How to block a https website with squid 3.5.3

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

How to block a https website with squid 3.5.3

minh hưng đỗ hoàng
Dear all, i using squid as a transparent proxy. But i can't deny a https website like
https://remitano.com

My squid is compiled on ubuntu14 with this configure option
Squid Cache: Version 3.5.3
Service Name: squid
configure options:  '--prefix=/usr' '--includedir=/usr/include' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/usr/lib/squid' '--srcdir=.' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=24' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-gnuregex' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-http-violations' '--enable-ssl-crtd' '--enable-linux-netfilter' '--enable-ltdl-install' '--enable-ltdl-convenience' '--enable-x-accelerator-vary' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--disable-translation' '--disable-ipv6' '--disable-ident-lookups' '--enable-delay-pools' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-aufs-threads=24' '--with-filedescriptors=65536' '--with-large-files' '--with-maxfd=65536' '--with-openssl' '--with-default-user=proxy' '--with-included-ltdl'

And here is my squid.conf

acl localnet src 192.168.10.0/24 #LAN
acl localnet src 10.10.10.0/24 #WIFI
acl localnet src 10.10.20.0/24 #WIFI
acl localnet src 172.18.18.0/24 #WIFI
acl localnet src 172.17.0.0/16
acl localnet src 10.10.1.0/24

acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https


acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all


acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blockregexurl
ssl_bump terminate domain
ssl_bump terminate block_domain
ssl_bump splice all


sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher  ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
sslproxy_flags  DONT_VERIFY_PEER
sslproxy_cafile /etc/squid/intermediate_ca.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

-----------------------
First , i can block facebook by use this command :
acl facebook dstdomain .facebook.com
http_access deny CONNECT facebook

But it is not effect with https://remitano.com
 
I try to use these command but it's not work:

acl blockregexurl url_regex -i ^http[s]?:\/\/.*\.remitano\.com\/(/vn)
http_access deny blockregexurl
http_access deny CONNECT blockregexurl

acl block_domain dstdomain remitano.com
acl domain dstdomain sso.remitano.com socket.remitano.com cdn.remitano.com
http_access deny block_domain
http_access deny CONNECT block_domain
http_access deny domain
http_access deny CONNECT domain


--
Thanks & Best Regards,
--------------
Đỗ Hoàng Minh Hưng
Gmail : [hidden email]
SĐT : 01234454115

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: How to block a https website with squid 3.5.3

Amos Jeffries
Administrator
On 11/01/18 23:39, minh hưng đỗ hoàng wrote:
> Dear all, i using squid as a transparent proxy. But i can't deny a https
> website like
> https://remitano.com
>

The first step is to upgrade your Squid. TLS hijacking is a very
volatile area and things are changing often 3.5.3 is a very old Squid
release now.
  The current Squid-3 version is 3.5.27.


> My squid is compiled on ubuntu14 with this configure option
> Squid Cache: Version 3.5.3
> Service Name: squid
> configure options:  '--prefix=/usr' '--includedir=/usr/include'
> '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
> '--libexecdir=/usr/lib/squid' '--srcdir=.' '--datadir=/usr/share/squid'
> '--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline'
> '--enable-async-io=24' '--enable-storeio=ufs,aufs,diskd,rock'
> '--enable-removal-policies=lru,heap' '--enable-gnuregex'
> '--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
> '--enable-follow-x-forwarded-for' '--enable-eui' '--enable-esi'
> '--enable-icmp' '--enable-zph-qos' '--enable-http-violations'
> '--enable-ssl-crtd' '--enable-linux-netfilter' '--enable-ltdl-install'
> '--enable-ltdl-convenience' '--enable-x-accelerator-vary'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--disable-silent-rules' '--disable-translation' '--disable-ipv6'
> '--disable-ident-lookups' '--enable-delay-pools'
> '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
> '--with-pidfile=/var/run/squid.pid' '--with-aufs-threads=24'
> '--with-filedescriptors=65536' '--with-large-files' '--with-maxfd=65536'
> '--with-openssl' '--with-default-user=proxy' '--with-included-ltdl'
>
> And here is my squid.conf
>
> acl localnet src 192.168.10.0/24 <http://192.168.10.0/24> #LAN
> acl localnet src 10.10.10.0/24 <http://10.10.10.0/24> #WIFI
> acl localnet src 10.10.20.0/24 <http://10.10.20.0/24> #WIFI
> acl localnet src 172.18.18.0/24 <http://172.18.18.0/24> #WIFI
> acl localnet src 172.17.0.0/16 <http://172.17.0.0/16>
> acl localnet src 10.10.1.0/24 <http://10.10.1.0/24>
>
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
>
>
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump terminate blockregexurl


