Search squid archive

Re: deny squid to bump deny_info

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi, 
Actually if I remove http_access deny I works, squid is manage to terminate the connection for the https blocked sites, but this causes a new issue, even mange to block all https request without bump it, now all http request are allowed now.


-----Mensagem original-----
De: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> 
Enviada: 10 de dezembro de 2021 16:42
Para: André Bolinhas <andre.bolinhas@xxxxxxxxxxxxxx>; squid-users@xxxxxxxxxxxxxxxxxxxxx
Assunto: Re:  deny squid to bump deny_info

On 12/10/21 11:01 AM, André Bolinhas wrote:

> I put this code at the beginning of squid.conf, just after listen_ports:
> 
> http_port 0.0.0.0:3128  name=MyPortNameID1 ssl-bump  
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 
> cert=/etc/squid3/ssl/861be42112afac3b82f6b992bcc464aa.dyn 
> sslflags=VERIFY_CRL_ALL options=NO_SSLv3,No_Compression 
> tls-dh=/etc/squid3/ssl/dhparam.pem
> 
> acl denybump dstdomain .xvideos.com
> acl CONNECT1 method CONNECT
> http_access deny CONNECT1 denybump
> ssl_bump terminate denybump
> http_access deny denybump
> 
> but still don't work, squid continues to bump the error page.
> 
> If I change the code to terminat all
> acl denybump dstdomain .xvideos.com
> acl CONNECT1 method CONNECT
> http_access deny CONNECT1 denybump
> ssl_bump terminate all
> http_access deny denybump
> 
> Squid is able to terminate all connections except the xvideos, because xvideos is denied, squid continues to bump it to shot the error page.

AFAICT, your configuration denies CONNECT requests _before_ "ssl_bump terminate" logic kicks in. The existing SslBump documentation can be interpreted as matching what is going on in your tests; see steps 1.ii and 1.iii at https://wiki.squid-cache.org/Features/SslPeekAndSplice

We probably should document that a step1 http_access denial (which happens during step 1.ii) blocks/prevents ssl_bump rules evaluation (which happens in step 1.iii).

My recommendation from the very first response on this email thread still stands: Close the offending client connection using an "ssl_bump terminate" rule instead[1] of blocking client access using "http_access".

[1] It may be a good idea to also/still block client access using http_access rules, as an additional safety layer, but it has to be done carefully so that "ssl_bump terminate" rule matches _before_ any of the corresponding "http_access deny" rules may match. For example, the two rules cannot have exactly the same condition because step 1.ii happens before step 1.iii.


HTH,

Alex.

