Dear Squid Community,

Nice to meet you. I am a newbie who just recently started using Squid. I have a question about Squid configuration. If there is any missing information or clarification needed, please let me know...

■Questions
When using Squid transparently, is it possible to control the whitelist of the domains to connect to and inspect the Host field in the request header together? According to the verification results, the Host field can be inspected by "host_verify_strict on" in squid-transparent.conf, but it seems that the whitelist is not controlled.

■Requirements
・Proxy shall be transparently configured to accommodate clients that cannot configure proxy settings.
・Communication is possible only with authorized domains using the whitelist method.
・Whitelists are managed by domain, not IP address.
・Check the Host field in the request header and reject communication if the value is invalid.
・If the actual destination IP is different from the result of name resolution of the FQDN specified by SNI, communication is denied.

■Environment
server: AWS EC2
platform: Amazon Linux
Squid Cache: Version 4.15

■Configuration Details
〇squid-transparent.conf (Excerpts)

# Whitelist
acl whitelist dstdomain "/etc/squid/whitelist"
acl whitelist dstdomain "/etc/squid/whitelist_transparent"
acl whitelist_https dstdomain "/etc/squid/whitelist_https"
acl whitelist_transparent_https dstdomain "/etc/squid/whitelist_transparent_https"

proxy_protocol_access allow localnet
proxy_protocol_access deny all

http_access allow localnet whitelist
http_access deny localnet whitelist_https !https_port
http_access deny localnet whitelist_transparent_https !https_port

# Handling HTTP requests
http_port 3129 intercept

# Handling HTTPS requests
https_port 3130 intercept tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/ssl/bump_dhparam.pem

# Start up for squid process
http_port 3131

http_access allow https_port
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_https"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent_https"
http_access deny all

# strict setting
host_verify_strict on

# SSL_BUMP
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump bump all

〇/etc/squid/whitelist
.pypi.org

■Verification of Settings
I ran the curl command from each of the client environments that use Squid.

1. If SNI, destination IP, and HeaderHost are correct, the user should be able to connect to pypi.org
Command: date;curl https://pypi.org/ -v --cacert squid_2.crt -k
Result: OK

2. Rejection of communication to pypi.org if SNI is correct but destination IP and HeaderHost are incorrect
Command: date;curl https://pypi.org/ --resolve pypi.org:443:182.22.24.252 -H "Host: www.yahoo.co.jp" -v --cacert squid_2.crt -k
Result: OK (409 Conflict is returned)

3. Rejection of communication to pypi.org if SNI and destination IP are correct and HeaderHost is incorrect
Command: date;curl https://pypi.org/ -H "Host: www.yahoo.co.jp" -v --cacert squid_2.crt -k
Result: OK (409 Conflict is returned)

4. Rejection of communication to pypi.org if SNI and HeaderHost are correct but destination IP is incorrect
Command: date;curl https://pypi.org/ --resolve pypi.org:443:182.22.24.252 -v --cacert squid_2.crt -k
Result: OK (409 Conflict is returned)

5. If SNI, destination IP, and HeaderHost are all invalid (yahoo.co.jp not registered in whitelist), communication will be rejected
Command: date;curl https://yahoo.co.jp/ -v --cacert squid_2.crt -k
Result: NG (301 Moved Permanently is returned, but it appears that the communication is reaching yahoo.co.jp)

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
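As an added illustration, not part of the post above and not Squid code, here is a small Python model of the checks the Requirements section asks the transparent proxy to perform (whitelist by domain, Host header must agree with the SNI, destination IP must be an address the SNI name resolves to), run over the five verification cases. The whitelist entry is the one from the post; the DNS answers and IP addresses are constructed and not the real addresses of pypi.org or yahoo.co.jp.

```python
import ipaddress

# Constructed stand-in for /etc/squid/whitelist. dstdomain syntax: a leading
# dot matches the domain itself and every subdomain of it.
WHITELIST = [".pypi.org"]

# Constructed stand-in for a resolver: FQDN -> set of A records
# (documentation ranges, not real answers).
FAKE_DNS = {
    "pypi.org": {"203.0.113.10", "203.0.113.11"},
    "www.yahoo.co.jp": {"198.51.100.20"},
    "yahoo.co.jp": {"198.51.100.21"},
}


def domain_allowed(name, whitelist=WHITELIST):
    """dstdomain-style match: '.example.org' matches example.org and any
    host under it; an entry without a leading dot matches only that host."""
    name = name.lower().rstrip(".")
    for entry in whitelist:
        entry = entry.lower()
        if entry.startswith("."):
            if name == entry[1:] or name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False


def check_request(sni, dst_ip, host_header, dns=FAKE_DNS):
    """Return (allowed, reason) for one intercepted TLS connection."""
    sni = sni.lower().rstrip(".")
    # Requirement: only whitelisted domains may be contacted, matched by name.
    if not domain_allowed(sni):
        return False, "SNI not in whitelist"
    # Requirement: reject if the Host header is invalid for this connection,
    # i.e. it names a different server than the TLS handshake asked for.
    if host_header.lower().rstrip(".") != sni:
        return False, "Host header does not match SNI"
    # Requirement: the intercepted destination IP must be one of the
    # addresses the SNI name resolves to (normalise the IP text first).
    if str(ipaddress.ip_address(dst_ip)) not in dns.get(sni, set()):
        return False, "destination IP is not an address of the SNI name"
    return True, "ok"
```

Case 5 in the post (SNI, destination IP and Host all belonging to yahoo.co.jp) is the one this model rejects at the whitelist step, before any Host or IP comparison is reached.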