Re: How to block a https website with squid 3.5.3


On 11/01/18 23:39, minh hưng đỗ hoàng wrote:
Dear all, I am using Squid as a transparent proxy. But I can't deny an https website like
https://remitano.com


The first step is to upgrade your Squid. TLS hijacking is a very volatile area and things are changing often; 3.5.3 is a very old Squid release now. The current Squid-3 version is 3.5.27.


My squid is compiled on ubuntu14 with this configure option
Squid Cache: Version 3.5.3
Service Name: squid
configure options:  '--prefix=/usr' '--includedir=/usr/include' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/usr/lib/squid' '--srcdir=.' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=24' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-gnuregex' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-http-violations' '--enable-ssl-crtd' '--enable-linux-netfilter' '--enable-ltdl-install' '--enable-ltdl-convenience' '--enable-x-accelerator-vary' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--disable-translation' '--disable-ipv6' '--disable-ident-lookups' '--enable-delay-pools' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-aufs-threads=24' '--with-filedescriptors=65536' '--with-large-files' '--with-maxfd=65536' '--with-openssl' '--with-default-user=proxy' '--with-included-ltdl'

And here is my squid.conf

acl localnet src 192.168.10.0/24 #LAN
acl localnet src 10.10.10.0/24 #WIFI
acl localnet src 10.10.20.0/24 #WIFI
acl localnet src 172.18.18.0/24 #WIFI
acl localnet src 172.17.0.0/16
acl localnet src 10.10.1.0/24

acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https


acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all


acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blockregexurl


TLS does not have URLs. So this will never work.


You need to use ssl::server_name ACLs instead of dstdomain for this directive.

Also, maybe ssl::server_name_regex for the regex patterns *if* any are relevant after considering how URLs don't exist.

You are doing peek first, which should make the SNI details available for ssl::server_name* to use.



ssl_bump terminate domain
ssl_bump terminate block_domain
ssl_bump splice all


sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
sslproxy_flags  DONT_VERIFY_PEER

Remove that DONT_VERIFY_PEER flag. It is only hiding problems from *you* the admin - while letting them still be problems for all your clients.

sslproxy_cafile /etc/squid/intermediate_ca.pem


This is a bit dangerous. Any non-intermediate CA certs in that PEM file will allow remote hijacking of your proxy outbound connections by clients of that root CA.

That said, you already completely disabled *ALL* verify checks on the server certs with DONT_VERIFY_PEER - so anyone can already hijack your traffic without needing to go to the trouble of even having their certs signed. All they need is some garbage bytes that use the correct X.509 _format_ used by certs.

After you upgrade your Squid, change that to sslproxy_foreign_intermediate_certs which will only load intermediate certs for use. If your upgraded Squid does not accept that directive it is still too old to use safely for SSL-Bump.



sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1


What are the http_port and https_port lines you are using?

-----------------------
First, I can block facebook by using this command:
acl facebook dstdomain .facebook.com
http_access deny CONNECT facebook


You can only block domains like that if:
a) you are using explicit proxy and the client sent a CONNECT with a domain name, or
b) its IP address rDNS points back to the domain you are naming in the ACL, or
c) the client sends TLS SNI details *and* your ssl_bump rules make that detail available to Squid (e.g. peek).


See <https://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps> for details on what SSL-Bump actually does at each step of the TLS handshake.

Pay particular attention to what info is available at each "step" - and also what is *not* available.



But it has no effect with https://remitano.com
I tried to use these commands but they do not work:

acl blockregexurl url_regex -i ^http[s]?:\/\/.*\.remitano\.com\/(/vn)
http_access deny blockregexurl
http_access deny CONNECT blockregexurl

The regex pattern is looking for an absolute-form URL which will never exist in any CONNECT messages, since they always use authority-form URL.

That first http_access line might work *if* you already bumped the HTTPS traffic. The second never will.



acl block_domain dstdomain remitano.com
acl domain dstdomain sso.remitano.com socket.remitano.com cdn.remitano.com
http_access deny block_domain
http_access deny CONNECT block_domain
http_access deny domain
http_access deny CONNECT domain


Same issues mentioned above about the facebook dstdomain ACL as to when these dstdomain ACLs will match.

Except that here the "deny foo" lines that go first without mentioning CONNECT will match all the same things as the CONNECT line would - meaning they already block all traffic even stuff not using CONNECT tunnels. So the mention of CONNECT in these lines is pointless, and you can completely remove the lines which use it without changing the proxy behaviour.


Amos
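Putting the advice in this reply together, as an added example that is not from the thread or from the Squid project: a squid.conf fragment for a transparent proxy on a current Squid-3.5 release that blocks the site by TLS server name instead of by URL. The port numbers, the CA certificate path and the single localnet line are assumptions; adjust them to the local installation.

```conf
# Added example (not Amos's or the OP's config). Paths and ports are placeholders.

# 'intercept' makes this a transparent proxy; https_port needs ssl-bump so the
# TLS handshake can be peeked at.
http_port  3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

acl localnet   src 192.168.10.0/24   # assumed: list the real client subnets here
acl SSL_ports  port 443
acl Safe_ports port 443
acl CONNECT    method CONNECT

# TLS carries no URL, so url_regex / dstdomain cannot see the site name.
# ssl::server_name matches the TLS SNI (and the server cert names once seen).
# The leading dot covers remitano.com and every subdomain (sso., socket., cdn.).
acl blocked_tls ssl::server_name .remitano.com

# At SslBump1 an intercepted connection only has client/server IP:port.
# 'peek' at step 1 reads the ClientHello, so at step 2 the SNI is available
# and 'terminate' can match on it. Everything else is passed through untouched.
acl step1 at_step SslBump1
ssl_bump peek      step1
ssl_bump terminate blocked_tls
ssl_bump splice    all

# Keep server certificate verification on: no sslproxy_flags DONT_VERIFY_PEER.
sslproxy_cert_error deny all
# Load intermediate CAs only (accepted by newer Squid-3.5 releases; if your
# Squid rejects this directive it is too old for SSL-Bump).
sslproxy_foreign_intermediate_certs /etc/squid/intermediate_ca.pem

# A plain "deny" already covers CONNECT requests; no separate CONNECT line needed.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Clients will see the connection reset rather than an error page, because terminate closes the TCP connection before any HTTP response could be sent.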