Fwd: Https blocked sites getting ssl error , with connection abruptly ending - Peek and splice feature

Fwd: Https blocked sites getting ssl error , with connection abruptly ending - Peek and splice feature

bandeep2000
Hi Everyone,

I have configured a Squid proxy with HTTPS whitelisted sites using the SSL bump peek and splice feature in transparent mode.
Although non-whitelisted sites are getting blocked, it is not graceful: there is an 'SSL connect error' and no 403 message (using curl). For HTTP it is working fine, with Access Denied and a 403 HTTP error code.

Using ssl_bump 'terminate all' seems to abruptly stop the connection, which might cause issues in our application.

Is there a way to terminate the connection gracefully with an access denied message (403 error code), just like it does for HTTP?

Non-whitelisted HTTPS site error:

curl -I https://nba.com
curl: (35) SSL connect error


Non-whitelisted HTTP site:

c5278791@ban-squid-client22 ~]$ curl -I http://nba.com
HTTP/1.1 403 Forbidden
Server: squid/3.5.28
Mime-Version: 1.0
Date: Fri, 25 Jan 2019 17:01:38 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3574
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from squid
Via: 1.1 squid (squid/3.5.28)
Connection: keep-alive


Whitelisted HTTPS site works fine:

curl -I https://cnn.com
HTTP/1.1 301 Moved Permanently
Server: Varnish
Retry-After: 0
Content-Length: 0
Cache-Control: public, max-age=600
Location: https://www.cnn.com/
Accept-Ranges: bytes
Date: Fri, 25 Jan 2019 17:00:08 GMT
Via: 1.1 varnish
Connection: close
Set-Cookie: countryCode=US; Domain=.cnn.com; Path=/
Set-Cookie: geoData=mountain view|CA|94043|US|NA; Domain=.cnn.com; Path=/
X-Served-By: cache-sea1038-SEA
X-Cache: HIT
X-Cache-Hits: 0

squid.conf details:

visible_hostname squid

cache deny all

#Handling HTTP requests
http_port 3128 intercept
acl allowed_http_sites dstdomain .amazonaws.com .bbc.com
#acl allowed_http_sites dstdomain [you can add other domains to permit]
http_access allow allowed_http_sites

#Handling HTTPS requests
https_port 3130 cert=/etc/pki/tls/certs/squidCA.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com .cnn.com .yahoo.com .bbc.com
#acl allowed_https_sites ssl::server_name [you can add other domains to permit]
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump splice allowed_https_sites
#ssl_bump peek step2 all
ssl_bump terminate all

http_access deny all


Squid version:

squid -v
Squid Cache: Version 3.5.28
Service Name: squid
This binary uses OpenSSL 1.0.1e-fips 11 Feb 2013. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options:  '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-openssl' '--enable-ssl-crtd' --enable-ltdl-convenien


OS version:

cat /etc/redhat-release
CentOS release 6.10 (Final)

Thanks,
-Bandeep

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Fwd: Https blocked sites getting ssl error , with connection abruptly ending - Peek and splice feature

Alex Rousskov
On 1/25/19 10:18 AM, bandeep2000 wrote:

> Have configured squid proxy with https whitelisted sites using ssl bump,
> peek and splice feature in transparent mode.


> Is there a way to terminate the connection with access denied message
> gracefully(with 403 error code)

Yes, there is, but it comes at a price: If you want to serve an HTTP
response to the TLS client, you must bump the client connection.
Actually, Squid will bump on errors automatically for you if you do
_not_ tell it to terminate the TLS connection in ssl_bump rules and rely
on http_access for access control instead. Here is an incomplete and
untested sketch to illustrate the idea:

  ssl_bump peek all
  ssl_bump splice all

  ... add rules to allow step1 CONNECT requests here ...
  http_access allow allowed_http_sites
  http_access deny all

Alex.
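Below is a fuller version of the sketch in Alex's reply, added here as an example; it is not taken from the thread or from the Squid project's documentation. It keeps the poster's ports, CA file and ACL names, and moves the deny decision from ssl_bump into http_access so that Squid bumps a denied client connection and answers with its ERR_ACCESS_DENIED page instead of cutting the TLS handshake. Assumptions, marked in the comments: the ssl_crtd helper path (derived from the --libexecdir in the configure options above), the certificate database directory, and that at_step does not match plain-HTTP requests, so the step1 allow rule does not loosen the HTTP whitelist. Because the error page is served over a certificate that Squid mints and signs with squidCA.pem, clients will only see the 403 if they trust that CA; anything else gets a certificate error rather than a reset.

```conf
visible_hostname squid
cache deny all

# Plain HTTP, intercepted. Unchanged from the original configuration.
http_port 3128 intercept
acl allowed_http_sites dstdomain .amazonaws.com .bbc.com

# Intercepted TLS. generate-host-certificates is made explicit because Squid
# must mint a certificate for the SNI name when it bumps a denied connection
# to serve the error page. The ssl_crtd path and ssl_db directory are
# assumptions based on --libexecdir=/usr/lib/squid above.
https_port 3130 intercept ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB cert=/etc/pki/tls/certs/squidCA.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl step1 at_step SslBump1
acl allowed_https_sites ssl::server_name .amazonaws.com .cnn.com .yahoo.com .bbc.com

# Access control lives in http_access, not in ssl_bump.
# At SslBump1 the fake CONNECT for an intercepted connection carries only the
# destination IP, so it has to be allowed through for Squid to reach the peek.
# (Assumption: at_step matches only during SSL bumping, so this rule has no
# effect on plain HTTP requests.)
http_access allow step1
# After peeking at the ClientHello, Squid re-evaluates http_access with the
# SNI filled in; only whitelisted names pass.
http_access allow allowed_https_sites
http_access allow allowed_http_sites
# A denied TLS client is bumped and receives the 403 page instead of a reset.
http_access deny all

# No terminate rule: peek at the ClientHello, then splice whatever
# http_access allowed. Spliced connections are not decrypted or inspected.
ssl_bump peek step1 all
ssl_bump splice all
```

Initialise the certificate database once before starting Squid (`/usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db`, with the directory owned by the user Squid runs as), and keep in mind that the file given as cert= must also hold the CA private key (or add a key= option), since Squid now signs certificates with it. To see the difference from the client, curl has to trust the bump CA: `curl --cacert /etc/pki/tls/certs/squidCA.pem -I https://nba.com` should then return `HTTP/1.1 403 Forbidden` with `X-Squid-Error: ERR_ACCESS_DENIED 0`, matching the HTTP case above, while without `--cacert` it reports a certificate verification failure rather than the `(35) SSL connect error` shown earlier. An application that pins the origin's certificate will still fail on a denied site, because the certificate it is shown belongs to Squid, not the origin.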