TLS does not have URLs. So this will never work.


You need to use ssl::server_name ACLs instead of dstdomain for this
directive.

ALso, maybe ssl::server_name_regex for the regex patterns *if* any are
relevant after considering how URLs dont exist.

You are doing peek first, which should make the SNI details available
for ssl::server_name* to use.



> ssl_bump terminate domain
> ssl_bump terminate block_domain
> ssl_bump splice all
>
>
> sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
> sslproxy_cipher  
> ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> sslproxy_cert_error deny all
> sslproxy_flags  DONT_VERIFY_PEER

Remove that DONT_VERIFY_PEER flag. It is only hiding problems from *you*
the admin - while letting them still be problems for all your clients.

> sslproxy_cafile /etc/squid/intermediate_ca.pem
>

This is a bit dangerous. Any non-intermediates Ca certs in that PEM file
will allow remote hijacking of your proxy outbound connections by
clients of that root CA.

That said,   you already completely disabled *ALL* verify checks on the
server certs with DONT_VERIFY_PEER - so anyone can already hijack your
traffic without needing to go to the trouble of even having their certs
signed. All they need is some garbage bytes that use the correct X.509
_format_ used by certs.

After you upgrade your Squid, change that to
sslproxy_foreign_intermediate_certs which will only load intermediate
certs for use. If your upgraded Squid does not accept that directive it
is still too old to use safely for SSL-Bump.



> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>

What are the http_port and https_port lines you are using?

> -----------------------
> First , i can block facebook by use this command :
> acl facebook dstdomain .facebook.com <http://facebook.com>
> http_access deny CONNECT facebook
>

You can only block domains like that if;
  a) you are using explicit proxy and the client sent a CONNECT with a
domain name, or
  b) its IP address rDNS points back to the domain you are naming in the
ACL, or
  c) the client sends TLS SNI details *and* your ssl_bump rules make
that detail available to Squid (eg. peek).


see
<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>
for details on what SSL-Bump actually does at each step of the TLS
handshake.

Pay particular attention to what info is available at each "step" - and
also what is *not* available.



> But it is not effect with https://remitano.com
> I try to use these command but it's not work:
>
> acl blockregexurl url_regex -i ^http[s]?:\/\/.*\.remitano\.com\/(/vn)
> http_access deny blockregexurl
> http_access deny CONNECT blockregexurl

The regex pattern is looking for an absolute-form URL which will never
exist in any CONNECT messages, since they always use authority-form URL.

That first http_access line might work *if* you already bumped the HTTPS
traffic. The second never will.


>
> acl block_domain dstdomain remitano.com <http://remitano.com>
> acl domain dstdomain sso.remitano.com <http://sso.remitano.com>
> socket.remitano.com <http://socket.remitano.com> cdn.remitano.com
> <http://cdn.remitano.com>
> http_access deny block_domain
> http_access deny CONNECT block_domain
> http_access deny domain
> http_access deny CONNECT domain
>

Same issues mentioned above about the facebook dstdomain ACL as to when
these dstdomain ACLs will match.

Except that here the "deny foo" lines that go first without mentioning
CONNECT will match all the same things as the CONNECT line would -
meaning they already block all traffic even stuff not using CONNECT
tunnels. So the mention of CONNECT in these lines is pointless, and you
can completely remove the lines which use it without changing the proxy
behaviour.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users