Cannot access https site

Vieri
Hi,

My goal is to set up Squid so it can act as a transparent proxy for local clients browsing the web. It should "deny all" except traffic to the destination domains included in an ACL file.

This is my squid config:

http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range

acl intercepted myportname 3129
acl interceptedssl myportname 3130

acl allowed_domains dstdomain "/usr/local/share/proxy-settings/allowed.domains"

http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny !allowed_domains
http_access allow localnet

sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 10
ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
always_direct allow all

The ACL file allowed.domains contains:
.squid-cache.org
.stackexchange.com

When a client in localnet tries to access http://www.squid-cache.org, everything works fine, as expected.

However, when the same client tries to access https://stackexchange.com, the first SQUID error page says that access is denied to https://151.101.1.69/* (that's one of stackexchange's IP addresses).
How can I avoid this?

If I add 151.101.1.69 to allowed.domains I get a SQUID SSL handshake error page with https://*.stackexchange.com/* (bad write retry).

What am I doing wrong?

Also, would I have performance issues if the "allowed.domains" ACL file becomes very big over time?

Thanks,

Vieri
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Cannot access https site

Alex Rousskov
On 05/15/2017 09:53 AM, Vieri wrote:

> My goal is to set up Squid so it can act as a transparent proxy for
> local clients browsing the web. It should "deny all" except traffic
> to the destination domains included in an ACL file.

> http_access deny intercepted !localnet
> http_access deny interceptedssl !localnet
> http_access deny !allowed_domains
> http_access allow localnet
...
> ssl_bump stare all
> ssl_bump bump all


> What am I doing wrong?

You are denying fake CONNECT requests during SslBump step1. During that
step, intercepted SSL connections are represented by fake CONNECT
requests with IP addresses (not domain names). Such requests will often
match your "http_access deny !allowed_domains" rule. See "Step 1"
description at http://wiki.squid-cache.org/Features/SslPeekAndSplice

What you probably want is to allow all reasonable fake CONNECT requests
during that step. There are several ways to do that, and I hope others
on the list can help you with that if you cannot figure it out. Please
do not forget to post your Squid version if you need further help (and
use the latest v3.5 or later if you are doing SslBump, regardless of
what your OS packages for you).

Some other configuration aspects are (or may be considered by some)
wrong as well, but it is best to fix one SslBump problem at a time IMHO.


> Also, would I have performance issues if the "allowed.domains" ACL
> file becomes very big over time?

Naturally, the more domains you have, the slower ACL checks become. 1000
domains is not a problem, but 1000 million domains usually is. Define
"very big" and "performance issues".


HTH,

Alex.


Re: Cannot access https site

Vieri

> From: Alex Rousskov <[hidden email]>
>> My goal is to set up Squid so it can act as a transparent proxy for
>> local clients browsing the web. It should "deny all" except traffic
>> to the destination domains included in an ACL file.
>>
>> http_access deny intercepted !localnet
>> http_access deny interceptedssl !localnet
>> http_access deny !allowed_domains
>> http_access allow localnet
> ...
>> ssl_bump stare all
>> ssl_bump bump all
>
> You are denying fake CONNECT requests during SslBump step1. During that
> step, intercepted SSL connections are represented by fake CONNECT
> requests with IP addresses (not domain names). Such requests will often
> match your "http_access deny !allowed_domains" rule. See "Step 1"
> description at http://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> What you probably want is to allow all reasonable fake CONNECT requests
> during that step. There are several ways to do that

Hi,

Thanks for the explanation. I'm posting the whole squid.conf below as I wrongly left out some information in my first post. Sorry.
I didn't think I would have issues with CONNECT to 443 ports because I already had the default "http_access deny CONNECT !SSL_ports".
However, the ACL parsing doesn't stop there and goes on until it reaches "http_access deny !allowed_domains".
So I added the following explicit "allow" right before "deny":
http_access allow CONNECT SSL_ports
http_access deny !allowed_domains

So here's the full config:

# grep -v "^#" squid.conf | grep -v "^$"
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/squid.custom.rules
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# grep -v "^#" squid.custom.rules | grep -v "^$"
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
external_acl_type nt_group ttl=0 children-max=10 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/[hidden email]
auth_param negotiate children 60
auth_param negotiate keep_alive on
auth_param basic realm ORG proxy
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl ORG_all proxy_auth REQUIRED
acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130
acl interceptednormal myportname 3131
acl interceptedsslnormal myportname 3132
acl allowed_ips src "/usr/local/share/proxy-settings/allowed.ips"
acl allowed_groups external nt_group "/usr/local/share/proxy-settings/allowed.groups"
acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
acl allowed_domains dstdomain "/usr/local/share/proxy-settings/allowed.domains"
acl denied_ads url_regex "/usr/local/share/proxy-settings/denied.ads"
acl denied_filetypes urlpath_regex -i "/usr/local/share/proxy-settings/denied.filetypes"
acl restricted_ips src "/usr/local/share/proxy-settings/restricted.ips"
acl restricted_groups external nt_group "/usr/local/share/proxy-settings/restricted.groups"
acl restricted_domains dstdomain "/usr/local/share/proxy-settings/restricted.domains"
http_access deny restricted_ips !restricted_domains
http_access deny restricted_groups !restricted_domains
http_access deny denied_domains !allowed_groups !allowed_ips
http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
http_access deny denied_ads !allowed_groups !allowed_ips
http_access deny denied_filetypes !allowed_groups !allowed_ips
http_access deny explicit !ORG_all
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny interceptedsslnormal !localnet
http_access deny interceptednormal !localnet
http_access allow CONNECT SSL_ports
http_access deny !allowed_domains
cache_mgr [hidden email]
email_err_data on
error_directory /usr/share/squid/errors/ORG
append_domain .mydomain.org
http_access allow localnet
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 10
ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
always_direct allow all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service squidclamav respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access squidclamav allow all
include /etc/squid/squid.custom.common
include /etc/squid/squid.custom.hide
cache_dir diskd /var/cache/squid 100 16 256

# grep -v "^#" squid.custom.hide | grep -v "^$"
httpd_suppress_version_string on
dns_v4_first on
via off
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

So this setup is a mixed explicit/transparent proxy. Right now, I'm just trying to focus on the transparent part only.
The goal is to allow http/https traffic to allowed_domains only and to force content analysis via ICAP (clamav) of both http and https content.

The above config now seems to work and I can access sites listed in allowed_domains only. I just hope I got it all cleared out.

BTW I've seen the example at http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit where it suggests to use:

acl step1 at_step SslBump1
ssl_bump peek step1

Should I be using that instead of "ssl_bump stare all"?

Which "other configuration aspects are wrong", as you say?

Are you referring to "sslproxy_cert_error allow all" or are there more?

# squid -version
Squid Cache: Version 3.5.14
Service Name: squid
configure options:  '--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--libdir=/usr/lib' '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid' '--localstatedir=/var' '--with-pidfile=/run/squid.pid' '--datadir=/usr/share/squid' '--with-logdir=/var/log/squid' '--with-default-user=squid' '--enable-removal-policies=lru,heap' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-disk-io' '--enable-auth-basic=MSNT-multi-domain,NCSA,POP3,getpwnam,SMB,LDAP,PAM,RADIUS' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-ntlm=smb_lm' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=file_userip,session,unix_group,wbinfo_group,LDAP_group,eDirectory_userip,kerberos_ldap_group' '--enable-log-daemon-helpers' '--enable-url-rewrite-helpers' '--enable-cache-digests' '--enable-delay-pools' '--enable-eui' '--enable-icmp' '--enable-follow-x-forwarded-for' '--with-large-files' '--disable-strict-error-checking' '--disable-arch-native' '--with-ltdl-includedir=/usr/include' '--with-ltdl-libdir=/usr/lib' '--with-libcap' '--enable-ipv6' '--disable-snmp' '--with-openssl' '--with-nettle' '--with-gnutls' '--enable-ssl-crtd' '--disable-ecap' '--disable-esi' '--enable-htcp' '--enable-wccp' '--enable-wccpv2' '--enable-linux-netfilter' '--with-mit-krb5' '--without-heimdal-krb5' 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CC=i686-pc-linux-gnu-gcc' 'CFLAGS=-O2 -march=i686 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed' 'CXXFLAGS=-O2 -march=i686 -pipe' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig'

Thanks,

Vieri
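
The first-match evaluation Alex describes above and the "allow CONNECT SSL_ports" fix in this reply, as an added example that is not part of the thread or of Squid itself: a small Python model of how http_access lines are walked. It assumes the ACL names and rule order from the posted config, constructs its own traffic (151.101.1.69 is the address quoted in the first post; not-allowed.example is a placeholder), and models a step-1 fake CONNECT as a request whose destination is a bare IP, which a dstdomain ACL cannot match. The "tighter" rule set, which limits the exemption to the interceptedssl port, is an assumption added here, not something proposed in the thread.

```python
"""Toy first-match evaluator for Squid-style http_access rules.

Added example, not Squid code and not anything posted in the thread. It
models the semantics described in the replies: at SslBump step 1 an
intercepted TLS connection is represented by a fake CONNECT whose
destination is the server IP, so a dstdomain ACL cannot match it.
"""
from dataclasses import dataclass
import ipaddress

# Constructed allow-list with the two entries from the thread's allowed.domains.
ALLOWED_DOMAINS = [".squid-cache.org", ".stackexchange.com"]
LOCALNET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "fc00::/7")]


@dataclass
class Request:
    method: str
    dst: str            # domain name, or a bare IP for a step-1 fake CONNECT
    dst_port: int
    src_ip: str
    portname: str       # "3128" explicit, "3129" http tproxy, "3130" https tproxy
    authenticated: bool = False


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dstdomain(req, domains):
    # Squid dstdomain: ".example.com" matches example.com and every subdomain.
    # Assumption: a bare-IP destination yields no name in the list, so no match.
    if is_ip(req.dst):
        return False
    host = req.dst.lower()
    return any(host == d[1:] or host.endswith(d) if d.startswith(".") else host == d
               for d in domains)


ACLS = {
    "localnet": lambda r: any(ipaddress.ip_address(r.src_ip) in n for n in LOCALNET),
    "CONNECT": lambda r: r.method == "CONNECT",
    "SSL_ports": lambda r: r.dst_port == 443,
    "explicit": lambda r: r.portname == "3128",
    "intercepted": lambda r: r.portname == "3129",
    "interceptedssl": lambda r: r.portname == "3130",
    "ORG_all": lambda r: r.authenticated,
    "allowed_domains": lambda r: dstdomain(r, ALLOWED_DOMAINS),
}


def acl_matches(name, req):
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate


def http_access(rules, req):
    """Return (verdict, rule): the first line whose ACLs all match decides;
    if no line matches, Squid applies the opposite of the last line's action."""
    for rule in rules:
        action, *acls = rule.split()
        if all(acl_matches(a, req) for a in acls):
            return action, rule
    last_action = rules[-1].split()[0]
    return ("deny" if last_action == "allow" else "allow"), "(implicit default)"


# The original poster's ordering, reduced to the ACLs that matter here.
ORIGINAL = [
    "deny explicit !ORG_all",
    "deny intercepted !localnet",
    "deny interceptedssl !localnet",
    "deny !allowed_domains",
    "allow localnet",
]
# The poster's fix: let CONNECT to 443 through before the domain check.
FIXED = ORIGINAL[:3] + ["allow CONNECT SSL_ports"] + ORIGINAL[3:]
# Assumption (not from the thread): exempt only the intercepted TLS port,
# so an explicit CONNECT on 3128 is still subject to the domain check.
TIGHTER = ORIGINAL[:3] + ["allow interceptedssl CONNECT SSL_ports"] + ORIGINAL[3:]

# Constructed traffic. 151.101.1.69 is the address quoted in the first post.
STEP1 = Request("CONNECT", "151.101.1.69", 443, "192.168.1.10", "3130")
BUMPED_GET = Request("GET", "stackexchange.com", 443, "192.168.1.10", "3130")
PLAIN_GET = Request("GET", "www.squid-cache.org", 80, "192.168.1.10", "3129")
OTHER_GET = Request("GET", "not-allowed.example", 80, "192.168.1.10", "3129")
EXPLICIT_TUNNEL = Request("CONNECT", "not-allowed.example", 443, "192.168.1.10", "3128",
                          authenticated=True)

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED), ("tighter", TIGHTER)):
        for req in (STEP1, BUMPED_GET, PLAIN_GET, OTHER_GET, EXPLICIT_TUNNEL):
            verdict, rule = http_access(rules, req)
            print(f"{label:9} {req.method:7} {req.dst:20} port {req.portname} -> {verdict:5} via '{rule}'")
```

Running it shows the step-1 fake CONNECT stopped by "deny !allowed_domains" under the original order and admitted once the CONNECT line precedes it, while the decrypted GET (BUMPED_GET, modelling the re-check Squid performs on bumped requests) is still filtered by domain. It also shows why the exemption is worth scoping: with the fix as posted, an authenticated explicit CONNECT on port 3128, which carries no ssl-bump option in the config above, is allowed to a domain outside the list and is never re-checked, whereas the interceptedssl-scoped variant denies it.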

Re: Cannot access https site

Amos Jeffries
Administrator
On 16/05/17 19:54, Vieri wrote:
>
> Which "other configuration aspects are wrong", as you say? Are you
> referring to "sslproxy_cert_error allow all" or are there more?

The "always_direct allow all" is wrong: you do not have cache_peer, and
if you did, why would you prohibit using any of them for *all* traffic?

That "sslproxy_cert_error allow all" is the default, so useless to
configure - but not exactly wrong, just a waste of CPU and memory
setting up ACLs only to do nothing.

In a similar topic, many of the request_header_access rules are checking
for non-request headers (e.g. Title, WWW-Authenticate) or headers which
are not relayed (e.g. all the Proxy-* ones).

> # squid -version
> Squid Cache: Version 3.5.14

On 16/05/17 05:25, Alex Rousskov wrote:
>
> (and use the latest v3.5 or later if you are doing SslBump, regardless
> of what your OS packages for you).

The current release is 3.5.25 or 4.0.19. A lot has changed in the last
year in terms of both TLS practices and how SSL-Bump works to fit with
those.


Amos
