How to perform regex only after Squid knows the full url with SslBump


laviier
Hi,

I have a use case where I want to access a certain URL path of a domain but
not others, i.e. I want the client to be able to access example.com/abc/login,
but not other paths.

Hence, I created an ACL rule to achieve that; see below:

```
acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"
acl http port 80
acl https port 443
acl connect method CONNECT

http_access allow all to_domain_whitelist
http_access deny all

http_reply_access allow all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step3
ssl_bump bump all
```

However, the above configuration does not work properly: the URL regex matching
happens before Squid performs decryption, so it can only match against
the host name instead of the full URL path. I wonder if there's a way to perform
the URL regex only after Squid knows the full URL with SslBump? Below is a
brief excerpt of the log. Thank you so much!
```
---------
CONNECT example.com:443 HTTP/1.1
Host: example.com:443
User-Agent: curl/7.54.0
Proxy-Connection: Keep-Alive
X-Forwarded-For: xx.xxx.xx.xx
----------
...
2020/03/20 14:51:43.067| 28,3| Acl.cc(158) matches: checked:
to_domain_whitelist = 0
2020/03/20 14:51:43.071| 85,2| client_side_request.cc(745)
clientAccessCheckDone: The request CONNECT example.com:443 is DENIED; last
ACL checked: all
...
---------
GET /abc/login HTTP/1.1
Host: example.com
User-Agent: curl/7.54.0
Accept: */*
----------
....
```



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: How to perform regex only after Squid knows the full url with SslBump

Alex Rousskov
On 3/20/20 5:48 PM, laviier wrote:

> Hi,
>
> I have a use case where I want to access a certain URL path of a domain but
> not others, i.e. I want the client to be able to access example.com/abc/login,
> but not other paths.
>
> Hence, I created an ACL rule to achieve that; see below:
>
> ```
> acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"
> acl http port 80
> acl https port 443
> acl connect method CONNECT
>
> http_access allow all to_domain_whitelist
> http_access deny all
>
> http_reply_access allow all
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> ssl_bump peek step3
> ssl_bump bump all
> ```
>
> However, the above configuration does not work properly: the URL regex matching
> happens before Squid performs decryption, so it can only match against
> the host name instead of the full URL path. I wonder if there's a way to perform
> the URL regex only after Squid knows the full URL with SslBump? Below is a
> brief excerpt of the log. Thank you so much!
> ```
> ---------
> CONNECT example.com:443 HTTP/1.1
> Host: example.com:443
> User-Agent: curl/7.54.0
> Proxy-Connection: Keep-Alive
> X-Forwarded-For: xx.xxx.xx.xx
> ----------
> ...
> 2020/03/20 14:51:43.067| 28,3| Acl.cc(158) matches: checked:
> to_domain_whitelist = 0
> 2020/03/20 14:51:43.071| 85,2| client_side_request.cc(745)
> clientAccessCheckDone: The request CONNECT example.com:443 is DENIED; last
> ACL checked: all
> ...

If you want to make an allow/deny decision based on individual request
URLs, your http_access rules must allow the CONNECT request. Once Squid
establishes (and bumps) the CONNECT tunnel, it will start processing
individual requests and apply http_access rules to each of them.

To allow a CONNECT request, do not use regular URL syntax because
CONNECT requests use a different URI syntax. Sorry, I do not know
whether a url_regex ACL can be used for CONNECT URIs, but you can use
other ACLs if/as needed, of course.


HTH,

Alex.


> ---------
> GET /abc/login HTTP/1.1
> Host: example.com
> User-Agent: curl/7.54.0
> Accept: */*
> ----------
> ....
> ```


Re: How to perform regex only after Squid knows the full url with SslBump

Amos Jeffries
On 23/03/20 4:19 am, Alex Rousskov wrote:
>
> To allow a CONNECT request, do not use regular URL syntax because
> CONNECT requests use a different URI syntax. Sorry, I do not know
> whether a url_regex ACL can be used for CONNECT URIs, but you can use
> other ACLs if/as needed, of course.
>

It can, so long as the pattern only needs to match the authority-URI section.

Amos

Re: How to perform regex only after Squid knows the full url with SslBump

laviier
Thank you for the suggestion!

I did think of allowing the domain name first during the CONNECT phase, and then the full URL after the connection is established. However, other paths under the same site won't be blocked.

i.e. I can ask Squid to let example.com pass through during CONNECT, and then let example.com/abc/login pass through after the connection is established. However, this will let other paths of example.com pass Squid too (such as example.com/not_to_pass) because it passes the ACL check during the CONNECT phase.




Re: How to perform regex only after Squid knows the full url with SslBump

Alex Rousskov
On 3/23/20 11:20 AM, laviier wrote:

> I did think of allowing the domain name first during the CONNECT phase, and
> then the full URL after the connection is established. However, other paths
> under the same site won't be blocked.

What will (or will not be) blocked is for you to decide.


> i.e. I can ask Squid to let example.com pass
> through during CONNECT, and then let example.com/abc/login
> pass through after the connection is established.

Yes, you can.


> However, this will let other paths of example.com
> pass Squid too (such as example.com/not_to_pass

Only if your http_access rules allow them. Your rules can include
request methods and bump stages, among other things.


> because it passes the ACL check during the CONNECT phase.

You can make that first example.com check be specific to the "CONNECT
phase". That specific rule does not have to match after the connection
was bumped -- you control that. Squid ACLs are very flexible. Do not
think about one ACL (with several regexes). Think of a combination of
different ACLs. Think of multiple http_access lines. Think of any-of and
all-of ACLs. For example:

  acl ...
  ...
  acl allowedAtTcpLevel ...
  acl allowedAtSniLevel ...
  acl allowedPlainAndBumpedTraffic ...

  http_access allow step1 allowedAtTcpLevel
  http_access deny step1
  http_access allow step2 allowedAtSniLevel
  http_access deny step2
  http_access allow allowedPlainAndBumpedTraffic
  http_access deny all

There are many ways to express what you want. The above is just one
excessively generic sketch. Your best solution will be different. I am
just illustrating the concept.


HTH,

Alex.


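One concrete way to lay out the two-stage rules Alex sketches above, written as an added example for this thread (it is not configuration posted on the list or shipped by the Squid project). The ACL names, the `dstdomain` / `ssl::server_name` split for the pre-bump checks, the `peek step1` choice and the `/abc/login` regex are assumptions drawn from the original question:

```squid
# Added example (assumed layout): admit the CONNECT tunnel only for the
# whitelisted host, then filter each decrypted request by its full URL.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl CONNECT method CONNECT

# Before decryption Squid knows only the CONNECT authority (step1) and the
# TLS SNI (step2), so these ACLs can match the host, never the path.
acl allowedAtTcpLevel dstdomain example.com
acl allowedAtSniLevel ssl::server_name example.com

# Once the tunnel is bumped, each request carries a full https:// URL.
# The trailing group stops /abc/login from also admitting /abc/login_other.
acl allowedPlainAndBumpedTraffic url_regex ^https://example\.com/abc/login(/|\?|$)

# CONNECT stage: these rules are tied to the SslBump steps and to the
# CONNECT method, so allowing the whole host here does not carry over to
# the decrypted GET/POST requests evaluated by the rules further down.
http_access allow CONNECT step1 allowedAtTcpLevel
http_access deny  CONNECT step1
http_access allow CONNECT step2 allowedAtSniLevel
http_access deny  CONNECT step2

# Bumped requests: only the one path is allowed; example.com/not_to_pass
# reaches the final deny even though its CONNECT was admitted above.
http_access allow allowedPlainAndBumpedTraffic
http_access deny all

# Peek at the client hello (step1) so the SNI is available at step2, then bump.
ssl_bump peek step1
ssl_bump bump all
```

The regex can equally live in the original `"/squid-config/whitelist/allow.acl"` file; what matters is that the patterns there match the `https://host/path` form Squid sees after bumping, not the bare `host:443` authority of the CONNECT.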