Squid 3.5.15 - ERR_CONNECTION_REFUSED while accessing blocked non-HTTPS pages.

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Squid 3.5.15 - ERR_CONNECTION_REFUSED while accessing blocked non-HTTPS pages.

Irakli Gobejishvili
Hello everyone.

I am successfully filtering HTTPS traffic with intercept/PBR setup and users get my custom ERR_ACCESS_DENIED page from Squid. Permitted pages (both HTTP/HTTPS) also work absolutely fine.

The problem is, when users try to access filtered page with HTTP request, then they get ERR_CONNECTION_REFUSED in their browsers, instead of seeing that custom deny page and I see nothing in access.log, as if Squid never even got the request. If I remove that domain from deny ACL or access it via HTTPS, then it works fine and can be seen in access.log. What can I do to fix this?


Relevant fragment from configuration:

acl CONNECT method CONNECT
reply_header_access Alternate-Protocol deny all

ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

acl BADSITES ssl::server_name "/etc/squid/BADSITES"
acl USERS src 10.10.80.0/24

http_access deny BADSITES USERS
http_access allow USERS

http_port 3128
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/CA.pem

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Squid 3.5.15 - ERR_CONNECTION_REFUSED while accessing blocked non-HTTPS pages.

Amos Jeffries
Administrator
SSL-Bump featres in Squid are still very volatile. What appear to be
minor change can have big behaviour differences and security fixes
between any two releases. It is not worth anyones time (including yours)
re-debugging and re-fixing an older release for things that have already
been fixed.

So, Rule #1 when using those features is to follow new releases. If any
problems are encountered try the very latest to see if it is fixed.
Today that is 3.5.25, or if 3.5 is still affected the 4.0.19 beta.


On 13/04/2017 2:24 a.m., Irakli Gobejishvili wrote:

> Hello everyone.
>
> I am successfully filtering HTTPS traffic with intercept/PBR setup and
> users get my custom ERR_ACCESS_DENIED page from Squid. Permitted pages
> (both HTTP/HTTPS) also work absolutely fine.
>
> The problem is, when users try to access filtered page with HTTP request,
> then they get ERR_CONNECTION_REFUSED in their browsers, instead of seeing
> that custom deny page and I see nothing in access.log, as if Squid never
> even got the request. If I remove that domain from deny ACL or access it
> via HTTPS, then it works fine and can be seen in access.log. What can I do
> to fix this?

What is the exact traffic behaviour that is going on?

"filtering HTTPS traffic with intercept/PBR setup" tells us nothing
about the tiny but critical input details that the security systems huge
differences in correct vs wrong behaviour hinge on.

 and what do you think Squid is doing in reaction to that?



>
> Relevant fragment from configuration:
>
> acl CONNECT method CONNECT
> reply_header_access Alternate-Protocol deny all
>
> ssl_bump stare all
> ssl_bump bump all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

Ah, sure. Things can look like they are working well when you hide all
possible TLS/SSL errors from yourself (and the users).

Anything major could be going on and you simply not seeing it.


>
> acl BADSITES ssl::server_name "/etc/squid/BADSITES"
> acl USERS src 10.10.80.0/24
>

Missing:
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_Ports
 http_acecss deny !localhost manager

> http_access deny BADSITES USERS
> http_access allow USERS
>

Missing:
 http_access deny all


> http_port 3128
> https_port 3130 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
> cert=/etc/squid/ssl_cert/CA.pem
>

Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users