> You can see the result images here:
> gmail bump terminated - https://ibb.co/3MsMt0C Xvideos bump not 
> terminated - https://ibb.co/b24hL44
> 
> 
> -----Mensagem original-----
> De: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
> Enviada: 8 de dezembro de 2021 16:02
> Para: André Bolinhas <andre.bolinhas@xxxxxxxxxxxxxx>; 
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> Assunto: Re:  deny squid to bump deny_info
> 
> On 12/8/21 10:40 AM, André Bolinhas wrote:
>> where I need to add the ssl_bump terminate rule? Inside ssl.conf or 
>> http_access.conf?
>> I have tried in both both but continues to bump the error page.
> 
> Unfortunately, I cannot edit your configuration right now, but others 
> on the mailing list may be able to help you. Please note that we do 
> not know how those two files are included into your primary 
> configuration file and whether that primary configuration file 
> contains any relevant settings itself. The primary configuration file 
> is what Squid parses first (e.g., it may be specified using "squid -f").
> 
> 
>> Also tried ssl_bump terminate all in the top of both files and always 
>> bump ther error_page.
> 
> I am not sure, but AFAICT, Squid bugs notwithstanding, if "ssl_bump 
> terminate all" is the very first ssl_bump rule in the entire Squid 
> configuration, and Squid still bumps traffic, then you may be denying 
> explicit CONNECT requests _before_ SslBump kicks in.
> 
> Alex.
> 
> 
>> This is my current files:
>> http_access.conf
>> #### tcp_outgoing_tos ####
>> #### tcp_outgoing_tos 0 Rules ####
>> # webfilters_sqacls HaClusterClient=0 2 rules [202] 
>> [class.squid.acls.groups.inc] # webfilters_sqacls #10 : aclport=0 (  
>> ) [212] [class.squid.acls.groups.inc] # [L.268]: rule id: 10 
>> access_allow Port Direction=0 () # [L.303]:
>> class.squid.acls.groups.inc buildacls_bytype_items(10,..) http_access 
>> allow Group17 # webfilters_sqacls #5 : aclport=0 (  ) [212] 
>> [class.squid.acls.groups.inc] # [L.268]: rule id: 5 access_deny Port
>> Direction=0 () # [L.303]: class.squid.acls.groups.inc
>> buildacls_bytype_items(5,..) # Template Enabled for this ACL.
>> # Final acl is all, Template ID=1
>> deny_info TEMPLATE_5 all
>> http_access deny all
>> #
>> #
>> # ------------------ HTTP ACCESS -------------------- # 0 rule(s) 
>> from engine (Line 2170)
>>
>>
>> # SquidStandardLDAPAuth = 0
>> # EnableOpenLDAP = 0
>> # SquidRadiusAuth = 0
>> # LDAP_AUTH = 0 caused by EnableOpenLDAP acl MyBlockedIPs src 
>> "/etc/squid3/acls/DenyIPSrc"
>> http_access allow WindowsUpdates
>>
>> # LDAP Auth = 0
>> http_access deny HTTP !Safe_ports all http_access deny CONNECT 
>> !SSL_ports all http_access deny MyBlockedIPs http_access deny 
>> blockedsites http_access deny DomainsBlackLists http_access deny 
>> NetworksBlackLists include /etc/squid3/http_access_final.conf
>> # END http_access (defaults)
>>
>> # Allow all networks to finally pass trough proxy.
>> http_access allow all
>>
>> ssl.conf
>> # SSL used for port ID 1, :3128 on
>> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0 # SSL Proxy options 
>> Proxy version:5.2 [134] sslcrtd_program 
>> /lib/squid3/security_file_certgen -s 
>> /var/lib/squid/session/ssl/ssl_db -M 32MB sslcrtd_children 32 
>> startup=5 idle=1 queue-size=64 #The AppStore application in IOS 
>> (iPhone, iPad, MacOS) uses SSL Certificate Pinning, #it means the 
>> application knows what certificate to expect when accessing AppStore.
>> #When you enable SSL Bump of HTTPS connections Squid replaces the 
>> default certificate with a  ^`^xmimicked ^`^y one; #the application 
