Re: squid-users Digest, Vol 30, Issue 3


Re: squid-users Digest, Vol 30, Issue 3

Sergey Klusov

> Date: Thu, 2 Feb 2017 03:46:44 +1300
> From: Amos Jeffries <[hidden email]>
> To: [hidden email]
> Subject: Re: [squid-users] transparent http and https filter with
> white-list only
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8
>
> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>> Hello. I'm trying to get working transparent setup allowing only certain
>> domains and have problem that in order to allow https "ssl_bump splice
>> allowed_domains" i have to "http_access allow all", thus allowing all
>> other http traffic through. Otherwise https traffic is not allowed at all.
>>
>> Here is my config:
>>
> Some comments inline to improve it.
>
> Also, what version of Squid are you using?
>   I will assume that you are following the best practice advice and using
> at least 3.5.19.  If not, please try to upgrade.
Just installed from the CentOS 7 repo, using yum:
Squid Cache: Version 3.5.20

>
>> =======config=======
>> http_port 10.96.243.1:3128 intercept options=NO_SSLv3:NO_SSLv2
>> http_port 10.96.243.1:3130 options=NO_SSLv3:NO_SSLv2
> Setting SSL-related options on http_port's is not useful when they are
> not doing SSL-Bump.

OK. Just copy-pasted from some internet site about ssl_bump.

>
>> https_port 10.96.243.1:3129 intercept ssl-bump
>> options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off
>> cert=/etc/squid/squidCA.pem
>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 443         # https
>> acl CONNECT method CONNECT
>>
>> acl http_allow dstdomain "/etc/squid/http_allow_domains.txt"
>> acl https_allow ssl::server_name "/etc/squid/https_allow_domains.txt"
>>
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
> Not good. Remember this is a security protocol you are playing around with.
>
> Both of the above lines hide critical details you need to figure out
> what is going wrong. They can be useful as a spot-check (only!) to
> figure out if the problem is related to cert verification or something
> else. But DO NOT use them for regular traffic, not even testing traffic.
>
> You may find that there are certain _specific_ errors that you need to
> let through. Add the appropriate flags, SSL options, ACLs checks
> sslproxy_cert_error lines for those as needed, don't just ignore all
> possible errors like the above does.

This setup's only purpose is to allow clients to connect only to a
small set of certain sites.
I suppose the client's browser will do all the checks?

>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump splice https_allow
>> ssl_bump terminate all
>>
> Looks okay. Just to be clear you understand that:
>   The above means that the TLS/SSL is spliced only if the client SNI
> contains a domain in your whitelist.
>   All other traffic will be terminated ... maybe with an HTTP error page.
That's all I need. In fact I would prefer not to use Squid at all for
that purpose, but I can't find any good free DPI solution.

>
>
>> cache deny all
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>>
>> http_access allow all http_allow
>> http_access allow all https_allow
> The ssl::server_name ACL will not work outside of the ssl_bump
> directive. Delete the above line.
Ok

>
> Also, I am not seeing any line which permits the raw-IP CONNECT
> message which your Squid processes first to decide whether ssl_bump will
> be applied to the intercepted TCP connections.
>
>   That is why the "allow all" makes things "work". It lets those CONNECT
> requests through.
>
> You can read the details about how bumping happens at
> <http://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>
>   The CONNECT request mentioned in step 1.ii is your problem.
>
> To fix it in a very targeted way add these lines (mind the wrap sorry):
>
>   acl rawIP dstdom_regex
> ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443$
>
>   acl bumpPort myportname 10.96.243.1:3129
>
>   http_access allow CONNECT bumpPort rawIP

I've worked around it like this:

acl http_proto proto http
http_access allow !http_proto

But I will try your variant too.
Thanks.

>
>> http_access deny all
>>
>> always_direct allow all
>>
> That always_direct line is not useful. Remove it.
OK

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid-users Digest, Vol 30, Issue 3

Amos Jeffries
Administrator
On 3/02/2017 1:22 a.m., Sergey Klusov wrote:

>
>> Date: Thu, 2 Feb 2017 03:46:44 +1300
>> From: Amos Jeffries
>>
>> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>>> Hello. I'm trying to get working transparent setup allowing only certain
>>> domains and have problem that in order to allow https "ssl_bump splice
>>> allowed_domains" i have to "http_access allow all", thus allowing all
>>> other http traffic through. Otherwise https traffic is not allowed at
>>> all.
>>>

...

>>>
>>> sslproxy_cert_error allow all
>>> sslproxy_flags DONT_VERIFY_PEER
>> Not good. Remember this is a security protocol you are playing around
>> with.
>>
>> Both of the above lines hide critical details you need to figure out
>> what is going wrong. They can be useful as a spot-check (only!) to
>> figure out if the problem is related to cert verification or something
>> else. But DO NOT use them for regular traffic, not even testing traffic.
>>
>> You may find that there are certain _specific_ errors that you need to
>> let through. Add the appropriate flags, SSL options, ACLs checks
>> sslproxy_cert_error lines for those as needed, don't just ignore all
>> possible errors like the above does.
>
> This setup's only purpose is to allow clients to connect only to a
> small set of certain sites.
> I suppose the client's browser will do all the checks?

What the browser sees is the stuff inside the spliced connections. Which
does not go near these sslproxy_* directives.

sslproxy_* are for Squid<->Internet connections. Errors here will never
get seen by any browser and in your setup will probably be from wrongly
bump'ed traffic, so you better be aware of those problems.

...

>>
>> To fix it in a very targeted way add these lines (mind the wrap sorry):
>>
>>   acl rawIP dstdom_regex
>> ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443$
>>
>>
>>   acl bumpPort myportname 10.96.243.1:3129
>>
>>   http_access allow CONNECT bumpPort rawIP
>
> I've worked around it like this:
>
> acl http_proto proto http
> http_access allow !http_proto
>
> But I will try your variant too.
> Thanks.

FYI: my ACLs were being very strict, ensuring an allow only for CONNECT
requests which are coming from the port with ssl-bump and are also going
to port 443 (HTTPS).

Just allowing all non-http:// URLs through the proxy is not much better
than 'allow all'.

Amos
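As an added illustration, not code from the thread or from Squid itself, the following Python model compares the two http_access approaches discussed above: Amos' targeted rule for the fake CONNECT that Squid builds in step 1 of peek-and-splice, versus the "allow anything that is not http://" workaround, evaluated over constructed requests. It assumes the `[` missing before the IPv4-mapped tail of the posted regex was a line-wrap error, and reads the workaround's ACL as the `http_proto` ACL defined beside it.

```python
import re

# Amos' rawIP dstdom_regex from the thread, with the "[" before the
# IPv4-mapped tail restored (assumption: it was lost when the line wrapped).
RAW_IP_443 = re.compile(
    r"^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
    r"|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443$"
)

BUMP_PORT = "10.96.243.1:3129"   # the https_port carrying ssl-bump in the config


def targeted_allow(method, dst, myportname):
    """Amos' rule: 'http_access allow CONNECT bumpPort rawIP'.

    Only the synthetic CONNECT Squid itself generates for an intercepted TLS
    connection (raw IP, port 443, arriving on the ssl-bump port) passes."""
    return (method == "CONNECT"
            and myportname == BUMP_PORT
            and RAW_IP_443.match(dst) is not None)


def workaround_allow(scheme):
    """The workaround, read as 'http_access allow !http_proto':
    anything whose URL scheme is not http gets through."""
    return scheme != "http"


# Constructed request samples: (method, scheme as the proto ACL would see it,
# host:port, name of the receiving port).
SAMPLES = [
    ("CONNECT", "https", "203.0.113.10:443",  "10.96.243.1:3129"),  # intercepted TLS
    ("CONNECT", "https", "[2001:db8::1]:443", "10.96.243.1:3129"),  # IPv6 variant
    ("CONNECT", "https", "203.0.113.10:443",  "10.96.243.1:3128"),  # wrong port
    ("CONNECT", "https", "203.0.113.10:8443", "10.96.243.1:3129"),  # not 443
    ("CONNECT", "https", "example.com:443",   "10.96.243.1:3129"),  # hostname, not raw IP
    ("GET",     "ftp",   "203.0.113.10:21",   "10.96.243.1:3130"),  # non-http URL
]


def compare():
    """Return [(targeted, workaround), ...] in SAMPLES order for comparison."""
    return [(targeted_allow(m, dst, port), workaround_allow(scheme))
            for m, scheme, dst, port in SAMPLES]


if __name__ == "__main__":
    for (m, scheme, dst, port), (tight, loose) in zip(SAMPLES, compare()):
        print(f"{m:7} {dst:18} on {port}: targeted={tight!s:5} workaround={loose}")
```

Only the first two samples pass the targeted rule, while the workaround admits every one of them, which is the point Amos makes about it being little better than 'allow all'.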