanks for your reply. I tried SSL Bump in both client-first and
server-first modes and neither worked. The Squid version is 3.4.14,
running on OpenBSD 5.6 and 5.7 test boxes. I also increased the log
verbosity of the URL Parsing debug section to 9 to see if it shows
something useful. I'll post my squid.conf and the debug output from
cache.log here; if you have any suggestion, please tell me.
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: asndb
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: carp
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: userhash
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: sourcehash
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: server_list
2016/12/06 19:32:39.446 kid1| Finished loading MIME types and icons.
2016/12/06 19:32:39.469 kid1| src/base/AsyncCallQueue.cc(51) fireNext:
entering clientListenerConnectionOpened(local=172.17.198.19:3128
remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
2016/12/06 19:32:39.470 kid1| src/base/AsyncCall.cc(30) make: make call
clientListenerConnectionOpened [call27542]
2016/12/06 19:32:39.470 kid1| Accepting SSL bumped HTTP Socket
connections at local=172.17.198.19:3128 remote=[::] FD 18 flags=9
2016/12/06 19:32:39.470 kid1| src/base/AsyncCallQueue.cc(53) fireNext:
leaving clientListenerConnectionOpened(local=172.17.198.19:3128
remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(220) doAccept: New
connection on FD 18
2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(295) acceptNext:
connection on local=172.17.198.19:3128 remote=[::] FD 18 flags=9
2016/12/06 19:33:05.727 kid1| src/client_side.cc(2407) parseHttpRequest:
HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9 flags=1
2016/12/06 19:33:05.727 kid1| src/client_side.cc(2408) parseHttpRequest:
HTTP Client REQUEST:
---------
CONNECT www.sans.org:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
Gecko/20100101 Firefox/45.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: www.sans.org:443
Proxy-Authorization: Basic amVjYS50YXR1OjEyMzQ=
----------
2016/12/06 19:33:05.727 kid1| src/url.cc(386) urlParse: urlParse: Split
URL 'www.sans.org:443' into proto='', host='www.sans.org', port='443',
path=''
2016/12/06 19:33:05.727 kid1| Starting new basicauthenticator helpers...
2016/12/06 19:33:05.727 kid1| helperOpenServers: Starting 1/8
'basic_ncsa_auth' processes
2016/12/06 19:33:05.762 kid1| src/auth/User.cc(342) addIp: user
'jeca.tatu' has been seen at a new IP address (172.17.200.11:50974)
2016/12/06 19:33:05.763 kid1| src/client_side_request.cc(759)
clientAccessCheckDone: The request CONNECT www.sans.org:443 is DENIED;
last ACL checked: all
2016/12/06 19:33:05.763 kid1| src/errorpage.cc(1278) BuildContent: No
existing error page language negotiated for ERR_ACCESS_DENIED. Using
default error file.
2016/12/06 19:33:05.764 kid1| src/store.cc(1011) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2016/12/06 19:33:05.764 kid1| src/client_side.cc(785) setAuth: Adding
connection-auth to local=172.17.198.19:3128 remote=172.17.200.11:50974
FD 9 flags=1 from SSL-bumped CONNECT
2016/12/06 19:33:05.767 kid1| src/client_side.cc(3562)
clientNegotiateSSL: clientNegotiateSSL: Session 0x8b414f73400 reused on
FD 9 (172.17.200.11:50974)
2016/12/06 19:33:05.768 kid1| src/client_side.cc(2407) parseHttpRequest:
HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9 flags=1
2016/12/06 19:33:05.768 kid1| src/client_side.cc(2408) parseHttpRequest:
HTTP Client REQUEST:
---------
GET /programs HTTP/1.1
Host: www.sans.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie:
QSI_HistorySession=http%3A%2F%2Fwww.sans.org%2Fprograms~1486478958014
Connection: keep-alive
----------
2016/12/06 19:33:05.768 kid1| src/url.cc(386) urlParse: urlParse: Split
URL 'https://www.sans.org/programs' into proto='https',
host='www.sans.org', port='443', path='/programs'
2016/12/06 19:33:05.768 kid1| src/client_side_reply.cc(1969)
processReplyAccessResult: The reply for GET
https://www.sans.org/programs is ALLOWED, because it matched
'(access_log daemon:/var/squid/logs/access.log line)'
2016/12/06 19:33:05.769 kid1| src/client_side.cc(1459)
sendStartOfMessage: HTTP Client local=172.17.198.19:3128
remote=172.17.200.11:50974 FD 9 flags=1
2016/12/06 19:33:05.769 kid1| src/client_side.cc(1460)
sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.4.12
Mime-Version: 1.0
Date: Tue, 06 Dec 2016 21:33:05 GMT
Content-Type: text/html
Content-Length: 3342
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from openbsd57vm01
Via: 1.1 openbsd57vm01 (squid/3.4.12)
Connection: close
#################################################################
my squid.conf
cache_dir ufs /var/squid/cache 2048 16 256
cache_log /var/squid/logs/cache.log
cache_store_log daemon:/var/squid/logs/store.log
cache_mem 256 mb
max_filedescriptors 32768
acl eu src 172.17.200.11
acl SSL_ports port 443
acl CONNECT method CONNECT
debug_options ALL,2 23,9
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /etc/squid/squid-passwd
auth_param basic children 8
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
acl jeca.tatu proxy_auth jeca.tatu
acl restrito url_regex -i "/etc/squid/acl/restrito"
http_access allow password jeca.tatu restrito
http_access deny all
http_port 172.17.198.19:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB key=/etc/squid/pki/test.private cert=/etc/squid/pki/test.cert
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
always_direct allow all
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_cert_error allow BadSite
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 8MB
sslcrtd_children 7 startup=1 idle=1
coredump_dir /var/squid/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
On 2/6/17 2:28 PM, Leonardo Rodrigues wrote:
That's correct: when not using the SSL-Bump feature (that's the one
you're looking for), squid will only see the domain part. All the rest
of the URL is encrypted and visible only to the client (browser) and the
server on the other side, the only two parties involved in that crypto
session.
To enable squid to see the whole URL and be able to do full
filtering on HTTPS requests, you're looking for the SSL-Bump feature.
Google for it; there are a LOT of tutorials and mailing list messages on
that.
On 06/02/17 12:40, Dante F. B. Colò wrote:
Hello Everyone
I have a question, probably a noob one. I'm trying to allow some
https sites with specific URLs (I mean
https://domain.tld/blablabla), but https sites are working only with
the domain part. What do I have to do to make this work?
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
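As an added example (not Dante's posted config and not from the Squid project), the fragment below shows how the http_access rules can be ordered so that the CONNECT step is admitted for the permitted hosts and the url_regex filtering is applied to the decrypted request, which is the step the cache.log above shows being denied. The ACL name bump_hosts, the contents of /etc/squid/acl/restrito and the minimal Safe_ports list are assumptions.

```conf
# Added example (not the thread's squid.conf and not Squid project
# documentation). Squid 3.4, "ssl_bump client-first": http_access is
# evaluated twice per HTTPS request. Pass 1 sees the CONNECT, whose URL
# is just host:port ("www.sans.org:443" in the cache.log above), so a
# url_regex written for https://host/path cannot match it. Pass 2 sees
# the decrypted request with its full URL.
# Assumptions: the ACL name bump_hosts; /etc/squid/acl/restrito holding
# patterns such as  ^https://www\.sans\.org/programs  ; a minimal
# Safe_ports list (the stock squid.conf defines a longer one, and the
# ACL must exist before http_access references it).

acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED
acl jeca.tatu proxy_auth jeca.tatu
# dstdomain matches the host part, which is visible at CONNECT time.
acl bump_hosts dstdomain www.sans.org
# url_regex matches the whole URL, visible only after the bump.
acl restrito url_regex -i "/etc/squid/acl/restrito"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Pass 1: admit the CONNECT for permitted hosts so ssl_bump can run.
# Without this rule the CONNECT falls through to "deny all" (the
# "last ACL checked: all" line) and the error page is what gets served
# inside the bumped session, which is the 403 seen in the log.
http_access allow CONNECT SSL_ports bump_hosts password jeca.tatu
# Pass 2: the decrypted GET https://www.sans.org/programs is checked
# here; now restrito can see the path. Any other path on the bumped
# host falls through to "deny all" and gets a 403 inside the TLS session.
http_access allow password jeca.tatu restrito
http_access deny all

http_port 172.17.198.19:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB key=/etc/squid/pki/test.private cert=/etc/squid/pki/test.cert
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 8MB
sslcrtd_children 7 startup=1 idle=1
ssl_bump client-first all
# Deliberately left out from the thread's config: "sslproxy_flags
# DONT_VERIFY_PEER" and "sslproxy_cert_error allow all". Together they
# make Squid accept any upstream certificate, so clients behind the
# proxy lose the server authentication the bumped session replaces.
```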