>> detects that and refuses to function.
>> #
>> acl FakeCert ssl::server_name .apple.com acl FakeCert 
>> ssl::server_name .icloud.com acl FakeCert ssl::server_name 
>> .mzstatic.com acl FakeCert ssl::server_name .dropbox.com acl FakeCert 
>> ssl::server_name .bnpparisbas acl ssl_step1 at_step SslBump1 acl 
>> ssl_step2 at_step
>> SslBump2 acl ssl_step3 at_step SslBump3 ssl_bump peek ssl_step1 
>> ssl_bump splice GlobalWhitelistDSTNet ssl_bump splice 
>> GlobalWhitelistDomainsRx ssl_bump splice GlobalWhitelistDomains 
>> ssl_bump splice FakeCert
>>
>> # SNI Group google_sni/ssl_sni
>> # id:16 Type: ssl_sni
>> acl SNIGroup16 ssl::server_name_regex -i accounts\.google\.com
>>
>> # 0 Splice rules...
>> acl KeepSSL ssl::server_name "/etc/squid3/acls_whitelist.dstdomain.conf"
>> ssl_bump splice KeepSSL
>> ssl_bump splice GlobalWhitelistDSTNet
>>
>> # Rules (spliced) added by admins....
>>
>> # 1 BUMP rules...
>> #ssl_bump stare all
>> ssl_bump bump ssl_step2 SNIGroup16
>> ssl_bump splice all
>>
>> tls_outgoing_options options=NO_SSLv3,NO_TICKET 
>> cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDE
>> A :!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER sslproxy_cert_error 
>> allow all on_unsupported_protocol tunnel all
>>
>>
>> -----Mensagem original-----
>> De: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
>> Enviada: 8 de dezembro de 2021 15:13
>> Para: André Bolinhas <andre.bolinhas@xxxxxxxxxxxxxx>; 
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> Assunto: Re:  deny squid to bump deny_info
>>
>> On 12/7/21 8:39 PM, André Bolinhas wrote:
>>
>>> We use Squid v5 with ssl_bump to decrypt only google domains. With a 
>>> special configuration we also need to deny important websites. Squid 
>>> tries to bump returned error pages
>>
>> Yes, when SslBump encounters an error, it tries to bump the client 
>> connection to deliver the error response.
>>
>> One way to prevent that error handling algorithm from kicking in is 
>> to close the offending client connection using an "ssl_bump 
>> terminate" rule (instead[1] of blocking client access using "http_access").
>>
>>
>>> We have tried using a TCP_RESET deny_info but this does not fix the 
>>> bump operation
>>
>> I suspect the TCP_RESET feature is checked at error delivery time, 
>> after the client connection is bumped to prepare it for error 
>> delivery. This suspect behavior should be considered a Squid 
>> bug/deficiency IMO -- Squid should not be bumping the TLS connection 
>> to deliver a TCP RST or FIN packet.
>>
>> HTH,
>>
>> Alex.
>> [1] It may be a good idea to also/still block client access using 
>> http_access rules, as an additional safety layer, but it has to be 
>> done carefully so that "ssl_bump terminate" rule matches _before_ any 
>> of the corresponding "http_access deny" rules may match.
>>
>>
>>
>>> In this peace of log, you can see that squid is forcing bump for 
>>> Access Denied website under https:
>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769)
>>> clientAccessCheckDone: Access Denied: beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(770)
>>> clientAccessCheckDone: AclMatchedName = all
>>> 2021/12/08 05:05:53.774 kid2| 83,7| LogTags.cc(57) update: TAG_NONE 
>>> to TCP_DENIED
>>> 2021/12/08 05:05:53.774 kid2| 28,4| FilledChecklist.cc(67)
>>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc945c5b40
>>> 2021/12/08 05:05:53.774 kid2| 28,4| Checklist.cc(197) ~ACLChecklist:
>>> ACLChecklist::~ACLChecklist: destroyed 0x7ffc945c5b40
