
Basic HTTPS filtering via CONNECT in Squid


Basic HTTPS filtering via CONNECT in Squid

Varun Singh
Hi,
I have Squid 3 installed on Ubuntu 16.04. It works perfectly as an
HTTP proxy server in transparent mode.
I wanted to know whether it can be configured to run as an HTTPS proxy
server without ssl-bump, i.e. without the 'man in the middle attack'
technique.

I read the documentation page of HTTPS support. It says that when a
browser comes across an HTTPS website, it opens a TCP tunnel through
Squid to the origin server using the CONNECT request method.
With this setting the server can filter URLs based on URL scheme, URL
path and query string. The payload is still encrypted.
After that the documentation goes on to explain how we can use
SSL-bump to decrypt the payload.

Now, I only want to set up a basic HTTPS proxy via CONNECT tunnel in which
you can only filter the URL path and query string. I am not looking to set up
SSL-bump but still want to set up Squid for HTTPS filtering. I'm not
able to find a good tutorial for that.
Every tutorial I have found points to setting up SSL-bump.

If any of you have done a setup like this before please help me.

Following is my squid configuration:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl blockads url_regex "/usr/local/squid/easylist"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny blockads
http_access allow all
http_port 3128 transparent
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern . 0 20% 4320

--
Regards,
Varun
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Basic HTTPS filtering via CONNECT in Squid

Amos Jeffries
Administrator
On 6/02/2017 6:10 p.m., Varun Singh wrote:
> Hi,
> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
> HTTP proxy server in transparent mode.
> I wanted to know whether it can be configured to run as HTTPS proxy
> server without ssl-bump i.e. without 'man in the middle attack'
> technique.

The Ubuntu package of squid/squid3 can tunnel CONNECT requests. That is
all. It has no support for anything more complicated.


>
> I read the documentation page of HTTPS support. It says that when a
> browser comes across an HTTPS website, it opens a TCP tunnel through
> Squid to the origin server using the CONNECT request method.
> With this setting the server can filter URLs based on URL scheme, URL
> path and query string. The payload is still encrypted.

What documentation? It is wrong, or you are misunderstanding it. The URL
path?query is definitely *not* available without decrypting.

FWIW the squid wiki page on HTTPS documents all three of the
installation types that are all called "HTTPS".


> After that the documentation goes on to explain how can we use
> SSL-bump to decrypt the payload.
>
> Now, I only want to set up a basic HTTPS proxy via CONNECT tunnel in which
> you can only filter the URL path and query string. I am not looking to set up
> SSL-bump but still want to set up Squid for HTTPS filtering. I'm not
> able to find a good tutorial for that.
> Every tutorial I have found points to setting up SSL-bump.

Because the only way to access more than hostname/IP and port is to decrypt.

Amos


Re: Basic HTTPS filtering via CONNECT in Squid

Varun Singh
On Mon, Feb 6, 2017 at 11:39 AM, Amos Jeffries <[hidden email]> wrote:

> On 6/02/2017 6:10 p.m., Varun Singh wrote:
>> Hi,
>> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
>> HTTP proxy server in transparent mode.
>> I wanted to know whether it can be configured to run as HTTPS proxy
>> server without ssl-bump i.e. without 'man in the middle attack'
>> technique.
>
> The Ubuntu package of squid/squid3 can tunnel CONNECT requests. That is
> all. It has no support for anything more complicated.
>
>
>>
>> I read the documentation page of HTTPS support. It says that when a
>> browser comes across an HTTPS website, it opens a TCP tunnel through
>> Squid to the origin server using the CONNECT request method.
>> With this setting the server can filter URLs based on URL scheme, URL
>> path and query string. The payload is still encrypted.
>
> What documentation? It is wrong, or you are misunderstanding it. The URL
> path?query is definitely *not* available without decrypting.
>
> FWIW the squid wiki page on HTTPS documents all three of the
> installation types that are all called "HTTPS".
>
>
>> After that the documentation goes on to explain how can we use
>> SSL-bump to decrypt the payload.
>>
>> Now, I only want to set up a basic HTTPS proxy via CONNECT tunnel in which
>> you can only filter the URL path and query string. I am not looking to set up
>> SSL-bump but still want to set up Squid for HTTPS filtering. I'm not
>> able to find a good tutorial for that.
>> Every tutorial I have found points to setting up SSL-bump.
>
> Because the only way to access more than hostname/IP and port is to decrypt.
>
> Amos
>


Hi,
Please find my reply inline:

> What documentation? It is wrong, or you are misunderstanding it. The URL
> path?query is definitely *not* available without decrypting.
>

Correct, I mis-read it.


> Because the only way to access more than hostname/IP and port is to decrypt.

Okay. In that case, I am okay with only being able to see hostname/IP and port.
But whenever I search for setting up HTTPS with Squid, I always come
across SSL-bump.
Could you point me to a tutorial which performs just a basic HTTPS setup?

What I have tried so far is configuring Squid to listen on port 3129
to expect HTTPS traffic. I did this by adding the following line to
squid.conf:

https_port 3129

Once this was done, I redirected all the traffic coming to port 443 to
port 3129 using iptables. This is because my clients connect to the proxy
via VPN.
But this had no effect. After connecting clients to the proxy, when I try
to access an HTTPS website, the clients get no response and nothing
shows in the access.log file. The browser behaves as if it could not
connect to the internet.

Please note that this setup works perfectly for HTTP requests. Only
HTTPS requests give problems.



FYI, by documentation I was referring to the link below:
http://wiki.squid-cache.org/Features/HTTPS


--
Regards,
Varun

Re: Basic HTTPS filtering via CONNECT in Squid

Amos Jeffries
Administrator
On 7/02/2017 2:46 a.m., Varun Singh wrote:

> On Mon, Feb 6, 2017 at 11:39 AM, Amos Jeffries wrote:
>
> Hi,
> Please find my reply inline:
>
>> What documentation? it is wrong, or you are misunderstanding it. The URL
>> path?query is definitely *not* available without decrypting.
>>
>
> Correct, I mis-read it.
>
>
>> Because the only way to access more than hostname/IP and port is to decrypt.
>
> Okay. In that case, I am okay with only being able to see hostname/IP and port.
> But whenever I search for setting up HTTPS with Squid, I always come
> across SSL-bump.
> Could you point me to a tutorial which performs just a basic HTTPS setup?

The Squid default config handles as much of HTTPS as can be handled
without the SSL-Bump feature.

>
> What I have tried so far is, configuring Squid to listen to port 3129
> to expect HTTPS traffic. I did this by adding following line to
> squid.conf:
>
> https_port 3129
>
> Once this was done, I redirected all the traffic coming to port 443 to
> port 3129 using iptables. This is because my clients connect to proxy
> via VPN.

Since you are intercepting port 443 that port is missing the 'intercept'
flag. Also, intercepting port 443 requires SSL-Bump.


> But this had no effect. After connecting clients to proxy, when I try
> to access an HTTPS website, the clients get no response and nothing
> shows in access.log file. The browser behaves as if it could not
> connect to internet.
>
> Please note that this setup works perfectly for HTTP requests. Only
> HTTPS requests give problems.
>

Port 80 (HTTP) and port 443 (HTTPS) have totally different transport
protocols. The port 443 one is designed to break when being intercepted.


>
> FYI, by documentation I was referring to below link:
> http://wiki.squid-cache.org/Features/HTTPS
>


Amos

Re: Basic HTTPS filtering via CONNECT in Squid

Varun Singh
On Tue, Feb 7, 2017 at 3:48 AM, Amos Jeffries <[hidden email]> wrote:

> On 7/02/2017 2:46 a.m., Varun Singh wrote:
>> On Mon, Feb 6, 2017 at 11:39 AM, Amos Jeffries wrote:
>>
>> Hi,
>> Please find my reply inline:
>>
>>> What documentation? it is wrong, or you are misunderstanding it. The URL
>>> path?query is definitely *not* available without decrypting.
>>>
>>
>> Correct, I mis-read it.
>>
>>
>>> Because the only way to access more than hostname/IP and port is to decrypt.
>>
>> Okay. In that case, I am okay with only being able to see hostname/IP and port.
>> But whenever I search for setting up HTTPS with Squid, I always come
>> across SSL-bump.
>> Could you point me to a tutorial which performs just a basic HTTPS setup?
>
> The Squid default config handles as much of HTTPS as can be handled
> without the SSL-Bump feature.
>
>>
>> What I have tried so far is, configuring Squid to listen to port 3129
>> to expect HTTPS traffic. I did this by adding following line to
>> squid.conf:
>>
>> https_port 3129
>>
>> Once this was done, I redirected all the traffic coming to port 443 to
>> port 3129 using iptables. This is because my clients connect to proxy
>> via VPN.
>
> Since you are intercepting port 443 that port is missing the 'intercept'
> flag. Also, intercepting port 443 requires SSL-Bump.
>
>
>> But this had no effect. After connecting clients to proxy, when I try
>> to access an HTTPS website, the clients get no response and nothing
>> shows in access.log file. The browser behaves as if it could not
>> connect to internet.
>>
>> Please note that this setup works perfectly for HTTP requests. Only
>> HTTPS requests give problems.
>>
>
> Port 80 (HTTP) and port 443 (HTTPS) have totally different transport
> protocols. The port 443 one is designed to break when being intercepted.
>
>
>>
>> FYI, by documentation I was referring to below link:
>> http://wiki.squid-cache.org/Features/HTTPS
>>
>
>
> Amos

Thanks Amos. Sorry I couldn't reply earlier.

So in this case, say I want to configure the HTTPS proxy from a
web browser directly and not through VPN. In that case there will be
no port forwarding involved and hence 443 shouldn't break. To achieve
this, what configuration will have to be set in the squid.conf file? I am
assuming we will have to at least provide a port number by adding
'https_port 3129'. Is there anything else I will have to do?

Thanks for your help.



--
Regards,
Varun

Re: Basic HTTPS filtering via CONNECT in Squid

Varun Singh


On Friday, February 10, 2017, Varun Singh <[hidden email]> wrote:
On Tue, Feb 7, 2017 at 3:48 AM, Amos Jeffries <squid3@...> wrote:
> On 7/02/2017 2:46 a.m., Varun Singh wrote:
>> On Mon, Feb 6, 2017 at 11:39 AM, Amos Jeffries wrote:
>>
>> Hi,
>> Please find my reply inline:
>>
>>> What documentation? it is wrong, or you are misunderstanding it. The URL
>>> path?query is definitely *not* available without decrypting.
>>>
>>
>> Correct, I mis-read it.
>>
>>
>>> Because the only way to access more than hostname/IP and port is to decrypt.
>>
>> Okay. In that case, I am okay with only being able to see hostname/IP and port.
>> But whenever I search for setting up HTTPS with Squid, I always come
>> across SSL-bump.
>> Could you point me to a tutorial which performs just a basic HTTPS setup?
>
> The Squid default config handles as much of HTTPS as can be handled
> without the SSL-Bump feature.
>
>>
>> What I have tried so far is, configuring Squid to listen to port 3129
>> to expect HTTPS traffic. I did this by adding following line to
>> squid.conf:
>>
>> https_port 3129
>>
>> Once this was done, I redirected all the traffic coming to port 443 to
>> port 3129 using iptables. This is because my clients connect to proxy
>> via VPN.
>
> Since you are intercepting port 443 that port is missing the 'intercept'
> flag. Also, intercepting port 443 requires SSL-Bump.
>
>
>> But this had no effect. After connecting clients to proxy, when I try
>> to access an HTTPS website, the clients get no response and nothing
>> shows in access.log file. The browser behaves as if it could not
>> connect to internet.
>>
>> Please note that this setup works perfectly for HTTP requests. Only
>> HTTPS requests give problems.
>>
>
> Port 80 (HTTP) and port 443 (HTTPS) have totally different transport
> protocols. The port 443 one is designed to break when being intercepted.
>
>
>>
>> FYI, by documentation I was referring to below link:
>> http://wiki.squid-cache.org/Features/HTTPS
>>
>
>
> Amos

Thanks Amos. Sorry I couldn't reply earlier.

So in this case, say I want to configure the HTTPS proxy from a
web browser directly and not through VPN. In that case there will be
no port forwarding involved and hence 443 shouldn't break. To achieve
this, what configuration will have to be set in the squid.conf file? I am
assuming we will have to at least provide a port number by adding
'https_port 3129'. Is there anything else I will have to do?

Thanks for your help.



--
Regards,
Varun

I found this post on a StackExchange forum which is exactly what I want:


The answer points to installing a CA on the client.
Does this mean that even if I don't want the Squid-in-the-middle approach, my clients would still have to install a certificate?


--
Regards,
Varun Singh
Sr. Software Engineer | m: +91 20 4671 2290 | Great Software Laboratory


Re: Basic HTTPS filtering via CONNECT in Squid

Amos Jeffries
Administrator
On 12/02/2017 7:40 p.m., Varun Singh wrote:
>
> The answer points to installing a CA on the client.

The question was about how to get browsers talking TLS *directly to a
Squid reverse-proxy*. Your Ubuntu package is not capable of that and you
are not using a reverse-proxy.

> Does this mean even if I don't want Squid-in-the-middle approach, my
> clients would still have to install a certificate?

No. It is irrelevant to your situation.


You began this thread with a simple question:

> Hi,
> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
> HTTP proxy server in transparent mode.
> I wanted to know whether it can be configured to run as HTTPS proxy
> server without ssl-bump i.e. without 'man in the middle attack'
> technique.


Everything you have been asking about since then is various ways to do
parts of the SSL-bump process. Which does not fit very well with the
"without ssl-bump" requirement.

Simply put: if you are not going to SSL-Bump then you can discard any
thoughts of doing things with the HTTPS messages or port 443 traffic.

If you have changed your mind and want to use SSL-Bump now, please
re-describe what you want to actually happen now.

Amos


Re: Basic HTTPS filtering via CONNECT in Squid

Varun Singh
On Feb 12, 2017 2:21 PM, "Amos Jeffries" <[hidden email]> wrote:
On 12/02/2017 7:40 p.m., Varun Singh wrote:
>
> The answer points to installing a CA on client.

The question was about how to get browsers talking TLS *directly to a
Squid reverse-proxy*. Your Ubuntu package is not capable of that and you
are not using a reverse-proxy.

> Does this mean even if I don't want Squid-in-the-middle approach, my
> clients would still have to install a certificate?

No. It is irrelevant to your situation.


You began this thread with a simple question:

> Hi,
> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
> HTTP proxy server in transparent mode.
> I wanted to know whether it can be configured to run as HTTPS proxy
> server without ssl-bump i.e. without 'man in the middle attack'
> technique.


Everything you have been asking about since then is various ways to do
parts of the SSL-bump process. Which does not fit very well with the
"without ssl-bump" requirement.

Simply put: if you are not going to SSL-Bump then you can discard any
thoughts of doing things with the HTTPS messages or port 443 traffic.

If you have changed your mind and want to use SSL-Bump now, please
re-describe what you want to actually happen now.

Amos


Hi,
Simply put, my question has three parts:
1. Can Squid be configured as an HTTPS proxy server without SSL-Bump?
2. If yes, then what other configurations have to be performed other than "https_port XXXX"?
3. In this configuration, can Squid filter HTTPS requests from an ACL?


Thanks for your help in advance.

--
Regards,
Varun


Re: Basic HTTPS filtering via CONNECT in Squid

Amos Jeffries
Administrator
On 12/02/2017 11:51 p.m., Varun Singh wrote:

> On Feb 12, 2017 2:21 PM, "Amos Jeffries" <[hidden email]> wrote:
>
> On 12/02/2017 7:40 p.m., Varun Singh wrote:
>>
>> The answer points to installing a CA on client.
>
> The question was about how to get browsers talking TLS *directly to a
> Squid reverse-proxy*. Your Ubuntu package is not capable of that and you
> are not using a reverse-proxy.
>
>> Does this mean even if I don't want Squid-in-the-middle approach, my
>> clients would still have to install a certificate?
>
> No. It is irrelevant to your situation.
>
>
> You began this thread with a simple question:
>
>> Hi,
>> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
>> HTTP proxy server in transparent mode.
>> I wanted to know whether it can be configured to run as HTTPS proxy
>> server without ssl-bump i.e. without 'man in the middle attack'
>> technique.
>
>
> Everything you have been asking about since then is various ways to do
> parts of the SSL-bump process. Which does not fit very well with the
> "without ssl-bump" requirement.
>
>
> Simply put: if you are not going to SSL-Bump then you can discard any
> thoughts of doing things with the HTTPS messages or port 443 traffic.
>
> If you have changed your mind and want to use SSL-Bump now, please
> re-describe what you want to actually happen now.
>

You have not described what you want to happen. Just asked how to do
this unknown thing...

>
> Hi,
> Simply put, my question has three parts:
> 1. Can Squid be configured as an HTTPS proxy server without SSL-Bump?


* The term "HTTPS" is a generic term used to simultaneously describe two
completely different traffic syntaxes (CONNECT tunnels, and port 443 TLS).

* There are three proxy operating "modes" which may receive each of
those types of traffic (explicit/forward, intercept/tproxy, and
reverse/CDN/accel).

* For each type of traffic one mode is invalid, leaving 2x2 = 4 different
sets of operations all called "proxying HTTPS".

* All 4 of those ways may be done with or without the SSL-Bump feature.

When not using SSL-Bump 2 of the ways of "proxying HTTPS" will work, 2
will not.

When using SSL-Bump the non-working ways of "proxying HTTPS" will start
working, and the working ways will have an extra permutation of splice
vs bump operation that can happen. Extending the possibilities to be 6
ways of "proxying HTTPS".


So the answer(s) to your first question are:

yes, no.  yes, no.  no, yes.



> 2. If yes, then what other configurations have to be performed other than
> "https_port XXXX"?

For the cases where the #1 answer was "yes" and not "no".

a) An explicit/forward or intercept proxy not using ssl-bump and
receiving CONNECT requests does not need any special configuration to
"proxy HTTPS". The proxy will simply enact the requested opaque tunnel
in accordance with HTTP rules.

b) A reverse proxy requires the 'accel' mode flag, and the cert= option
must load the cert for the domain you are hosting on that port, and the
key= option must load the private key for that certificate.

c) All other modes will not work without the SSL-Bump feature.



> 3. In this configuration, can Squid filter HTTPS requests from ACL?
>

That depends on the meaning of "this". There are 3 different
configurations in the answer to #2.

For (2a) - no. Only the CONNECT request can be filtered.

For (2b) - yes. BUT, notice that it requires private key data for certs.
This configuration is only usable when _you own the domain_ which the
client is visiting.

For (2c) - SSL-Bump feature is the mechanism which enables https://
filtering for all traffic modes other than that described by (2b).
Without using that feature - no.


Do you understand now why every path you have tried ends up with how-tos
for configuring SSL-Bump?

HTH
Amos

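Case (2a) from Amos's answer, written out as an added squid.conf fragment (it is not from the thread or from the Squid project): an explicit forward proxy that tunnels CONNECT requests without SSL-Bump and filters them on the only fields it can see, the destination host and port. The client range, the blocked domain names, the IP address and the sample access.log lines are constructed placeholders.

```conf
# Explicit (forward) proxy only: browsers are pointed at port 3128.
# No https_port and no ssl-bump here, so Squid never terminates TLS;
# an HTTPS site simply becomes "CONNECT www.example.com:443".
http_port 3128

# Clients allowed to use the proxy (constructed example range).
acl localnet src 10.0.0.0/8

# Same port hygiene as the Squid default config.
acl Safe_ports port 80 21 443 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT

# Destinations to refuse. dstdomain is compared with the host in the
# CONNECT request line, which is all the proxy sees of an HTTPS exchange;
# a leading dot also matches subdomains. Names are constructed placeholders.
acl blocked_sites dstdomain .ads.example .tracker.example

# Order matters: deny rules first, then allow our clients, then deny all
# (never "allow all" on a port reachable from outside the client range).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_sites
http_access allow localnet
http_access deny all

# Why a url_regex list of paths (as in the original easylist ACL) cannot
# filter HTTPS: for a CONNECT request the URL Squid matches against is only
# the authority "www.example.com:443". Path and query never appear, as the
# constructed access.log lines below show (allowed tunnel, then a deny):
#   1486366000.123    245 10.0.0.5 TCP_TUNNEL/200 3456 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
#   1486366001.456      0 10.0.0.5 TCP_DENIED/403 3900 CONNECT ads.example:443 - HIER_NONE/- text/html
```

The same ACL also covers plain-HTTP requests, where it is matched against the Host of the absolute URL, so one deny list serves both schemes.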

Re: Basic HTTPS filtering via CONNECT in Squid

Varun Singh


On Feb 12, 2017 5:43 PM, "Amos Jeffries" <[hidden email]> wrote:
On 12/02/2017 11:51 p.m., Varun Singh wrote:
> On Feb 12, 2017 2:21 PM, "Amos Jeffries" <[hidden email]> wrote:
>
> On 12/02/2017 7:40 p.m., Varun Singh wrote:
>>
>> The answer points to installing a CA on client.
>
> The question was about how to get browsers talking TLS *directly to a
> Squid reverse-proxy*. Your Ubuntu package is not capable of that and you
> are not using a reverse-proxy.
>
>> Does this mean even if I don't want Squid-in-the-middle approach, my
>> clients would still have to install a certificate?
>
> No. It is irrelevant to your situation.
>
>
> You began this thread with a simple question:
>
>> Hi,
>> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
>> HTTP proxy server in transparent mode.
>> I wanted to know whether it can be configured to run as HTTPS proxy
>> server without ssl-bump i.e. without 'man in the middle attack'
>> technique.
>
>
> Everything you have been asking about since then is various ways to do
> parts of the SSL-bump process. Which does not fit very well with the
> "without ssl-bump" requirement.
>
>
> Simply put: if you are not going to SSL-Bump then you can discard any
> thoughts of doing things with the HTTPS messages or port 443 traffic.
>
> If you have changed your mind and want to use SSL-Bump now, please
> re-describe what you want to actually happen now.
>

You have not described what you want to happen. Just asked how to do
this unknown thing...

I want to implement a URL filter using a proxy server. My clients will use this server either from their web browsers or via a strongSwan IPsec VPN server. If they use the proxy server via the VPN server, their VPN profile will have HTTP and HTTPS proxy server configuration.

This proxy server will filter HTTP and HTTPS websites based on the ACL provided. For security reasons, I want to avoid using SSL-bump.


>
> Hi,
> Simply put, my question has three parts:
> 1. Can Squid be configured as an HTTPS proxy server without SSL-Bump?


* The term "HTTPS" is a generic term used to simultaneously describe two
completely different traffic syntaxes (CONNECT tunnels, and port 443 TLS).

* There are three proxy operating "modes" which may receive each of
those types of traffic (explicit/forward, intercept/tproxy, and
reverse/CDN/accel).

* For each type of traffic one mode is invalid, leaving 2x2 = 4 different
sets of operations all called "proxying HTTPS".

This means the combinations are:
#1 CONNECT - explicit/forward
#2 443 TLS - explicit/forward

#3 CONNECT - intercept/tproxy
#4 443 TLS - intercept/tproxy

#5 CONNECT - reverse/CDN/accel
#6 443 TLS - reverse/CDN/accel

One of the modes in each type is invalid. So, from Squid's HTTPS feature page, it looks like my scenario falls in either #1 or #3.

* All 4 of those ways may be done with or without the SSL-Bump feature.

When not using SSL-Bump 2 of the ways of "proxying HTTPS" will work, 2
will not.

When using SSL-Bump the non-working ways of "proxying HTTPS" will start
working, and the working ways will have an extra permutation of splice
vs bump operation that can happen. Extending the possibilities to be 6
ways of "proxying HTTPS".


So the answer(s) to your first question are:

yes, no.  yes, no.  no, yes.



> 2. If yes, then what other configurations have to be performed other than
> "https_port XXXX"?

For the cases where the #1 answer was "yes" and not "no".

a) An explicit/forward or intercept proxy not using ssl-bump and
receiving CONNECT requests does not need any special configuration to
"proxy HTTPS". The proxy will simply enact the requested opaque tunnel
in accordance with HTTP rules.

So this means that other than specifying "https_port XXXX" no other config is needed.
When I set up Squid with just "https_port xxxx" and configured Firefox to use my proxy server for HTTP and HTTPS, it worked fine for HTTP but for HTTPS it gave "Proxy server rejected connection".

So either something is wrong in my squid.conf or my assumption that my scenario falls in #1 or #3 is incorrect.


b) A reverse proxy requires the 'accel' mode flag, and the cert= option
must load the cert for the domain you are hosting on that port, and the
key= option must load the private key for that certificate.

c) All other modes will not work without the SSL-Bump feature.



> 3. In this configuration, can Squid filter HTTPS requests from ACL?
>

That depends on the meaning of "this". There are 3 different
configurations in the answer to #2.

For (2a) - no. Only the CONNECT request can be filtered.

From the links below it looks like the destination IP address or hostname of a CONNECT request is the same as that of the HTTPS request. Is that correct?




For (2b) - yes. BUT, notice that it requires private key data for certs.
This configuration is only usable when _you own the domain_ which the
client is visiting.

For (2c) - SSL-Bump feature is the mechanism which enables https://
filtering for all traffic modes other than that described by (2b).
Without using that feature - no.


Do you understand now why every path you have tried ends up with how-tos
for configuring SSL-Bump?

Yes, thanks for the elaborate explanation.


HTH
Amos

Re: Basic HTTPS filtering via CONNECT in Squid

Eliezer Croitoru
Hey Varun,

Filtering content based on the URL level\layer of the connection is not possible without SSL-bump.
Therefore you must use SSL-bump for some aspect of the connections.
However you can selectively choose which destinations would be bumped and which are not.
Most current browsers support SNI, which allows Squid to some degree to decide whether to fully bump the connection to the URL level or to only proxy the connection at the TCP level.
As simple as it sounds, URL level filtering requires full SSL-bump, and TCP and basic TLS level filtering will not require you to fully utilize SSL-bump but will require you to fully set up Squid for SSL-bump.

This is the place to clarify that SNI based filtering is not 100% bulletproof and it could be exploited to override, in a way, your basic SNI based SSL level filtering.

Do you have specific sites that you want to filter at the URL level or just globally?
The answer to the above question will guide us towards what might be the right path for your solution (which could be full SSL-BUMP or partial).

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of Varun Singh
Sent: Monday, February 13, 2017 5:37 AM
To: Amos Jeffries <[hidden email]>
Cc: [hidden email]
Subject: Re: [squid-users] Basic HTTPS filtering via CONNECT in Squid



On Feb 12, 2017 5:43 PM, "Amos Jeffries" <[hidden email]> wrote:
On 12/02/2017 11:51 p.m., Varun Singh wrote:

> On Feb 12, 2017 2:21 PM, "Amos Jeffries" <[hidden email]> wrote:
>
> On 12/02/2017 7:40 p.m., Varun Singh wrote:
>>
>> The answer points to installing a CA on client.
>
> The question was about how to get browsers talking TLS *directly to a
> Squid reverse-proxy*. Your Ubuntu package is not capable of that and you
> are not using a reverse-proxy.
>
>> Does this mean even if I don't want Squid-in-the-middle approach, my
>> clients would still have to install a certificate?
>
> No. It is irrelevant to your situation.
>
>
> You began this thread with a simple question:
>
>> Hi,
>> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
>> HTTP proxy server in transparent mode.
>> I wanted to know whether it can be configured to run as HTTPS proxy
>> server without ssl-bump i.e. without 'man in the middle attack'
>> technique.
>
>
> Everything you have been asking about since then is various ways to do
> parts of the SSL-bump process. Which does not fit very well with the
> "without ssl-bump" requirement.
>
>
> Simply put: if you are not going to SSL-Bump then you can discard any
> thoughts of doing things with the HTTPS messages or port 443 traffic.
>
> If you have changed your mind and want to use SSL-Bump now, please
> re-describe what you want to actually happen now.
>
You have not described what you want to happen. Just asked how to do
this unknown thing...

I want to implement a URL filter using a proxy server. My clients will use this server either from their web browsers or via a strongSwan IPsec VPN server. If they use the proxy server via the VPN server, their VPN profile will have HTTP and HTTPS proxy server configuration.

This proxy server will filter HTTP and HTTPS websites based on the ACL provided. For security reasons, I want to avoid using SSL-bump.


>
> Hi,
> Simply put, my question has three parts:
> 1. Can Squid be configured as an HTTPS proxy server without SSL-Bump?

* The term "HTTPS" is a generic term used to simultaneously describe two
completely different traffic syntaxes (CONNECT tunnels, and port 443 TLS).

* There are three proxy operating "modes" which may receive each of
those types of traffic (explicit/forward, intercept/tproxy, and
reverse/CDN/accel).

* For each type of traffic one mode is invalid, leaving 2x2= 4 different
sets of operations all called "proxying HTTPS".

This means the combinations are:
#1 CONNECT - explicit/forward
#2 443 TLS - explicit/forward

#3 CONNECT - intercept/tproxy
#4 443 TLS - intercept/tproxy

#5 CONNECT - reverse/CDN/accel
#6 443 TLS - reverse/CDN/accel

One of the modes in each type is invalid. So, from Squid's HTTPS feature page, it looks like my scenario falls either in #1 or #3.

* all 4 of those ways may be done with or without SSL-Bump feature.

When not using SSL-Bump 2 of the ways of "proxying HTTPS" will work, 2
will not.

When using SSL-Bump the non-working ways of "proxying HTTPS" will start
working, and the working ways will have an extra permutation of splice
vs bump operation that can happen. Extending the possibilities to be 6
ways of "proxying HTTPS".


So the answer(s) to your first question are:

yes, no.  yes, no.  no, yes.



> 2. If yes, then what other configurations have to be performed other than
> "https_port XXXX"?
For the cases where the #1 answer was "yes" and not "no".

a) An explicit/forward or intercept proxy not using ssl-bump and
receiving CONNECT requests does not need any special configuration to
"proxy HTTPS". The proxy will simply enact the requested opaque tunnel
in accordance to HTTP rules.

So this means other than specifying "https_port XXXX" no other config is needed.
When I set up Squid with just "https_port xxxx" and configured Firefox to use my proxy server for HTTP and HTTPS, it worked fine for HTTP but for HTTPS it gave "Proxy server rejected connection".

So either something is wrong in my squid.conf or my assumption is incorrect that my scenario falls in #1 or #3.


b) A reverse proxy requires the 'accel' mode flag, and the cert= option
must load the cert for the domain you are hosting on that port, and the
key= option must load the private key for that certificate.

c) all other modes will not work without SSL-Bump feature.



> 3. In this configuration, can Squid filter HTTPS requests from ACL?
>
That depends on the meaning of "this". There are 3 different
configurations in the answer to #2.

For (2a) - no. Only the CONNECT request can be filtered.

From the links below it looks like the destination IP address or hostname of a CONNECT request is the same as that of the HTTPS request. Is that correct?

https://en.m.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling

http://stackoverflow.com/a/11698002/548403


For (2b) - yes. BUT, notice that it requires private key data for certs.
This configuration is only usable when _you own the domain_ which the
client is visiting.

For (2c) - SSL-Bump feature is the mechanism which enables https://
filtering for all traffic modes other than that described by (2b).
Without using that feature - no.


Do you understand now why every path you have tried ends up with how-tos
for configuring SSL-Bump?

Yes, thanks for the elaborate explanation.


HTH
Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Basic HTTPS filtering via CONNECT in Squid

Varun Singh
On Mon, Feb 13, 2017 at 12:04 PM, Eliezer Croitoru <[hidden email]> wrote:

>
> Hey Varun,
>
> Filtering content based on the URL level\layer of the connection is not possible without SSL-bump.
> Therefore you must use SSL-bump for some aspect of the connections.
> However you can selectively choose which destinations would be bumped and which are not.
> Most current browsers support SNI, which allows Squid to some degree to decide whether to fully bump the connection to the URL level or to only proxy the connection at the TCP level.
> As simple as it sounds, URL level filtering requires full SSL-bump, and TCP and basic TLS level filtering will not require you to fully utilize SSL-bump but will require you to fully set up Squid for SSL-bump.
>
> This is the place to clarify that SNI based filtering is not 100% bullet proof and it could be exploited to override in a way your basic SNI based SSL level filtering.
>
> Do you have specific sites that you want to filter in the URL level or just globally?
> The answer to the above question will guide us towards what might be the right path for your solution(which could be full SSL-BUMP or partial).
>
> Eliezer
>
> ----
> http://ngtech.co.il/lmgtfy/
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: [hidden email]
>

Thanks for your reply Eliezer. As I understand, if I want to filter
HTTPS websites based on only hostname/IP-Address, I will still have to
configure SSL-bump. However, I may not have to use the complete
feature in order to do so. Moreover, I can choose which website to
apply SSL-bump to.
Am I correct in my assumptions?


> This is the place to clarify that SNI based filtering is not 100% bullet proof and it could be exploited to override in a way your basic SNI based SSL level filtering.

The SNI solution may work with web browsers but my solution is also
targeting clients connecting to the proxy via VPN. I think SNI won't
work in that case. Is that right?

>
> Do you have specific sites that you want to filter in the URL level or just globally?

I have a list of URL regexes. I have to filter HTTPS websites whose
URLs match the regex pattern.

> The answer to the above question will guide us towards what might be the right path for your solution(which could be full SSL-BUMP or partial).



--
Thanks,
Varun
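Added example (not code from this thread, from Amos, Eliezer or the Squid project) illustrating the two points made above: in an explicit proxy without SSL-Bump the only thing Squid can filter is the CONNECT request, whose "URL" is just host:port, and with a peek at the first SslBump step the only extra data is the SNI from the TLS ClientHello. The dstdomain matching follows Squid's documented leading-dot semantics; the function names, the blocked-domain list, the EasyList-style path patterns and the build_client_hello() helper that constructs a minimal ClientHello are all assumptions made for this demo. It shows why a url_regex list written against URL paths never matches an https:// site at the CONNECT level, while a dstdomain list does.

```python
"""Model of what a non-bumping Squid can see when a client opens an https:// URL.

Explicit/forward mode: Squid receives "CONNECT host:port HTTP/1.1", so the only
filterable data is the CONNECT target (host and port).
Intercept mode with a peek at SslBump step 1: Squid reads the TLS ClientHello and
its SNI without decrypting anything. In neither case is the path or query visible.
"""
import re
import struct
from typing import Iterable, Optional, Tuple


def parse_connect_target(request_line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a CONNECT request line, or None for anything else."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    authority = parts[1]
    if authority.startswith("["):                # IPv6 literal such as [2001:db8::1]:443
        host, _, rest = authority[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, sep, port = authority.rpartition(":")
        if not sep:                              # no port at all
            return None
    if not host or not port.isdigit():
        return None
    return host.lower(), int(port)


def dstdomain_match(host: str, patterns: Iterable[str]) -> bool:
    """Squid 'dstdomain' semantics: '.example.com' matches the domain and every
    subdomain, 'example.com' matches only that exact name."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def url_regex_match(host: str, port: int, regexes: Iterable[str]) -> bool:
    """Apply url_regex patterns to the only 'URL' a CONNECT request exposes, host:port.
    A pattern written for a path or query (e.g. '/adserver/') can never match here."""
    url = f"{host}:{port}"
    return any(re.search(r, url) for r in regexes)


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Read server_name from a TLS ClientHello record; no key material is needed.
    Returns None for anything that is not a well-formed ClientHello carrying SNI."""
    try:
        if client_hello[0] != 0x16 or client_hello[5] != 0x01:   # record / handshake type
            return None
        pos = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
        pos += 1 + client_hello[pos]             # session id
        cs_len = struct.unpack("!H", client_hello[pos:pos + 2])[0]
        pos += 2 + cs_len                        # cipher suites
        pos += 1 + client_hello[pos]             # compression methods
        ext_len = struct.unpack("!H", client_hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", client_hello[pos:pos + 4])
            pos += 4
            if etype == 0:                       # server_name extension
                body = client_hello[pos:pos + elen]
                name_len = struct.unpack("!H", body[3:5])[0]   # list len(2), type(1), len(2)
                return body[5:5 + name_len].decode("ascii").lower()
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with one SNI entry (demo input only)."""
    name = sni.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_body)) + sni_body
    body = (b"\x03\x03" + b"\x00" * 32           # client_version, all-zero random
            + b"\x00"                            # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f" # one cipher suite
            + b"\x01\x00"                        # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def connect_decision(request_line: str, blocked: Iterable[str], path_regexes: Iterable[str]) -> dict:
    """What an explicit proxy without SSL-Bump can decide for one CONNECT request."""
    target = parse_connect_target(request_line)
    if target is None:
        return {"connect": False}
    host, port = target
    return {"connect": True, "host": host, "port": port,
            "dstdomain_deny": dstdomain_match(host, blocked),
            "url_regex_deny": url_regex_match(host, port, path_regexes)}


if __name__ == "__main__":
    blocked = [".ads.example"]                                 # constructed dstdomain list
    easylist_like = [r"/adserver/", r"^https?://.*\?ad_id="]   # constructed path-style patterns
    print(connect_decision("CONNECT tracker.ads.example:443 HTTP/1.1", blocked, easylist_like))
    print(extract_sni(build_client_hello("tracker.ads.example")))
```

Both the CONNECT target and the SNI are values the client supplies, so a filter at this level can only decide whether to open the tunnel to that name; it cannot see or check what is carried inside it, which is the limitation Eliezer's "not 100% bullet proof" remark refers to.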