Validation of IP address for SSL spliced connections

Hi,

I'm configuring squid as a transparent proxy where local outbound traffic is redirected to a local squid process using tproxy.

I would like to limit the domains the host can contact by having an allow list. I have the following config file:

------

acl allowed_clients src "/etc/squid/allowed_clients"
acl allowed_domains dstdomain "/etc/squid/allowed_domains"

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Additional access control lists
acl https_domains ssl::server_name "/etc/squid/allowed_domains"

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow allowed_clients allowed_domains
http_access allow allowed_clients CONNECT

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump cert=/etc/squid/cert/local_ca.pem

# SSL bump configuration
ssl_bump peek step1
ssl_bump peek step2 https_domains
ssl_bump splice step3 https_domains
ssl_bump terminate all

------

When the Host header in an intercepted request matches a domain on the allowed_domains list, the request is allowed. Otherwise it's denied as expected.

But squid doesn't seem to validate that the IP address we're connecting to is valid for the specified name in the SNI header?

For example, if I add "wordpress.org" to my allowed_domains list, the following request is allowed:

curl -v https://wordpress.org --connect-to wordpress.org:443:8.8.8.8:443

8.8.8.8 is not a valid IP address for wordpress.org. This could be used to bypass the restrictions.

Is there an option in squid to make it perform a forward DNS lookup for the domain from the SNI information from step1 to validate that the IP address we're trying to connect to is actually valid for that host? In the example above, a DNS lookup for wordpress.org would return 198.143.164.252 as the IP address. This is not the IP address we're trying to connect to, so squid should block the request.

Similar question for the server certificate: I've configured the 'ssl_bump peek step2 https_domains' line so squid can peek at the server certificate. Is there a way to configure squid to validate that the server certificate is valid for the host specified in the SNI header?


Regards,

Rik

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
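The check the question asks for, written as an added example that is not part of the thread or of Squid itself: a forward lookup of the SNI name, with the connection allowed only if the intercepted destination IP is one of the resolved addresses, shaped as a one-request-per-line external ACL helper that answers OK or ERR. The wiring via external_acl_type (a format handing the helper the SNI name and the intercepted destination IP, without helper concurrency) and the DNS table used for offline runs are assumptions, not verified against any Squid version.

```python
import ipaddress
import socket
import sys
from typing import Callable, Iterable

# A resolver maps a host name to the list of addresses it forward-resolves to.
Resolver = Callable[[str], Iterable[str]]

# Constructed lookup table so the example runs offline; the address is the one
# quoted in the question. Replace with system_resolver for live use.
CONSTRUCTED_DNS = {"wordpress.org": ["198.143.164.252"]}


def table_resolver(name: str) -> list[str]:
    return CONSTRUCTED_DNS.get(name.lower(), [])


def system_resolver(name: str) -> list[str]:
    """Forward-resolve name to its A/AAAA addresses via the OS resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def sni_matches_destination(sni: str, dst_ip: str, resolve: Resolver = system_resolver) -> bool:
    """True only if dst_ip is one of the addresses the SNI name resolves to.

    Fails closed: a missing SNI, an unresolvable name or a malformed address
    all yield False, so such connections get no benefit of the doubt.
    """
    if not sni:
        return False
    try:
        dst = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False
    return any(ipaddress.ip_address(addr) == dst for addr in resolve(sni))


def helper_loop(lines: Iterable[str], resolve: Resolver = system_resolver):
    """External ACL helper protocol (no concurrency): 'sni dst_ip' in, OK/ERR out."""
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            yield "ERR"  # malformed request line: deny rather than guess
            continue
        sni, dst_ip = parts
        yield "OK" if sni_matches_destination(sni, dst_ip, resolve) else "ERR"


if __name__ == "__main__":
    for answer in helper_loop(sys.stdin):
        print(answer, flush=True)
```

With the table resolver, "wordpress.org 8.8.8.8" from the question is answered ERR while "wordpress.org 198.143.164.252" is answered OK.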