>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(1461)
>>> sslBumpAccessCheck: SslBump applies. Force bump action on error 
>>> UNKNOWN
>>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562)
>>> sslBumpNeed: sslBump required: bump
>>> 2021/12/08 05:05:53.774 kid2| 73,3| HttpRequest.cc(683) storeId: 
>>> sent back
>>> effectiveRequestUrl: beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(160) rawSpace: reserving
>>> 1 for
>>> SBuf77493929
>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(866) reAlloc:
>>> SBuf77493929 new store capacity: 40
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(769) storeCreatePureEntry:
>>> storeCreateEntry: 'beacons2.gvt2.com:443'
>>> 2021/12/08 05:05:53.774 kid2| 20,5| store.cc(349) StoreEntry:
>>> StoreEntry constructed, this=0x5561d9347e90
>>> 2021/12/08 05:05:53.774 kid2| 20,3| MemObject.cc(100) MemObject:
>>> MemObject constructed, this=0x5561d5e66f50
>>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader:
>>> init-ing
>>> hdr: 0x5561d80af128 owner: 3
>>> 2021/12/08 05:05:53.774 kid2| 88,3| MemObject.cc(83) setUris:
>>> 0x5561d5e66f50
>>> storeId: beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(85) assign: assigning
>>> SBuf77493930 from SBuf77493860
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock:
>>> storeCreateEntry locked key [null_store_key] e:=V/0x5561d9347e90*1
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(569) setPrivateKey: 01
>>> e:=V/0x5561d9347e90*1
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(421) hashInsert:
>>> StoreEntry::hashInsert: Inserting Entry e:=XIV/0x5561d9347e90*1 key 
>>> '71570400000000002412000002000000'
>>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562)
>>> sslBumpNeed: sslBump required: client-first
>>> 2021/12/08 05:05:53.774 kid2| 33,4| ServerBump.cc(28) ServerBump:
>>> will peek at beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock:
>>> Ssl::ServerBump locked key 71570400000000002412000002000000
>>> e:=XIV/0x5561d9347e90*2
>>> 2021/12/08 05:05:53.774 kid2| 4,4| errorpage.cc(720) errorAppendEntry:
>>> storing TEMPLATE_5 in e:=XIV/0x5561d9347e90*2
>>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader:
>>> init-ing
>>> hdr: 0x5561d66a8078 owner: 3
>>> 2021/12/08 05:05:53.774 kid2| 4,2| errorpage.cc(1389) buildBody: No 
>>> existing error page language negotiated for TEMPLATE_5. Using 
>>> default error file.
>>>
>>> Ssl.conf
>>> # SSL used for port ID 1, :3128 on
>>> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0 # SSL Proxy options 
>>> Proxy
>>> version:5.2 [134] sslcrtd_program /lib/squid3/security_file_certgen 
>>> sslcrtd_children 32 startup=5 idle=1 queue-size=64 #The AppStore 
>>> application in IOS (iPhone, iPad, MacOS) uses SSL Certificate 
>>> Pinning, #it means the application knows what certificate to expect 
>>> when accessing AppStore.
>>> #When you enable SSL Bump of HTTPS connections Squid replaces the 
>>> default certificate with a  ^`^xmimicked ^`^y one;
>>>
>>> #the application detects that and refuses to function.
>>> #
>>> acl FakeCert ssl::server_name .apple.com acl FakeCert 
>>> ssl::server_name .icloud.com acl FakeCert ssl::server_name 
>>> .mzstatic.com acl FakeCert ssl::server_name .dropbox.com acl 
>>> FakeCert ssl::server_name .bnpparisbas acl notbump ssl::server_name 
>>> .redtube.com acl ssl_step1 at_step SslBump1 acl
>>> ssl_step2 at_step SslBump2 acl ssl_step3 at_step SslBump3
>>>
>>> acl Me dst 127.0.0.1 192.168.58.11
>>> acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
>>>
>>> ssl_bump splice notbump all
>>> ssl_bump splice GlobalWhitelistDSTNet
