How to completely blacklist a domain + subdomains, including HTTPS?


How to completely blacklist a domain + subdomains, including HTTPS?

Roeeklinger60
Hey,

I have found a lot of outdated or conflicting information about this online, and since this is a really important matter, I wanted to make sure I am doing this correctly.

I am attempting to block some websites completely, including all HTTPS traffic and subdomains.

Squid.conf:
acl domain_blacklist dstdomain "/etc/squid/domain_blacklist.txt"
http_access deny all domain_blacklist
http_reply_access deny domain_blacklist
http_access deny CONNECT domain_blacklist

/etc/squid/domain_blacklist.txt:
.ph

.ph - will block all websites that have the .ph TLD including subdomains.
.somepornwebsite.com - will block all traffic to somepornwebsite.com, including all subdomains.
.facebook.com - will block all traffic to FB including subdomains.

Am I doing this the right way?
Thanks


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: How to completely blacklist a domain + subdomains, including HTTPS?

Shouma
I am currently using:

###blocked websites###
acl blockedsites dstdomain .domain1.com .domain2.com .domain3.com
###end blocked websites###

http_access deny blockedsites

Simple and working ;)

--
This message was sent from my Android mobile phone with WEB.DE Mail.
On 09.03.21, 12:58, roee klinger <[hidden email]> wrote:


Re: How to completely blacklist a domain + subdomains, including HTTPS?

Amos Jeffries
On 10/03/21 12:57 am, roee klinger wrote:
> Hey,
>
> I have found a lot of outdated or conflicting information about this
> online, and since this is a really important matter, I wanted to make
> sure I am doing this correctly.
>
> I am attempting to block some websites completely, including all HTTPS
> traffic and subdomains.
>

Basically there are two protocols that need to be considered for this.
HTTP and TLS.

In HTTP the "website" is identified by a domain name in the
request-target (aka URI, sometimes called URL).
  * The 'dstdomain' ACL type matches URI domain name.
  * The http_access directive is where that domain name becomes
available for Squid to check.


In TLS the "website" is identified by the TLS SNI sent by the client, or
a field in the server X.509 certificate.
  * The 'ssl::server_name' ACL type matches those details.
  * The ssl_bump directive


Next thing is to be aware that there are many ways to layer protocols.
Do expect to see vastly different proxy behaviours for each permutation
of those.
  * port 443 "HTTPS" is TLS then HTTP
  * port 80 "HTTPS" is HTTP then TLS (quite rare)
  * forward-proxy "HTTPS" is HTTP then TLS then HTTP



> Squid.conf:
>
>     acl domain_blacklist dstdomain "/etc/squid/domain_blacklist.txt"
>     http_access deny all domain_blacklist

The "all" here is pointless.


>     http_reply_access deny domain_blacklist

Use of the reply access directive for blacklisting by request details is
not useful.

The request already got blocked. So any response reaching here is just
the error page saying forbidden. Blocking that error page would just
change it to a slightly different error page saying the *response* was
forbidden - which is a bit confusing for any user trying to understand
why their request didn't work.


>     http_access deny CONNECT domain_blacklist
>

This line is useless here.

squid.conf lines are interpreted top-down. The "deny all
domain_blacklist" already stopped all requests that could possibly match
the second condition of this line.


>
> /etc/squid/domain_blacklist.txt:
>
>     .ph
>     .somepornwebsite.com
>     .facebook.com
>
...
>
> Am I doing this the right way?


Sort of. Your http_access denial will catch all the HTTP and decrypted
HTTP(S) traffic. It will not be able to block any HTTP(S) requests that
it is not able to decrypt.

To catch and block these domains without needing to decrypt you should
also use:

  acl server_blacklist ssl::server_name "/etc/squid/domain_blacklist.txt"
  ssl_bump terminate server_blacklist

Of course there is always the failure case where traffic cannot decrypt
and the TLS details use different server names.


Amos
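As an added illustration of the two match points Amos describes (this is example code written for this page, not Squid's code and not part of the thread): dstdomain_match reproduces the leading-dot semantics the original post's blacklist relies on, and extract_sni pulls the server name out of a TLS ClientHello the way an ssl::server_name check sees it before any decryption. The ClientHello builder, the blacklist entries and the record layout checks are all constructed for the example.

```python
import struct

BLACKLIST = [".ph", ".somepornwebsite.com", ".facebook.com"]  # constructed, same entries as the post's file

def dstdomain_match(host, patterns=BLACKLIST):
    """Squid dstdomain semantics: '.example.com' matches example.com and every
    subdomain of it; a pattern with no leading dot matches that exact host only."""
    host = host.rstrip(".").lower()
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in (x.lower() for x in patterns))

def build_client_hello(sni):
    """Minimal TLS 1.2 ClientHello record whose only extension is SNI (constructed)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name             # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # ext type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                       # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # record type 22 = handshake

def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                    # header, client_version, random
    pos += 1 + hs[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                  # compression_methods
    if pos + 2 > len(hs):
        return None                                     # ClientHello carries no extensions
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == 0 and len(data) >= 5 and data[2] == 0:  # server_name list, host_name entry
            return data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
    return None

def tls_blocked(record, patterns=BLACKLIST):
    """Models the decision of the ssl::server_name + ssl_bump terminate pair: block on SNI match."""
    sni = extract_sni(record)
    return sni is not None and dstdomain_match(sni, patterns)
```

A client that sends no SNI (or a ClientHello the proxy cannot parse) yields None here, which is the "traffic cannot decrypt and the TLS details use different server names" failure case Amos mentions: the SNI rule cannot help, and only the http_access rule on decrypted traffic remains.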

Re: How to completely blacklist a domain + subdomains, including HTTPS?

Roeeklinger60
Thanks, Amos.

I tried implementing the configuration you suggested but I am getting an error message:
FATAL: Invalid ACL type 'ssl::server_name'
FATAL: Bungled /etc/squid/squid.conf line 36: acl server_blacklist ssl::server_name "/etc/squid/domain_blacklist.txt"
 
I tried reading the documentation but can't find anything wrong in my config file, I used the 2 lines exactly like they are in your suggestion, and I am running Squid 4.10.

On Tue, Mar 9, 2021 at 2:48 PM Amos Jeffries <[hidden email]> wrote:


Re: How to completely blacklist a domain + subdomains, including HTTPS?

Amos Jeffries
On 11/03/21 1:28 am, roee klinger wrote:
> Thanks, Amos.
>
> I tried implementing the configuration you suggested but I am getting an
> error message:
>
>     FATAL: Invalid ACL type 'ssl::server_name'
>     FATAL: Bungled /etc/squid/squid.conf line 36: acl server_blacklist
>     ssl::server_name "/etc/squid/domain_blacklist.txt"
>

That means your Squid lacks OpenSSL support (--with-openssl build
option) required to do SSL-Bump related things.

I assumed from previous threads you had that enabled.


Amos