Squid 4 and on_unsupported_protocol


Squid 4 and on_unsupported_protocol

Vieri
Hi,

I'd like to allow whatsapp web through a transparent tproxy sslbump Squid setup.

The target site is not loading:

wss://web.whatsapp.com/ws

I get TCP_MISS/400 305 GET https://web.whatsapp.com/ws in Squid cache log.

I'm not sure I know how to use the on_unsupported_protocol directive.

I have this in my config file:

acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol respond all

How can I change this to allow websockets through Squid, but preferably only for a specific SRC IP addr. acl?

Regards,

Vieri
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid 4 and on_unsupported_protocol

Eliezer Croitoru-3

Hey Vieri,

This connection is being bumped and it's based on a CONNECT connection to the proxy.

I believe what you are looking for is at:

https://wiki.squid-cache.org/ConfigExamples/Chat/Whatsapp

Hope it helps,

Eliezer

----

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]


From: [hidden email]
Sent: Monday, June 29, 2020 7:14 PM
To: [hidden email]
Subject: [squid-users] Squid 4 and on_unsupported_protocol


Re: Squid 4 and on_unsupported_protocol

Vieri


On Monday, June 29, 2020, 6:41:41 PM GMT+2, Eliezer Croitoru <[hidden email]> wrote:
>
>
> I believe what you are looking for is at:
> https://wiki.squid-cache.org/ConfigExamples/Chat/Whatsapp
 
Thanks, but the article doesn't work for me.
I still see Firefox complaining (console) about not being able to connect to wss://web.whatsapp.com/ws.

Vieri

Re: Squid 4 and on_unsupported_protocol

Eliezer Croitoru-3

I can try to reproduce this setup locally to make sure that it works as described in the docs.

So, a couple of details:

  • PC Windows (what OS?) client with Firefox
  • Are you intercepting the traffic or using Squid as a simple forward proxy defined in the browser or OS proxy settings?

Can you share a basic squid.conf (cleaned of personal details) to make sure where and how these rules should be applied?

Thanks,

Eliezer

----

Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]


From: [hidden email]
Sent: Tuesday, June 30, 2020 1:08 AM
To: [hidden email]; [hidden email]
Subject: Re: [squid-users] Squid 4 and on_unsupported_protocol


Re: Squid 4 and on_unsupported_protocol

Vieri


On Tuesday, June 30, 2020, 8:50:09 AM GMT+2, Eliezer Croitoru <[hidden email]> wrote:

>
> I can try to re-produce this setup locally to make sure that it works as described in the docs.

Thanks!

> So couple details:
>   * PC Windows(What OS?) client with firefox

Windows 10, Windows 7
Firefox ESR 68.5.0
 
>    * Are you Intercepting the traffic or using Squid as a simple forward proxy defined in the browser or OS proxy settings?

Intercepting with TPROXY.

> Can you share a basic squid.conf (cleaned of personal details) to make sure where and how these rules should be applied?
 
Here it goes (client traffic is intercepted/bumped):

squid.conf:

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Safe_ports port 901        # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/squid.include
include /etc/squid/squid.include.rules
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320


squid.include:

acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem sslflags=NO_DEFAULT_CA
tls_outgoing_options flags=DONT_VERIFY_PEER
sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10
cache_dir diskd /var/cache/squid 32 16 256

squid.include.common:

cache_mgr [hidden email]
email_err_data on
error_directory /usr/share/squid/errors/custom
client_lifetime 480 minutes


squid.include.hide:

httpd_suppress_version_string on
dns_v4_first on
via off
forwarded_for transparent


squid.include.rules:

external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/[hidden email]
auth_param negotiate children 60
auth_param negotiate keep_alive on
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl ORG_all proxy_auth REQUIRED
external_acl_type bllookup ttl=86400 negative_ttl=86400 children-max=80 children-startup=10 children-idle=3 concurrency=8 %PROTO %DST %PORT %PATH /opt/custom/scripts/run/scripts/firewall/ext_sql_blwl_acl.pl --table=shallalist_bl --categories=adv,aggressive,alcohol,anonvpn,automobile_bikes,automobile_boats,automobile_cars,automobile_planes,chat,costtraps,dating,drugs,dynamic,finance_insurance,finance_moneylending,finance_other,finance_realestate,finance_trading,fortunetelling,forum,gamble,hacking,hobby_cooking,hobby_games-misc,hobby_games-online,hobby_gardening,hobby_pets,homestyle,imagehosting,isp,jobsearch,military,models,movies,music,podcasts,politics,porn,radiotv,recreation_humor,recreation_martialarts,recreation_restaurants,recreation_sports,recreation_travel,recreation_wellness,redirector,religion,remotecontrol,ringtones,science_astronomy,science_chemistry,sex_education,sex_lingerie,shopping,socialnet,spyware,tracker,updatesites,urlshortener,violence,warez,weapons,webphone,webradio,webtv
acl privileged_src_ips src "/SAMBA/proxy-settings/allowed.ips"
acl privileged_extra1_src_ips src "/SAMBA/proxy-settings/allowed.extra1.ips"
acl privileged_user_groups external nt_group "/SAMBA/proxy-settings/allowed.groups"
acl direct_dst_domains dstdomain "/SAMBA/proxy-settings/allowed.direct"
acl good_dst_domains dstdomain "/SAMBA/proxy-settings/allowed.domains"
acl good_dst_domains_with_any_filetype dstdomain "/SAMBA/proxy-settings/allowed.domains.filetypes"
acl good_dst_domains_with_any_mimetype dstdomain "/SAMBA/proxy-settings/allowed.domains.mimetypes"
acl good_urls_any_useragent url_regex "/SAMBA/proxy-settings/allowed.useragents.urls"
acl good_urls url_regex "/SAMBA/proxy-settings/allowed.urls"
acl bad_dst_domains dstdomain "/SAMBA/proxy-settings/denied.domains"
acl bad_dst_ccn_domains dstdomain "/SAMBA/proxy-settings/denied.ccn.domains"
acl bad_dst_ccn_ips dst "/SAMBA/proxy-settings/denied.ccn.ips"
acl limited_dst_domains_1 dstdomain "/SAMBA/proxy-settings/denied.extra1.domains"
acl bad_ads url_regex "/SAMBA/proxy-settings/denied.ads"
acl bad_filetypes urlpath_regex -i "/SAMBA/proxy-settings/denied.filetypes"
acl bad_requested_mimetypes req_mime_type -i "/SAMBA/proxy-settings/denied.mimetypes"
acl limited_requested_mimetypes_1 req_mime_type -i "/SAMBA/proxy-settings/denied.extra1.mimetypes"
acl bad_replied_mimetypes rep_mime_type -i "/SAMBA/proxy-settings/denied.mimetypes"
acl limited_replied_mimetypes_1 rep_mime_type -i "/SAMBA/proxy-settings/denied.extra1.mimetypes"
acl restricted_requested_mimetypes_1 req_mime_type -i "/SAMBA/proxy-settings/denied.restricted1.mimetypes"
acl restricted_replied_mimetypes_1 rep_mime_type -i "/SAMBA/proxy-settings/denied.restricted1.mimetypes"
acl restricted_good_dst_domains_1 dstdomain "/SAMBA/proxy-settings/allowed.restricted1.domains"
acl restricted_src_ips_1 dst "/SAMBA/proxy-settings/allowed.restricted1.ips"
acl explicit_only_src_ips src "/SAMBA/proxy-settings/restricted.ips"
acl explicit_only_user_groups external nt_group "/SAMBA/proxy-settings/restricted.groups"
acl explicit_only_dst_domains dstdomain "/SAMBA/proxy-settings/restricted.domains"
acl bl_lookup external bllookup
acl bad_urlshorteners dstdomain "/etc/squidGuard/db/HMANshallalist/urlshortener/domains"
acl redirected_domains_1 dstdomain .some.domain.com .some.other.domain.com
acl redirected_domains_2 dstdomain anotherdomain.com
acl redirected_urls_1 url_regex ^https://domain.com/path/
acl good_useragents req_header User-Agent Firefox/
acl good_useragents req_header User-Agent Edge/
acl good_useragents req_header User-Agent Microsoft-CryptoAPI/
acl src_ips_with_any_useragent src "/SAMBA/proxy-settings/allowed.useragents.ips"
acl dst_domains_with_any_useragent dstdomain "/SAMBA/proxy-settings/allowed.useragents.domains"
acl dst_ips_with_any_useragent dst "/SAMBA/proxy-settings/allowed.useragents.dst.ips"
http_access deny explicit !ORG_all
http_access deny explicit SSL_ports
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol respond all
http_access allow CONNECT interceptedssl SSL_ports
http_access deny !good_useragents !src_ips_with_any_useragent !dst_domains_with_any_useragent !dst_ips_with_any_useragent !good_urls_any_useragent
deny_info http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents good_useragents
deny_info http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents src_ips_with_any_useragent
deny_info http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents dst_domains_with_any_useragent
deny_info http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents dst_ips_with_any_useragent
http_access allow localnet !explicit_only_src_ips good_dst_domains
http_access allow localnet !explicit_only_src_ips good_urls
http_access allow localnet !explicit_only_src_ips good_urls_any_useragent
http_access allow localnet !explicit_only_src_ips privileged_src_ips
http_reply_access allow localnet !explicit_only_src_ips privileged_src_ips
http_reply_access allow localnet !explicit_only_src_ips good_dst_domains
http_reply_access allow localnet !explicit_only_src_ips good_urls
http_access allow explicit_only_src_ips explicit_only_dst_domains
http_access deny explicit_only_src_ips
http_access deny redirected_domains_1
deny_info 302:http://some.domain.com redirected_domains_1
http_access deny redirected_domains_2
deny_info 302:https://anotherdomain.com redirected_domains_2
http_access deny redirected_urls_1
deny_info 302:http://some.domain.com redirected_urls_1
http_access deny !privileged_src_ips bad_urlshorteners
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_urlshorteners bad_urlshorteners
http_access allow restricted_requested_mimetypes_1 restricted_good_dst_domains_1
http_access allow restricted_requested_mimetypes_1 restricted_src_ips_1
http_reply_access allow restricted_replied_mimetypes_1 restricted_good_dst_domains_1
http_reply_access allow restricted_replied_mimetypes_1 restricted_src_ips_1
http_access allow limited_requested_mimetypes_1 privileged_extra1_src_ips limited_dst_domains_1
http_reply_access allow limited_replied_mimetypes_1 privileged_extra1_src_ips limited_dst_domains_1
http_access deny restricted_requested_mimetypes_1
http_reply_access deny restricted_replied_mimetypes_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes restricted_replied_mimetypes_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes restricted_requested_mimetypes_1
http_access deny limited_requested_mimetypes_1
http_reply_access deny limited_replied_mimetypes_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes limited_requested_mimetypes_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes limited_replied_mimetypes_1
http_access deny !privileged_src_ips bad_dst_domains
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_domains bad_dst_domains
http_access deny bad_dst_ccn_domains
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_ccn bad_dst_ccn_domains
http_access deny bad_dst_ccn_ips
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_ccn bad_dst_ccn_ips
http_access allow privileged_extra1_src_ips limited_dst_domains_1
http_access deny limited_dst_domains_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=limited_dst_domains_1 limited_dst_domains_1
http_access deny bad_filetypes !good_dst_domains_with_any_filetype
http_reply_access deny bad_filetypes !good_dst_domains_with_any_filetype
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_filetypes bad_filetypes
http_access deny bad_requested_mimetypes !good_dst_domains_with_any_mimetype
http_reply_access deny bad_replied_mimetypes !good_dst_domains_with_any_mimetype
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes bad_requested_mimetypes
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes bad_replied_mimetypes
http_access allow localnet bl_lookup
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_domains_bl all
debug_options rotate=1 ALL,1
append_domain .domain.org
reply_header_access Alternate-Protocol deny all
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/SAMBA/proxy-settings/allowed.direct"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service antivirus respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access antivirus allow all
include /etc/squid/squid.include.common
include /etc/squid/squid.include.hide
cache_mem 32 MB
max_filedescriptors 65536
icap_service_failure_limit -1
icap_persistent_connections off


Regards,

Vieri

Re: Squid 4 and on_unsupported_protocol

Eliezer Croitoru-3
Hey Vieri,

I have tested the wiki pages again to make sure it's not misleading and..
I have used the next regex:
## START OF FILE
# Web.whatsapp.com
^(w[0-9]+|[a-z]+\.)?web\.whatsapp\.com$

# Whatsapp CDN issue
.whatsapp\.net$
## EOF

Which seems a bit more accurate than what's in the wiki.
If it works for your use case the same, I think the wiki should be updated.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
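An offline check of the two patterns posted above, added here as an example that is not part of this thread or of the Squid wiki: it runs them the way a Squid ssl::server_name_regex ACL does (an unanchored search against the SNI, so only the pattern's own anchors limit the match) over a constructed list of hostnames, shows which names each pattern would splice past inspection, and models the src-restricted splice Vieri asked for. The sample hostnames, the allowed_nets values, the TIGHTENED_NET_PATTERN variant and the squid.conf ordering in the docstring are assumptions, not taken from the posts.

```python
import ipaddress
import re

# The two patterns from Eliezer's post, copied verbatim.
POSTED_PATTERNS = [
    r"^(w[0-9]+|[a-z]+\.)?web\.whatsapp\.com$",
    r".whatsapp\.net$",
]

# Assumed tightening of the second pattern: its leading unescaped "." matches
# any character, so the posted version also splices (and therefore stops
# inspecting) any name that merely ends in "whatsapp.net". Requiring a label
# boundary keeps the bypass limited to the whatsapp.net zone itself.
TIGHTENED_NET_PATTERN = r"(^|\.)whatsapp\.net$"

# Constructed sample SNI values (not captured traffic). Note that the first
# alternative in the posted pattern, "w[0-9]+", has no trailing "\." so a
# numbered label such as "w3." is not matched; whether such names are in use
# is outside this thread, the check just makes the behaviour visible.
SAMPLE_SNI = [
    "web.whatsapp.com",
    "static.web.whatsapp.com",
    "w3.web.whatsapp.com",
    "mmg.whatsapp.net",
    "xwhatsapp.net",
    "web.whatsapp.com.example.org",
]


def first_match(patterns, sni):
    """Return the first pattern that matches the SNI, or None.

    Squid regex ACLs match anywhere in the value (like re.search), so the
    anchors written into the pattern decide how strict the match is.
    """
    for pattern in patterns:
        if re.search(pattern, sni):
            return pattern
    return None


def report(patterns, hosts):
    """Map each host to the pattern that would splice it (None = still bumped)."""
    return {host: first_match(patterns, host) for host in hosts}


def splice_decision(sni, client_ip, allowed_nets, patterns=POSTED_PATTERNS):
    """Model the src-restricted splice from the original question.

    Assumed equivalent squid.conf ordering (standard ACL-list AND semantics,
    placed before the catch-all bump rule):
        acl whatsapp_clients src 10.0.0.0/8
        acl whatsapp_sni ssl::server_name_regex "/path/to/whatsapp.regex"
        ssl_bump peek DiscoverSNIHost
        ssl_bump splice whatsapp_sni whatsapp_clients
        ssl_bump bump all
    Only clients inside allowed_nets get the splice; everyone else is still
    bumped, so the inspection bypass stays as narrow as possible.
    """
    ip = ipaddress.ip_address(client_ip)
    client_allowed = any(ip in ipaddress.ip_network(net) for net in allowed_nets)
    if client_allowed and first_match(patterns, sni) is not None:
        return "splice"
    return "bump"


if __name__ == "__main__":
    for host, hit in report(POSTED_PATTERNS, SAMPLE_SNI).items():
        print(f"{host:32} -> {'splice via ' + hit if hit else 'bump'}")
    print("tightened .net pattern on xwhatsapp.net:",
          first_match([TIGHTENED_NET_PATTERN], "xwhatsapp.net"))
```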

-----Original Message-----
From: Vieri [mailto:[hidden email]]
Sent: Tuesday, June 30, 2020 11:57 AM
To: Squid Users; Eliezer Croitoru
Subject: Re: [squid-users] Squid 4 and on_unsupported_protocol



 On Tuesday, June 30, 2020, 8:50:09 AM GMT+2, Eliezer Croitoru <[hidden email]> wrote:

>
> I can try to re-produce this setup locally to make sure that it works as described in the docs.

Thanks!

> So couple details:
>   * PC Windows(What OS?) client with firefox

Windows 10, Windows 7
Firefox ESR 68.5.0
 
>    * Are you Intercepting the traffic or using Squid as a simple forward proxy defined in the browser or OS proxy settings?

Intercepting with TPROXY.

> Can you share a basic squid.conf (cleaned of personal details) to make sure where and how these rules should be applied?
 
Here it goes (client traffic is intercepted/bumped):

squid.conf:

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl Safe_ports port 901        # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/squid.include
include /etc/squid/squid.include.rules
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320


squid.include:

acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem sslflags=NO_DEFAULT_CA
tls_outgoing_options flags=DONT_VERIFY_PEER
sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10
cache_dir diskd /var/cache/squid 32 16 256

squid.include.common:

cache_mgr [hidden email]
email_err_data on
error_directory /usr/share/squid/errors/custom
client_lifetime 480 minutes


squid.include.hide:

httpd_suppress_version_string on
dns_v4_first on
via off
forwarded_for transparent


squid.include.rules:

external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/[hidden email]
auth_param negotiate children 60
auth_param negotiate keep_alive on
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl ORG_all proxy_auth REQUIRED
external_acl_type bllookup ttl=86400 negative_ttl=86400 children-max=80 children-startup=10 children-idle=3 concurrency=8 %PROTO %DST %PORT %PATH /opt/custom/scripts/run/scripts/firewall/ext_sql_blwl_acl.pl --table=shallalist_bl --categories=adv,aggressive,alcohol,anonvpn,automobile_bikes,automobile_boats,automobile_cars,automobile_planes,chat,costtraps,dating,drugs,dynamic,finance_insurance,finance_moneylending,finance_other,finance_realestate,finance_trading,fortunetelling,forum,gamble,hacking,hobby_cooking,hobby_games-misc,hobby_games-online,hobby_gardening,hobby_pets,homestyle,imagehosting,isp,jobsearch,military,models,movies,music,podcasts,politics,porn,radiotv,recreation_humor,recreation_martialarts,recreation_restaurants,recreation_sports,recreation_travel,recreation_wellness,redirector,religion,remotecontrol,ringtones,science_astronomy,science_chemistry,sex_education,sex_lingerie,shopping,socialnet,spyware,tracker,updatesites,urlshortener,violence,warez,weapons,webphone,webradio,webtv
acl privileged_src_ips src "/SAMBA/proxy-settings/allowed.ips"
acl privileged_extra1_src_ips src "/SAMBA/proxy-settings/allowed.extra1.ips"
acl privileged_user_groups external nt_group "/SAMBA/proxy-settings/allowed.groups"
acl direct_dst_domains dstdomain "/SAMBA/proxy-settings/allowed.direct"
acl good_dst_domains dstdomain "/SAMBA/proxy-settings/allowed.domains"
acl good_dst_domains_with_any_filetype dstdomain "/SAMBA/proxy-settings/allowed.domains.filetypes"
acl good_dst_domains_with_any_mimetype dstdomain "/SAMBA/proxy-settings/allowed.domains.mimetypes"
acl good_urls_any_useragent url_regex "/SAMBA/proxy-settings/allowed.useragents.urls"
acl good_urls url_regex "/SAMBA/proxy-settings/allowed.urls"
acl bad_dst_domains dstdomain "/SAMBA/proxy-settings/denied.domains"
acl bad_dst_ccn_domains dstdomain "/SAMBA/proxy-settings/denied.ccn.domains"
acl bad_dst_ccn_ips dst "/SAMBA/proxy-settings/denied.ccn.ips"
acl limited_dst_domains_1 dstdomain "/SAMBA/proxy-settings/denied.extra1.domains"
acl bad_ads url_regex "/SAMBA/proxy-settings/denied.ads"
acl bad_filetypes urlpath_regex -i "/SAMBA/proxy-settings/denied.filetypes"
acl bad_requested_mimetypes req_mime_type -i "/SAMBA/proxy-settings/denied.mimetypes"
acl limited_requested_mimetypes_1 req_mime_type -i "/SAMBA/proxy-settings/denied.extra1.mimetypes"
acl bad_replied_mimetypes rep_mime_type -i "/SAMBA/proxy-settings/denied.mimetypes"
acl limited_replied_mimetypes_1 rep_mime_type -i "/SAMBA/proxy-settings/denied.extra1.mimetypes"
acl restricted_requested_mimetypes_1 req_mime_type -i "/SAMBA/proxy-settings/denied.restricted1.mimetypes"
acl restricted_replied_mimetypes_1 rep_mime_type -i "/SAMBA/proxy-settings/denied.restricted1.mimetypes"
acl restricted_good_dst_domains_1 dstdomain "/SAMBA/proxy-settings/allowed.restricted1.domains"
acl restricted_src_ips_1 dst "/SAMBA/proxy-settings/allowed.restricted1.ips"
acl explicit_only_src_ips src "/SAMBA/proxy-settings/restricted.ips"
acl explicit_only_user_groups external nt_group "/SAMBA/proxy-settings/restricted.groups"
acl explicit_only_dst_domains dstdomain "/SAMBA/proxy-settings/restricted.domains"
acl bl_lookup external bllookup
acl bad_urlshorteners dstdomain "/etc/squidGuard/db/HMANshallalist/urlshortener/domains"
acl redirected_domains_1 dstdomain .some.domain.com .some.other.domain.com
acl redirected_domains_2 dstdomain anotherdomain.com
acl redirected_urls_1 url_regex ^https://domain.com/path/
acl good_useragents req_header User-Agent Firefox/
acl good_useragents req_header User-Agent Edge/
acl good_useragents req_header User-Agent Microsoft-CryptoAPI/
acl src_ips_with_any_useragent src "/SAMBA/proxy-settings/allowed.useragents.ips"
acl dst_domains_with_any_useragent dstdomain "/SAMBA/proxy-settings/allowed.useragents.domains"
acl dst_ips_with_any_useragent dst "/SAMBA/proxy-settings/allowed.useragents.dst.ips"
http_access deny explicit !ORG_all
http_access deny explicit SSL_ports
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol respond all
http_access allow CONNECT interceptedssl SSL_ports
http_access deny !good_useragents !src_ips_with_any_useragent !dst_domains_with_any_useragent !dst_ips_with_any_useragent !good_urls_any_useragent
deny_info <a href="http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents">http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents good_useragents
deny_info <a href="http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents">http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents src_ips_with_any_useragent
deny_info <a href="http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents">http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents dst_domains_with_any_useragent
deny_info <a href="http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents">http://inf-fw2.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_useragents dst_ips_with_any_useragent
http_access allow localnet !explicit_only_src_ips good_dst_domains
http_access allow localnet !explicit_only_src_ips good_urls
http_access allow localnet !explicit_only_src_ips good_urls_any_useragent
http_access allow localnet !explicit_only_src_ips privileged_src_ips
http_reply_access allow localnet !explicit_only_src_ips privileged_src_ips
http_reply_access allow localnet !explicit_only_src_ips good_dst_domains
http_reply_access allow localnet !explicit_only_src_ips good_urls
http_access allow explicit_only_src_ips explicit_only_dst_domains
http_access deny explicit_only_src_ips
http_access deny redirected_domains_1
deny_info 302:http://some.domain.com redirected_domains_1
http_access deny redirected_domains_2
deny_info 302:https://anotherdomain.com redirected_domains_2
http_access deny redirected_urls_1
deny_info 302:http://some.domain.com redirected_urls_1
http_access deny !privileged_src_ips bad_urlshorteners
deny_info <a href="http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_urlshorteners">http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_urlshorteners bad_urlshorteners
http_access allow restricted_requested_mimetypes_1 restricted_good_dst_domains_1
http_access allow restricted_requested_mimetypes_1 restricted_src_ips_1
http_reply_access allow restricted_replied_mimetypes_1 restricted_good_dst_domains_1
http_reply_access allow restricted_replied_mimetypes_1 restricted_src_ips_1
http_access allow limited_requested_mimetypes_1 privileged_extra1_src_ips limited_dst_domains_1
http_reply_access allow limited_replied_mimetypes_1 privileged_extra1_src_ips limited_dst_domains_1
http_access deny restricted_requested_mimetypes_1
http_reply_access deny restricted_replied_mimetypes_1
deny_info <a href="http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes">http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes restricted_replied_mimetypes_1
deny_info <a href="http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes">http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes restricted_requested_mimetypes_1
http_access deny limited_requested_mimetypes_1
http_reply_access deny limited_replied_mimetypes_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes limited_requested_mimetypes_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes limited_replied_mimetypes_1
http_access deny !privileged_src_ips bad_dst_domains
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_domains bad_dst_domains
http_access deny bad_dst_ccn_domains
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_ccn bad_dst_ccn_domains
http_access deny bad_dst_ccn_ips
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_ccn bad_dst_ccn_ips
http_access allow privileged_extra1_src_ips limited_dst_domains_1
http_access deny limited_dst_domains_1
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=limited_dst_domains_1 limited_dst_domains_1
http_access deny bad_filetypes !good_dst_domains_with_any_filetype
http_reply_access deny bad_filetypes !good_dst_domains_with_any_filetype
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_filetypes bad_filetypes
http_access deny bad_requested_mimetypes !good_dst_domains_with_any_mimetype
http_reply_access deny bad_replied_mimetypes !good_dst_domains_with_any_mimetype
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes bad_requested_mimetypes
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_mimetypes bad_replied_mimetypes
http_access allow localnet bl_lookup
deny_info http://fwprox.domain.org/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=bad_dst_domains_bl all
debug_options rotate=1 ALL,1
append_domain .domain.org
reply_header_access Alternate-Protocol deny all
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/SAMBA/proxy-settings/allowed.direct"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service antivirus respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access antivirus allow all
include /etc/squid/squid.include.common
include /etc/squid/squid.include.hide
cache_mem 32 MB
max_filedescriptors 65536
icap_service_failure_limit -1
icap_persistent_connections off


Regards,

Vieri

Re: Squid 4 and on_unsupported_protocol

Vieri
On Tuesday, June 30, 2020, 1:41:57 PM GMT+2, Eliezer Croitor <[hidden email]> wrote:

> ^(w[0-9]+|[a-z]+\.)?web\.whatsapp\.com$

Yes, it does. I should have seen that... Thanks for your help!

Vieri
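The thread ends with the regex Eliezer suggested for the splice allow-list, and Vieri's config above uses the usual three-rule ssl_bump ladder (peek at step 1, splice when the SNI matches the allow-list, bump everything else). Before putting a server_name_regex into production it is worth checking, offline, exactly which SNI values it splices and which it still bumps, because a splice rule that over-matches silently exempts traffic from inspection. The script below is an added example, not code from the thread or from the Squid project: it evaluates the quoted regex against a constructed set of SNI values and models the resulting ssl_bump decision. It uses Python's re module rather than Squid's POSIX regex engine; the two agree for this anchored pattern, but the model is only as faithful as that assumption.

```python
import re

# The ssl::server_name_regex pattern quoted in the reply above.
WHATSAPP_SNI_RE = re.compile(r"^(w[0-9]+|[a-z]+\.)?web\.whatsapp\.com$")


def sni_matches_whatsapp(sni: str) -> bool:
    """Return True when the SNI would match the NoSSLIntercept ACL."""
    return WHATSAPP_SNI_RE.search(sni) is not None


def ssl_bump_decision(sni: str) -> str:
    """Model the step-2 outcome of the posted ssl_bump ladder.

    ssl_bump peek DiscoverSNIHost     (step 1: learn the SNI, no decision yet)
    ssl_bump splice NoSSLIntercept    (step 2: splice if the SNI matches)
    ssl_bump bump all                 (step 2: otherwise bump)

    An empty string stands for a ClientHello without SNI; it cannot match the
    regex, so it falls through to the bump rule.
    """
    return "splice" if sni_matches_whatsapp(sni) else "bump"


# Constructed sample of SNI values (not taken from the thread), chosen to
# probe both the intended matches and the anchoring of the pattern.
SAMPLE_SNIS = [
    "web.whatsapp.com",              # plain host: spliced
    "www.web.whatsapp.com",          # [a-z]+\. prefix: spliced
    "w4web.whatsapp.com",            # w[0-9]+ prefix has no trailing dot, so this matches
    "w4.web.whatsapp.com",           # ...while the dotted form does not
    "web.whatsapp.com.evil.example", # trailing $ anchor: bumped
    "notweb.whatsapp.com",           # leading ^ anchor: bumped
    "",                              # no SNI at all: bumped
]


def decision_table(snis=SAMPLE_SNIS) -> dict:
    """Map each SNI to the modelled ssl_bump decision."""
    return {sni: ssl_bump_decision(sni) for sni in snis}


def spliced_hosts(snis=SAMPLE_SNIS) -> list:
    """Return only the SNIs the allow-list would exempt from bumping."""
    return [sni for sni in snis if ssl_bump_decision(sni) == "splice"]


if __name__ == "__main__":
    for sni, verdict in decision_table().items():
        print(f"{sni or '<no SNI>':32} -> {verdict}")
```

Reviewing the output of spliced_hosts() against the list of destinations you actually intend to exempt is the check worth keeping: anything that appears there is traffic Squid will pass through untouched by the bump, ICAP antivirus and reply-access rules in the config above.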