Hi,

Actually, if I remove http_access deny it works: squid manages to terminate the connection for the https blocked sites, but this causes a new issue. Even though it manages to block all https requests without bumping them, now all http requests are allowed.

-----Original Message-----
From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
Sent: 10 December 2021 16:42
To: André Bolinhas <andre.bolinhas@xxxxxxxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: deny squid to bump deny_info

On 12/10/21 11:01 AM, André Bolinhas wrote:
> I put this code at the beginning of squid.conf, just after listen_ports:
>
> http_port 0.0.0.0:3128 name=MyPortNameID1 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/861be42112afac3b82f6b992bcc464aa.dyn sslflags=VERIFY_CRL_ALL options=NO_SSLv3,No_Compression tls-dh=/etc/squid3/ssl/dhparam.pem
>
> acl denybump dstdomain .xvideos.com
> acl CONNECT1 method CONNECT
> http_access deny CONNECT1 denybump
> ssl_bump terminate denybump
> http_access deny denybump
>
> but it still doesn't work, squid continues to bump the error page.
>
> If I change the code to terminate all:
>
> acl denybump dstdomain .xvideos.com
> acl CONNECT1 method CONNECT
> http_access deny CONNECT1 denybump
> ssl_bump terminate all
> http_access deny denybump
>
> Squid is able to terminate all connections except xvideos; because xvideos is denied, squid continues to bump it to show the error page.

AFAICT, your configuration denies CONNECT requests _before_ "ssl_bump terminate" logic kicks in. The existing SslBump documentation can be interpreted as matching what is going on in your tests; see steps 1.ii and 1.iii at https://wiki.squid-cache.org/Features/SslPeekAndSplice

We probably should document that a step1 http_access denial (which happens during step 1.ii) blocks/prevents ssl_bump rules evaluation (which happens in step 1.iii).

My recommendation from the very first response on this email thread still stands: Close the offending client connection using an "ssl_bump terminate" rule instead[1] of blocking client access using "http_access".

[1] It may be a good idea to also/still block client access using http_access rules, as an additional safety layer, but it has to be done carefully so that the "ssl_bump terminate" rule matches _before_ any of the corresponding "http_access deny" rules may match. For example, the two rules cannot have exactly the same condition because step 1.ii happens before step 1.iii.

HTH,

Alex.

> You can see the result images here:
> gmail bump terminated - https://ibb.co/3MsMt0C
> Xvideos bump not terminated - https://ibb.co/b24hL44
>
>
> -----Original Message-----
> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: 8 December 2021 16:02
> To: André Bolinhas <andre.bolinhas@xxxxxxxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: deny squid to bump deny_info
>
> On 12/8/21 10:40 AM, André Bolinhas wrote:
>> Where do I need to add the ssl_bump terminate rule? Inside ssl.conf or http_access.conf?
>> I have tried in both, but it continues to bump the error page.
>
> Unfortunately, I cannot edit your configuration right now, but others on the mailing list may be able to help you. Please note that we do not know how those two files are included into your primary configuration file and whether that primary configuration file contains any relevant settings itself. The primary configuration file is what Squid parses first (e.g., it may be specified using "squid -f").
>
>
>> Also tried ssl_bump terminate all at the top of both files and it always bumps the error_page.
>
> I am not sure, but AFAICT, Squid bugs notwithstanding, if "ssl_bump terminate all" is the very first ssl_bump rule in the entire Squid configuration, and Squid still bumps traffic, then you may be denying explicit CONNECT requests _before_ SslBump kicks in.
>
>
> Alex.
>
>
>> These are my current files:
>>
>> http_access.conf
>>
>> #### tcp_outgoing_tos ####
>> #### tcp_outgoing_tos 0 Rules ####
>> # webfilters_sqacls HaClusterClient=0 2 rules [202] [class.squid.acls.groups.inc]
>> # webfilters_sqacls #10 : aclport=0 ( ) [212] [class.squid.acls.groups.inc]
>> # [L.268]: rule id: 10 access_allow Port Direction=0 ()
>> # [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(10,..)
>> http_access allow Group17
>> # webfilters_sqacls #5 : aclport=0 ( ) [212] [class.squid.acls.groups.inc]
>> # [L.268]: rule id: 5 access_deny Port Direction=0 ()
>> # [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(5,..)
>> # Template Enabled for this ACL.
>> # Final acl is all, Template ID=1
>> deny_info TEMPLATE_5 all
>> http_access deny all
>> #
>> #
>> # ------------------ HTTP ACCESS --------------------
>> # 0 rule(s) from engine (Line 2170)
>>
>>
>> # SquidStandardLDAPAuth = 0
>> # EnableOpenLDAP = 0
>> # SquidRadiusAuth = 0
>> # LDAP_AUTH = 0 caused by EnableOpenLDAP
>> acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
>> http_access allow WindowsUpdates
>>
>> # LDAP Auth = 0
>> http_access deny HTTP !Safe_ports all
>> http_access deny CONNECT !SSL_ports all
>> http_access deny MyBlockedIPs
>> http_access deny blockedsites
>> http_access deny DomainsBlackLists
>> http_access deny NetworksBlackLists
>> include /etc/squid3/http_access_final.conf
>> # END http_access (defaults)
>>
>> # Allow all networks to finally pass through proxy.
>> http_access allow all
>>
>> ssl.conf
>>
>> # SSL used for port ID 1, :3128 on
>> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
>> # SSL Proxy options Proxy version:5.2 [134]
>> sslcrtd_program /lib/squid3/security_file_certgen -s /var/lib/squid/session/ssl/ssl_db -M 32MB
>> sslcrtd_children 32 startup=5 idle=1 queue-size=64
>> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
>> #it means the application knows what certificate to expect when accessing AppStore.
>> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a "mimicked" one;
>> #the application detects that and refuses to function.
>> #
>> acl FakeCert ssl::server_name .apple.com
>> acl FakeCert ssl::server_name .icloud.com
>> acl FakeCert ssl::server_name .mzstatic.com
>> acl FakeCert ssl::server_name .dropbox.com
>> acl FakeCert ssl::server_name .bnpparisbas
>> acl ssl_step1 at_step SslBump1
>> acl ssl_step2 at_step SslBump2
>> acl ssl_step3 at_step SslBump3
>> ssl_bump peek ssl_step1
>> ssl_bump splice GlobalWhitelistDSTNet
>> ssl_bump splice GlobalWhitelistDomainsRx
>> ssl_bump splice GlobalWhitelistDomains
>> ssl_bump splice FakeCert
>>
>> # SNI Group google_sni/ssl_sni
>> # id:16 Type: ssl_sni
>> acl SNIGroup16 ssl::server_name_regex -i accounts\.google\.com
>>
>> # 0 Splice rules...
>> acl KeepSSL ssl::server_name "/etc/squid3/acls_whitelist.dstdomain.conf"
>> ssl_bump splice KeepSSL
>> ssl_bump splice GlobalWhitelistDSTNet
>>
>> # Rules (spliced) added by admins....
>>
>> # 1 BUMP rules...
>> #ssl_bump stare all
>> ssl_bump bump ssl_step2 SNIGroup16
>> ssl_bump splice all
>>
>> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>> on_unsupported_protocol tunnel all
>>
>>
>> -----Original Message-----
>> From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
>> Sent: 8 December 2021 15:13
>> To: André Bolinhas <andre.bolinhas@xxxxxxxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
>> Subject: Re: deny squid to bump deny_info
>>
>> On 12/7/21 8:39 PM, André Bolinhas wrote:
>>
>>> We use Squid v5 with ssl_bump to decrypt only google domains. With a special configuration we also need to deny important websites. Squid tries to bump returned error pages
>>
>> Yes, when SslBump encounters an error, it tries to bump the client connection to deliver the error response.
>>
>> One way to prevent that error handling algorithm from kicking in is to close the offending client connection using an "ssl_bump terminate" rule (instead[1] of blocking client access using "http_access").
>>
>>
>>> We have tried using a TCP_RESET deny_info but this does not fix the bump operation
>>
>> I suspect the TCP_RESET feature is checked at error delivery time, after the client connection is bumped to prepare it for error delivery. This suspect behavior should be considered a Squid bug/deficiency IMO -- Squid should not be bumping the TLS connection to deliver a TCP RST or FIN packet.
>>
>> HTH,
>>
>> Alex.
>>
>> [1] It may be a good idea to also/still block client access using http_access rules, as an additional safety layer, but it has to be done carefully so that the "ssl_bump terminate" rule matches _before_ any of the corresponding "http_access deny" rules may match.
>>
>>
>>
>>> In this piece of log, you can see that squid is forcing bump for an Access Denied website under https:
>>>
>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769) clientAccessCheckDone: Access Denied: beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(770) clientAccessCheckDone: AclMatchedName = all
>>> 2021/12/08 05:05:53.774 kid2| 83,7| LogTags.cc(57) update: TAG_NONE to TCP_DENIED
>>> 2021/12/08 05:05:53.774 kid2| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc945c5b40
>>> 2021/12/08 05:05:53.774 kid2| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffc945c5b40
>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(1461) sslBumpAccessCheck: SslBump applies. Force bump action on error UNKNOWN
>>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562) sslBumpNeed: sslBump required: bump
>>> 2021/12/08 05:05:53.774 kid2| 73,3| HttpRequest.cc(683) storeId: sent back effectiveRequestUrl: beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(160) rawSpace: reserving 1 for SBuf77493929
>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(866) reAlloc: SBuf77493929 new store capacity: 40
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(769) storeCreatePureEntry: storeCreateEntry: 'beacons2.gvt2.com:443'
>>> 2021/12/08 05:05:53.774 kid2| 20,5| store.cc(349) StoreEntry: StoreEntry constructed, this=0x5561d9347e90
>>> 2021/12/08 05:05:53.774 kid2| 20,3| MemObject.cc(100) MemObject: MemObject constructed, this=0x5561d5e66f50
>>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x5561d80af128 owner: 3
>>> 2021/12/08 05:05:53.774 kid2| 88,3| MemObject.cc(83) setUris: 0x5561d5e66f50 storeId: beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(85) assign: assigning SBuf77493930 from SBuf77493860
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: storeCreateEntry locked key [null_store_key] e:=V/0x5561d9347e90*1
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(569) setPrivateKey: 01 e:=V/0x5561d9347e90*1
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(421) hashInsert: StoreEntry::hashInsert: Inserting Entry e:=XIV/0x5561d9347e90*1 key '71570400000000002412000002000000'
>>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562) sslBumpNeed: sslBump required: client-first
>>> 2021/12/08 05:05:53.774 kid2| 33,4| ServerBump.cc(28) ServerBump: will peek at beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: Ssl::ServerBump locked key 71570400000000002412000002000000 e:=XIV/0x5561d9347e90*2
>>> 2021/12/08 05:05:53.774 kid2| 4,4| errorpage.cc(720) errorAppendEntry: storing TEMPLATE_5 in e:=XIV/0x5561d9347e90*2
>>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x5561d66a8078 owner: 3
>>> 2021/12/08 05:05:53.774 kid2| 4,2| errorpage.cc(1389) buildBody: No existing error page language negotiated for TEMPLATE_5. Using default error file.
>>>
>>> Ssl.conf
>>>
>>> # SSL used for port ID 1, :3128 on
>>> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
>>> # SSL Proxy options Proxy version:5.2 [134]
>>> sslcrtd_program /lib/squid3/security_file_certgen
>>> sslcrtd_children 32 startup=5 idle=1 queue-size=64
>>> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
>>> #it means the application knows what certificate to expect when accessing AppStore.
>>> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a "mimicked" one;
>>>
>>> #the application detects that and refuses to function.
>>> #
>>> acl FakeCert ssl::server_name .apple.com
>>> acl FakeCert ssl::server_name .icloud.com
>>> acl FakeCert ssl::server_name .mzstatic.com
>>> acl FakeCert ssl::server_name .dropbox.com
>>> acl FakeCert ssl::server_name .bnpparisbas
>>> acl notbump ssl::server_name .redtube.com
>>> acl ssl_step1 at_step SslBump1
>>> acl ssl_step2 at_step SslBump2
>>> acl ssl_step3 at_step SslBump3
>>>
>>> acl Me dst 127.0.0.1 192.168.58.11
>>> acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
>>>
>>> ssl_bump splice notbump all
>>> ssl_bump splice GlobalWhitelistDSTNet
>>>
>>> ssl_bump splice ssl_step1 Me
>>> ssl_bump splice ByPassRBL
>>> ssl_bump splice FakeCert
>>>
>>> # SNI Group sni_domains/ssl_sni
>>> # id:7 Type: ssl_sni
>>> acl SNIGroup7 ssl::server_name_regex -i account\.google\.com
>>> acl SNIGroup7 ssl::server_name_regex -i accounts\.google\.com
>>> ssl_bump peek ssl_step1 all
>>> # 0 Splice rules...
>>> ssl_bump splice ByPassRBL
>>> ssl_bump splice GlobalWhitelistDSTNet
>>>
>>> # Rules (spliced) added by admins....
>>>
>>> # 1 BUMP rules...
>>> ssl_bump bump ssl_step2 SNIGroup7
>>> ssl_bump splice all
>>>
>>> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
>>> sslproxy_cert_error allow all
>>>
>>> http_access.conf
>>>
>>> #### tcp_outgoing_tos ####
>>> #### tcp_outgoing_tos 0 Rules ####
>>> # SquidUrgency = 0 exec.squid.global.access.php[2233]
>>> # HaClusterClient=0 class.squid.acls.groups.inc/buildacls_order
>>> # mysql_for_port='' aclgpid=0 [L.174]
>>> # [3] rules [220]
>>>
>>>
>>> # webfilters_sqacls #2 : aclport=0 ( ) [239] [class.squid.acls.groups.inc]
>>> # [L.292]: rule id: 2 access_allow Port Direction=0 ()
>>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(2,..)
>>> acl AnnotateRule2 annotate_transaction accessrule=Rule2
>>> http_access allow Group2 AnnotateRule2
>>> # webfilters_sqacls #4 : aclport=0 ( ) [239] [class.squid.acls.groups.inc]
>>> # [L.292]: rule id: 4 access_allow Port Direction=0 ()
>>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(4,..)
>>> acl AnnotateRule4 annotate_transaction accessrule=Rule4
>>> http_access allow Group8 AnnotateRule4
>>> # webfilters_sqacls #3 : aclport=0 ( ) [239] [class.squid.acls.groups.inc]
>>> # [L.292]: rule id: 3 access_deny Port Direction=0 ()
>>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(3,..)
>>> # Template Enabled for this ACL.
>>> # Final acl is all, Template ID=1
>>> acl AnnotateRule3 annotate_transaction accessrule=Rule3
>>> http_access deny CONNECT AnnotateRule3
>>> deny_info TCP_RESET AnnotateRule3
>>>
>>> acl MyAll dst 0.0.0.0/0
>>> http_access deny Myall
>>> deny_info 302:http://artica/me Myall
>>> #
>>> #
>>> # ------------------ HTTP ACCESS --------------------
>>> # 0 rule(s) from engine (Line 2240)
>>>
>>>
>>> #
>>> # SquidStandardLDAPAuth = 0
>>> # EnableOpenLDAP = 0
>>> # SquidRadiusAuth = 0
>>> # LDAP_AUTH = 0 caused by EnableOpenLDAP
>>> acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
>>> acl AnnotateWindowsUpdates annotate_transaction accessrule=AllowWindowsUpdates
>>> http_access allow WindowsUpdates AnnotateWindowsUpdates
>>> #
>>> # -------------------- AUTH Schemes Squid v5.2-----------------------
>>>
>>> # ----------------------------------------------------------
>>>
>>> # LDAP Auth = 0
>>> acl AnnotateSafePorts annotate_transaction accessrule=deny_remote_ports
>>> http_access deny HTTP !Safe_ports all AnnotateSafePorts
>>> http_access deny CONNECT !SSL_ports all AnnotateSafePorts
>>> deny_info TCP_RESET all
>>>
>>> acl AnnotateBLK annotate_transaction accessrule=global_blacklist
>>> http_access deny MyBlockedIPs AnnotateBLK
>>> http_access deny blockedsites AnnotateBLK
>>> http_access deny DomainsBlackLists AnnotateBLK
>>> http_access deny NetworksBlackLists AnnotateBLK
>>> include /etc/squid3/http_access_final.conf
>>> # END http_access (defaults)
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>
>
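As an added illustration of the rule ordering Alex describes (step 1.ii http_access runs before step 1.iii ssl_bump), here is a minimal squid.conf fragment that is not from the thread and was not posted or tested by anyone in it. The block-list domain is a placeholder, and the fragment assumes the usual "acl CONNECT method CONNECT" definition from the default squid.conf.

```conf
# Placeholder block list; replace .blocked.example with the real domains.
acl blocked dstdomain .blocked.example
acl CONNECT method CONNECT
acl step1 at_step SslBump1

# Step 1.ii: http_access is evaluated on the client's CONNECT first.
# If a deny rule matches that CONNECT, Squid denies it and bumps the
# connection to deliver the error page before ssl_bump is consulted,
# which is exactly the behaviour seen in the thread's debug log.
# So this safety-layer rule deliberately excludes CONNECT: it still
# covers plain HTTP to the domain and requests inside bumped tunnels,
# but cannot match the initial CONNECT and pre-empt ssl_bump.
http_access deny !CONNECT blocked

# Step 1.iii: ssl_bump is evaluated on the CONNECT that got through.
# terminate closes the client connection without bumping it, so no
# error page is ever generated for this tunnel. It must come before
# the peek/splice/bump rules or those would match first.
ssl_bump terminate blocked
ssl_bump peek step1
ssl_bump splice all
```

The two rules intentionally do not share the same condition: the http_access deny carries "!CONNECT" so that, for the HTTPS case, "ssl_bump terminate" is the rule that decides.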