Re: How to completely blacklist a domain + subdomains, including HTTPS?

On 10/03/21 12:57 am, roee klinger wrote:
Hey,

I have found a lot of outdated or conflicting information about this online, and since this is a really important matter, I wanted to make sure I am doing this correctly.

I am attempting to block some websites completely, including all HTTPS traffic and subdomains.


Basically there are two protocols that need to be considered for this. HTTP and TLS.

In HTTP the "website" is identified by a domain name in the request-target (aka URI, sometimes called URL).
* The 'dstdomain' ACL type matches URI domain name.
* The http_access directive is where that domain name becomes available for Squid to check.


In TLS the "website" is identified by the TLS SNI sent by the client, or a field in the server X.509 certificate.
* The 'ssl::server_name' ACL type matches those details.
* The ssl_bump directive


Next thing is to be aware that there are many ways to layer protocols. Do expect to see vastly different proxy behaviours for each permutation of those.
* port 443 "HTTPS" is TLS then HTTP
* port 80 "HTTPS" is HTTP then TLS (quite rare)
* forward-proxy "HTTPS" is HTTP then TLS then HTTP



Squid.conf:

    acl domain_blacklist dstdomain "/etc/squid/domain_blacklist.txt"
    http_access deny all domain_blacklist

The "all" here is pointless.


    http_reply_access deny domain_blacklist

Use of reply access directive for blacklisting by request details is not useful.

The request already got blocked. So any response reaching here is just the error page saying forbidden. Blocking that error page would just change it to a slightly different error page saying the *response* was forbidden - which is a bit confusing for any user trying to understand why their request didn't work.


    http_access deny CONNECT domain_blacklist


This line is useless here.

squid.conf lines are interpreted top-down. The "deny all domain_blacklist" already stopped all requests that could possibly match the second condition of this line.



/etc/squid/domain_blacklist.txt:

    .ph
    .somepornwebsite.com
    .facebook.com

...

Am I doing this the right way?


Sort of. Your http_access denial will catch all the HTTP and decrypted HTTP(S) traffic. It will not be able to block any HTTP(S) requests that it is not able to decrypt.

To catch and block these domains without needing to decrypt you should also use:

    acl server_blacklist ssl::server_name "/etc/squid/domain_blacklist.txt"
    ssl_bump terminate server_blacklist

Of course there is always the failure case where traffic cannot decrypt and the TLS details use different server names.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
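An added example, not part of the thread or of Squid itself: a small checker that emulates the domain matching Squid applies to dstdomain and ssl::server_name lists (a leading "." entry matches the domain and every subdomain; an entry without it matches only that exact host), and shows which layer of the combined configuration above would stop a request. The blacklist contents are the ones from the thread; the function names are assumptions for this example.

```python
# Stand-alone checker for a dstdomain-style blacklist. It is NOT Squid code;
# it only applies the matching rule the thread relies on so a list can be
# sanity-checked before being dropped into /etc/squid/domain_blacklist.txt.

# Constructed copy of the blacklist file shown in the thread
BLACKLIST = """
.ph
.somepornwebsite.com
.facebook.com
"""


def load_blacklist(text):
    """Parse one entry per line; blank lines and '#' comments are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def domain_matches(host, entry):
    """'.x.y' matches x.y and any *.x.y; 'x.y' matches only x.y itself."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def is_blocked(host, entries):
    return any(domain_matches(host, e) for e in entries)


def check_request(entries, http_host=None, tls_sni=None):
    """Return the directive that would deny the request, or None.

    'http_access'  : the request-target domain of plain or decrypted HTTP
    'ssl_bump'     : the TLS SNI, checked without decrypting (ssl_bump terminate)
    None           : nothing matched, e.g. TLS with no SNI or a different name
    """
    if http_host is not None and is_blocked(http_host, entries):
        return "http_access"
    if tls_sni is not None and is_blocked(tls_sni, entries):
        return "ssl_bump"
    return None
```

The None result for a TLS connection carrying no SNI (or a different server name) is the failure case Amos points out: neither directive sees a matching domain.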