>>>
>>> ssl_bump splice ssl_step1 Me
>>> ssl_bump splice ByPassRBL
>>> ssl_bump splice FakeCert
>>>
>>> # SNI Group sni_domains/ssl_sni
>>> # id:7 Type: ssl_sni
>>> acl SNIGroup7 ssl::server_name_regex -i account\.google\.com acl
>>> SNIGroup7 ssl::server_name_regex -i accounts\.google\.com ssl_bump 
>>> peek ssl_step1 all # 0 Splice rules...
>>> ssl_bump splice ByPassRBL
>>> ssl_bump splice GlobalWhitelistDSTNet
>>>
>>> # Rules (spliced) added by admins....
>>>
>>> # 1 BUMP rules...
>>> ssl_bump bump ssl_step2 SNIGroup7
>>> ssl_bump splice all
>>>
>>> tls_outgoing_options options=NO_SSLv3,NO_TICKET 
>>> cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!ID
>>> E A :!SEED :!aNULL:!eNULL flags=DONT_VERIFY_PEER sslproxy_cert_error 
>>> allow all
>>>
>>> http_access.conf
>>> #### tcp_outgoing_tos ####
>>> #### tcp_outgoing_tos 0 Rules ####
>>> # SquidUrgency = 0 exec.squid.global.access.php[2233]
>>> #       HaClusterClient=0 class.squid.acls.groups.inc/buildacls_order
>>> #       mysql_for_port='' aclgpid=0 [L.174]
>>> #       [3] rules [220]
>>>
>>>
>>> # webfilters_sqacls #2 : aclport=0 (  ) [239] 
>>> [class.squid.acls.groups.inc] # [L.292]: rule id: 2 access_allow 
>>> Port
>>> Direction=0 () # [L.320]:
>>> class.squid.acls.groups.inc buildacls_bytype_items(2,..) acl
>>> AnnotateRule2 annotate_transaction accessrule=Rule2 http_access 
>>> allow
>>> Group2 AnnotateRule2 # webfilters_sqacls #4 : aclport=0 (  ) [239] 
>>> [class.squid.acls.groups.inc] # [L.292]: rule id: 4 access_allow 
>>> Port
>>> Direction=0 () # [L.320]:
>>> class.squid.acls.groups.inc buildacls_bytype_items(4,..) acl
>>> AnnotateRule4 annotate_transaction accessrule=Rule4 http_access 
>>> allow
>>> Group8 AnnotateRule4 # webfilters_sqacls #3 : aclport=0 (  ) [239] 
>>> [class.squid.acls.groups.inc] # [L.292]: rule id: 3 access_deny Port
>>> Direction=0 () # [L.320]:
>>> class.squid.acls.groups.inc buildacls_bytype_items(3,..) # Template 
>>> Enabled for this ACL.
>>> # Final acl is all, Template ID=1
>>> acl AnnotateRule3 annotate_transaction accessrule=Rule3 http_access 
>>> deny CONNECT  AnnotateRule3 deny_info TCP_RESET AnnotateRule3
>>>
>>> acl MyAll dst 0.0.0.0/0
>>> http_access deny Myall
>>> deny_info 302:http://artica/me Myall # # # ------------------ HTTP 
>>> ACCESS -------------------- # 0 rule(s) from engine (Line 2240)
>>>
>>>
>>> #
>>> # SquidStandardLDAPAuth = 0
>>> # EnableOpenLDAP = 0
>>> # SquidRadiusAuth = 0
>>> # LDAP_AUTH = 0 caused by EnableOpenLDAP acl MyBlockedIPs src 
>>> "/etc/squid3/acls/DenyIPSrc"
>>> acl AnnotateWindowsUpdates annotate_transaction 
>>> accessrule=AllowWindowsUpdates http_access allow WindowsUpdates 
>>> AnnotateWindowsUpdates # # -------------------- AUTH Schemes Squid
>>> v5.2-----------------------
>>>
>>> # ----------------------------------------------------------
>>>
>>> # LDAP Auth = 0
>>> acl AnnotateSafePorts annotate_transaction 
>>> accessrule=deny_remote_ports http_access deny HTTP !Safe_ports all 
>>> AnnotateSafePorts http_access deny CONNECT !SSL_ports all 
>>> AnnotateSafePorts deny_info TCP_RESET all
>>>
>>> acl AnnotateBLK annotate_transaction accessrule=global_blacklist 
>>> http_access deny MyBlockedIPs AnnotateBLK http_access deny 
>>> blockedsites AnnotateBLK http_access deny DomainsBlackLists 
>>> AnnotateBLK http_access deny NetworksBlackLists AnnotateBLK include 
>>> /etc/squid3/http_access_final.conf
>>> # END http_access (defaults)
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>
> 


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux