Squid Version 3.5.20


Squid Version 3.5.20

Cherukuri, Naresh

Hello All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA certificates. Can you shed some light on how to “Configure regular expression of the Google ReCaptcha URL with ACL”?

My requirement:

This requirement is to allow Google’s ReCaptcha URL (HTTPS) so associates can successfully use ADP, which now utilizes Google’s ReCaptcha, which is called via an HTTPS URL, without allowing users to access other Google-related services such as Gmail or Google Drive.

Any ideas much appreciated!

Thanks,

Naresh


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid Version 3.5.20

Eliezer Croitoru
Hey,

I can try to help you but I do not have enough logs for it.
Also it's not so simple.
Basically you will need to block gmail and google drive themselves in one
rule that will not include other google services.

All The Bests,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On
Behalf Of Cherukuri, Naresh
Sent: Friday, June 23, 2017 23:34
To: [hidden email]
Subject: [squid-users] Squid Version 3.5.20

Hello All,

I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA
certificates. Can you shed some light on how to "Configure regular
expression of the Google ReCaptcha URL with ACL"?

My requirement :

This requirement is to allow Google's ReCaptcha URL (HTTPS) so associates
can successfully use ADP which now utilizes Google's ReCaptcha which is
called via an HTTPS URL, without allowing users to access other
Google-related services such as Gmail or Google Drive.

Any ideas much appreciated!

Thanks,
Naresh


Re: Squid Version 3.5.20

Cherukuri, Naresh
Hi Eliezer,

We successfully blocked Gmail, Google Images, Google Drive and the rest of everything Google-related. Now we are allowing www.google.com and www.google/Recaptcha. We still need to block www.google.com and just allow www.google/recaptcha. Is there a way to do that?

Appreciate your quick turnover!

Thanks & Regards,
Naresh

 
-----Original Message-----
From: Eliezer Croitoru [mailto:[hidden email]]
Sent: Tuesday, June 27, 2017 10:16 AM
To: Cherukuri, Naresh; [hidden email]
Subject: RE: [squid-users] Squid Version 3.5.20

Hey,

I can try to help you but I do not have enough logs for it.
Also it's not so simple.
Basically you will need to block gmail and google drive themselves in one rule that will not include other google services.

All The Bests,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



Re: Squid Version 3.5.20

Enrico Heine
Well, I know that issue very well, and Google is the issue, since they should put their captcha on its own subdomain. Then we could effectively allow only the access to the captcha.

Until then there is no good way to achieve this. But there is an unreliable way of blocking google.com.

First allow the CONNECT method for google.com:

acl CONNECT method CONNECT
acl sslconnect dstdomain -i www.google.com
http_access allow CONNECT sslconnect

Then use a URL regex and allow google.com/recaptcha.

This way sometimes www.google.com is blocked, sometimes not. But access to recaptcha will always work.

Why can't we block it reliably? Well, when a browser/client wants to connect to an HTTPS website, the first thing the browser tries is to open an SSL tunnel to the FQDN. As soon as the tunnel is up, it will request the resource. Maybe it helps if you add a URL regex deny between allowing the CONNECT method and allowing the URL www.google.com/recaptcha.

Written on my mobile..

Br,
Flashdown



On 27 June 2017 17:07:19 CEST, "Cherukuri, Naresh" <[hidden email]> wrote:
Hi Eliezer,

We successfully blocked Gmail, Google Images, Google Drive and the rest of everything Google-related. Now we are allowing www.google.com and www.google/Recaptcha. We still need to block www.google.com and just allow www.google/recaptcha. Is there a way to do that?

Appreciate your quick turnover!

Thanks & Regards,
Naresh



Re: Squid Version 3.5.20

Cherukuri, Naresh

Hi,

Thank you for the quick turnover. As per your request, I changed the squid config as below; I am still going to www.google.com

acl CONNECT method CONNECT
acl sslconnect dstdomain -i https://www.google.com
acl GoogleRecaptcha url_regex ^https://www.google.com/recaptcha/$
http_access allow CONNECT sslconnect
http_access allow backoffice_users GoogleRecaptcha

Thanks & Regards,

Naresh

From: Flashdown [mailto:[hidden email]]
Sent: Tuesday, June 27, 2017 11:37 AM
To: [hidden email]; Cherukuri, Naresh; Eliezer Croitoru
Subject: Re: [squid-users] Squid Version 3.5.20

 

Well, I know that issue very well, and Google is the issue, since they should put their captcha on its own subdomain. Then we could effectively allow only the access to the captcha.

Until then there is no good way to achieve this. But there is an unreliable way of blocking google.com.

First allow the CONNECT method for google.com:

acl CONNECT method CONNECT
acl sslconnect dstdomain -i www.google.com
http_access allow CONNECT sslconnect

Then use a URL regex and allow google.com/recaptcha.

This way sometimes www.google.com is blocked, sometimes not. But access to recaptcha will always work.

Why can't we block it reliably? Well, when a browser/client wants to connect to an HTTPS website, the first thing the browser tries is to open an SSL tunnel to the FQDN. As soon as the tunnel is up, it will request the resource. Maybe it helps if you add a URL regex deny between allowing the CONNECT method and allowing the URL www.google.com/recaptcha.

Written on my mobile..

Br,
Flashdown



Re: Squid Version 3.5.20

Amos Jeffries
Administrator
On 28/06/17 03:46, Cherukuri, Naresh wrote:

> Hi,
>
> Thank you for the quick turnover. As per your request, I changed the squid config
> as below; I am still going to www.google.com
>
> acl CONNECT method CONNECT
>
> acl sslconnect dstdomain -i https://www.google.com
>
> acl GoogleRecaptcha url_regex ^https://www.google.com/recaptcha/$
>
> http_access allow CONNECT sslconnect
>

Er. That will never work.

* Firstly because "https://..." are not valid dstdomain values.

* Secondly because the CONNECT message uses an authority-form URL
structure, not an absolute-form URL.

Your Squid will simply not see the https:// URL unless you are
decrypting the TLS tunnel inside the CONNECT payload. That means
SSL-Bump functionality is mandatory for what you are attempting to do.

Also, be aware that Google services are using HSTS and certificate
pinning. So SSL-Bump is much more likely not to work for their URLs.

Amos
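
Added example, not part of the original posts and not Squid's own code: a simplified Python model of what the ACLs posted in this thread are compared against for a CONNECT request (authority-form) and for a request seen after SSL-Bump decryption (absolute-form). The matcher functions and the sample request paths are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Simplified stand-ins for two Squid ACL types (assumption: not Squid's matcher).
def dstdomain(value, host):
    # dstdomain compares host names only; a leading dot also covers subdomains.
    value, host = value.lower(), host.lower()
    if value.startswith("."):
        return host == value[1:] or host.endswith(value)
    return host == value

def url_regex(pattern, target):
    # url_regex is searched against the request URL exactly as the proxy sees it.
    return re.search(pattern, target) is not None

def request_host(method, target):
    # CONNECT carries authority-form "host:port"; other methods carry absolute-form.
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""

def evaluate(method, target):
    host = request_host(method, target)
    return {
        # The two ACL values as posted in the thread:
        "dstdomain_posted": dstdomain("https://www.google.com", host),
        "url_regex_posted": url_regex(r"^https://www.google.com/recaptcha/$", target),
        # Host-only dstdomain, and a prefix regex without the trailing "$":
        "dstdomain_host": dstdomain("www.google.com", host),
        "url_regex_prefix": url_regex(r"^https://www\.google\.com/recaptcha/", target),
    }

# Constructed sample requests: the tunnel request, then two decrypted requests.
TUNNEL = ("CONNECT", "www.google.com:443")
BUMPED_CAPTCHA = ("GET", "https://www.google.com/recaptcha/api.js")
BUMPED_SEARCH = ("GET", "https://www.google.com/search?q=squid")

if __name__ == "__main__":
    for method, target in (TUNNEL, BUMPED_CAPTCHA, BUMPED_SEARCH):
        print(method, target)
        for name, hit in evaluate(method, target).items():
            print(f"  {name:18} {'match' if hit else 'no match'}")
```

In this model the posted `url_regex` matches none of the three requests: the CONNECT target has no `https://` prefix, and the trailing `$` rejects any path below `/recaptcha/`. Only the decrypted requests can be told apart by path, which is why the tunnel alone cannot separate recaptcha from the rest of www.google.com.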