SSL Bump for regex URL comparison

SSL Bump for regex URL comparison

Joe Foster
Good afternoon,

I have a small router onto which I have installed Squid.

I am trying to filter HTTPS urls for bad words on a blocked list.

It will require the client on the safe side of the router to install the
certificate, this isn't an issue as it's an open process and not an
illegal MITM attack.

Below is my squid.conf

As you will see I have been playing around with where to put the code
and what code to put in.

I only have a small amount of flash drive so I have put the auto-gen
cert directory in /tmp/. I am aware this is volatile memory but until I
have a better solution I will be doing this.

I have put a firewall rule in to forward 443 to 3128.

https://wiki.squid-cache.org/Features/SslBump
https://wiki.squid-cache.org/SquidFaq/SquidAcl

I also don't want to cache due to flash drive issues. Is this possible?

It's the same cert in /root/ and /certs/ before anyone points it out.

Nothing has been appearing in the log files either but this is no
surprise.

Been up till 1am last few nights on this so your assistance is very
appreciated.

Thank you very much,

Joe

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16   # was 192.168.1.0/16: a /16 must start at .0.0
acl localnet src fc00::/7
acl localnet src fe80::/10

acl ssl_ports port 443

acl safe_ports port 80
acl safe_ports port 21
acl safe_ports port 443
acl safe_ports port 70
acl safe_ports port 210
acl safe_ports port 1025-65535
acl safe_ports port 280
acl safe_ports port 488
acl safe_ports port 591
acl safe_ports port 777
acl connect method CONNECT

#acl safe_ports port 3128
# The whole option list belongs on one line; a wrapped second line is read
# as an unknown directive and Squid refuses to start.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=1MB cert=/root/myCA.pem

http_access deny !safe_ports
http_access deny connect !ssl_ports

http_access allow localhost manager
http_access deny manager

http_access deny to_localhost

# ACL names are case-sensitive ("Badwords" would be an undefined ACL), and
# http_access is first-match, so the deny has to come before "allow localnet"
# or it is never reached.
acl BadWords url_regex "/etc/badwords"
http_access deny BadWords

http_access allow localnet
http_access allow localhost

#http_port 3128 intercept

cache deny all

# With every ssl_bump line commented out, no connection is bumped and the
# url_regex ACL only ever sees host:443 for HTTPS traffic.
#ssl_bump bump all
#http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=1MB cert=/root/myCA.pem

http_access deny all

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

access_log /squid.log
cache_log /squid1.log
cache_store_log stdio:/squid2.log
logfile_rotate 0

logfile_daemon /dev/null

#http_port 3128 intercept

#cache deny all

#ssl_bump bump all
#http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=1MB cert=/root/myCA.pem


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL Bump for regex URL comparison

Amos Jeffries
On 16/11/17 02:32, Joe Foster wrote:

> Good afternoon,
>
> I have a small router onto which I have installed Squid.
>
> I am trying to filter HTTPS urls for bad words on a blocked list.
>
> It will require the client on the safe side of the router to install the
> certificate, this isn't an issue as it's an open process and not an
> illegal MITM attack.
>
> Below is my squid.conf
>
> As you will see I have been playing around with where to put the code
> and what code to put in.
>
> I only have a small amount of flash drive so I have put the auto-gen
> cert directory in /tmp/. I am aware this is volatile memory but until I
> have a better solution I will be doing this.

Since /tmp is subject to random deletion of content you will need to
make sure you always shut down Squid and re-run the ssl_crtd (etc.)
create command to re-generate the cert DB structures whenever the device
erases its /tmp content. Otherwise your proxy will crash and/or client
connections will start being terminated with strange looking errors.


IMO you would probably be better off setting the cert DB to a very small
size suitable for your limited space - or disabling it entirely [more on
that below].

>
> I have put a firewall rule in to forward 443 to 3128.
>
> https://wiki.squid-cache.org/Features/SslBump
> https://wiki.squid-cache.org/SquidFaq/SquidAcl
>
> I also don't want to cache due to flash drive issues. Is this possible?
>

From the documentation of the SSL-Bump settings:
  <http://www.squid-cache.org/Doc/config/http_port/>
"
   dynamic_cert_mem_cache_size=SIZE
     Approximate total RAM size spent on cached generated
     certificates. If set to zero, caching is disabled. The
     default value is 4MB.
"

> Its the same cert in /root/ and /certs/ before anyone points it out.
>
> Nothing has been appearing in the log files either but this is no
> surprise.
>
> Been up till 1am last few nights on this so your assistance is very
> appreciated.

That sounds like you are having a problem. But I don't see any mention
of what that is exactly.

Amos
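As an added example (not Joe's posted configuration and not from the Squid project), here is a minimal squid.conf for the setup described in this thread: router redirects port 443 to the proxy, the TLS session is bumped, URLs matching the word list are denied, nothing is cached on disk, and the generated-certificate memory cache is set to 0 as the documentation Amos quotes allows. It assumes Squid 3.5 built with ssl_crtd, that /root/myCA.pem holds both the CA certificate and its private key, and that the router's redirect rule is pointed at the intercept port chosen here (3129); the helper path, port number and /tmp paths are assumptions.

```conf
# Added example squid.conf: bump HTTPS, deny URLs on a word list, no caching.
# Assumed: Squid 3.5 with ssl_crtd, /root/myCA.pem holding CA cert + key,
# port 3129 and the /tmp paths below.

acl localnet src 192.168.0.0/16          # LAN on the safe side of the router
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Plain port for clients configured to use the proxy explicitly.
http_port 3128

# Redirected port-443 traffic is raw TLS, so it must arrive on an intercept
# https_port with ssl-bump, not on http_port; aim the router's redirect rule
# at this port. dynamic_cert_mem_cache_size=0 disables the in-RAM cache of
# generated certificates (http_port documentation).
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=0 cert=/root/myCA.pem

# Certificate generator helper. Its on-disk DB lives in /tmp here, so it has
# to be re-created after every boot:  ssl_crtd -c -s /tmp/ssl_db -M 4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /tmp/ssl_db -M 4MB
sslcrtd_children 2

# Peek at the ClientHello (SNI) first, then bump, so that url_regex sees the
# full decrypted URL instead of only host:443.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Word list: one regex per line; -i makes matching case-insensitive.
# ACL names are case-sensitive, so the name must match exactly below.
acl BadWords url_regex -i "/etc/badwords"

# http_access is first-match: the deny must precede "allow localnet".
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny BadWords
http_access allow localnet
http_access allow localhost
http_access deny all

# No cache_dir is declared and caching is refused, so the flash is never used.
cache deny all
cache_mem 8 MB

# stdio: writes directly and does not need the logfile_daemon helper.
access_log stdio:/tmp/access.log squid
cache_log /tmp/cache.log
cache_store_log none
```

Run `squid -k parse` after editing; it reports undefined ACL names, wrapped option lines and similar mistakes before the proxy is started.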

Re: SSL Bump for regex URL comparison

Joe Foster
Hello Amos,

The problem is the connections are not getting through. It just acts like there is no WiFi connection.

Adding the cert db every start up isn't an issue.

I was thinking of having a small cert cache locally instead, thinking about it since.

The connections just aren't being made. No SSL warning.

Thank you

Joe


On Thu, 16 Nov 2017 at 08:15, Amos Jeffries <[hidden email]> wrote:

Re: SSL Bump for regex URL comparison

Matus UHLAR - fantomas
On 16.11.17 08:21, Joe Foster wrote:
>The problem is the connections are not getting through. It just acts like
>there is no WiFi connection.

what exactly is the error? Does squid receive those connections?
does squid reject them?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)