Stuck Filtering HTTPS URL

Stuck Filtering HTTPS URL

Garbacik, Joe

I am trying to permit access to something like the following, https://www.example.com/world, without providing access to the whole site.

I have a basic configuration with the pertinent items as follows:

http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_certs.d/myCA.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=16MB \
  options=SINGLE_DH_USE,SINGLE_ECDH_USE,NO_SSLv3,CIPHER_SERVER_PREFERENCE cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4 sslflags=NO_SESSION_REUSE \
  tls-dh=prime256v1:/etc/squid/dhparams.d/dhparam.pem

sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 16MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1
ssl_bump bump all

acl DSTDOMAIN_ALLOW dstdomain www.example.com
acl URLPATH_ALLOW urlpath_regex -i ^/world/*
http_access allow SrcSubnet DSTDOMAIN_ALLOW URLPATH_ALLOW
note ruleid Rule-10-GCP.conf SrcSubnet DSTDOMAIN_ALLOW URLPATH_ALLOW
note ruletype ALLOW SrcSubnet DSTDOMAIN_ALLOW URLPATH_ALLOW


Dumping the log in debug mode, I see what appears to be Squid obtaining the path but then failing the connection. If I am reading it properly, it seems to fail the SSL connection after decrypting it, without passing through any ACLs. I've tried researching the "delated error" message from the log. Is there a better way to troubleshoot this error, or should I not expect to be able to filter a full URL via HTTPS?

2019/08/12 10:40:29.053 kid1| 23,3| Uri.cc(371) parse: Split URL 'www.example.com:443' into proto='', host='www.example.com', port='443', path=''
2019/08/12 10:40:29.055 kid1| 28,5| Acl.cc(124) matches: checking DSTDOMAIN_ALLOW
2019/08/12 10:40:29.055 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking 'www.example.com'
2019/08/12 10:40:29.055 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: 'www.example.com' found
2019/08/12 10:40:29.055 kid1| 28,3| Acl.cc(151) matches: checked: DSTDOMAIN_ALLOW_1 = 1
2019/08/12 10:40:29.055 kid1| 28,5| Acl.cc(124) matches: checking URLPATH_ALLOW
2019/08/12 10:40:29.055 kid1| 28,3| Acl.cc(151) matches: checked: URLPATH_ALLOW = -1
2019/08/12 10:40:29.055 kid1| 33,4| ServerBump.cc(26) ServerBump: will peek at www.example.com:443
2019/08/12 10:40:29.062 kid1| 83,3| Handshake.cc(497) parseSniExtension: host_name=www.example.com
….
2019/08/12 10:40:29.062 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: 'www.example.com' found
2019/08/12 10:40:29.062 kid1| 28,3| Acl.cc(151) matches: checked: DSTDOMAIN_ALLOW = 1
2019/08/12 10:40:29.062 kid1| 28,5| Acl.cc(124) matches: checking URLPATH_ALLOW
2019/08/12 10:40:29.062 kid1| 28,3| Acl.cc(151) matches: checked: URLPATH_ALLOW = -1
2019/08/12 10:40:29.064 kid1| 33,5| client_side.cc(3023) getSslContextStart: SSL crtd request: new_certificate 2999 host=www.example.com
2019/08/12 10:40:29.065 kid1| 33,5| client_side.cc(2860) sslCrtdHandleReply: Certificate for www.example.com was successfully recieved from ssl_crtd
2019/08/12 10:40:29.081 kid1| 11,2| client_side.cc(1323) parseHttpRequest: HTTP Client REQUEST:
---------
GET /world HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive

2019/08/12 10:40:29.081 kid1| 23,3| Uri.cc(371) parse: Split URL 'https://www.example.com/world' into proto='https', host='www.example.com', port='443', path='/world'
2019/08/12 10:40:29.081 kid1| 33,5| Http1Server.cc(188) buildHttpRequest: normalize 1 Host header using www.example.com
2019/08/12 10:40:29.081 kid1| 33,3| client_side.cc(641) clientSetKeepaliveFlag: http_ver = HTTP/1.1
2019/08/12 10:40:29.081 kid1| 33,3| client_side.cc(642) clientSetKeepaliveFlag: method = GET
2019/08/12 10:40:29.081 kid1| 33,4| client_side.cc(1471) quitAfterError: Will close after error: local=10. 200. 200. 200:3128 remote=10.1.2.3:64913 FD 13 flags=1
2019/08/12 10:40:29.081 kid1| 33,5| client_side.cc(1492) serveDelayedError: Responding with delated error for https://www.example.com/world
2019/08/12 10:40:29.081 kid1| 11,5| HttpRequest.cc(459) detailError: current error details: 1/0
2019/08/12 10:40:29.081 kid1| 33,5| Stream.cc(109) pullData: 0 written 0 into local=10.200. 200. 200:3128 remote=10.1.2.3:64913 FD 13 flags=1
2019/08/12 10:40:29.081 kid1| 33,5| Stream.cc(133) getNextRangeOffset: range: 0; http offset 0; reply 0
2019/08/12 10:40:29.081 kid1| 33,5| store_client.cc(319) doCopy: store_client::doCopy: co: 0, hi: 3760
2019/08/12 10:40:29.081 kid1| 33,3| Pipeline.cc(35) front: Pipeline 0x2c6cb40 front 0x2c71fc0*4
2019/08/12 10:40:29.081 kid1| 33,3| Pipeline.cc(35) front: Pipeline 0x2c6cb40 front 0x2c71fc0*4
2019/08/12 10:40:29.081 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=10.193.161.197:3128 remote=10.63.200.153:64913 FD 13 flags=1
2019/08/12 10:40:29.081 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Stuck Filtering HTTPS URL

Alex Rousskov
On 8/12/19 3:16 PM, Garbacik, Joe wrote:
> I am trying to permit access to something like the following,
> https://www.example.com/world, without providing access to the whole site.

> 2019/08/12 10:40:29.081 kid1| 33,4| client_side.cc(1471) quitAfterError: Will close after error:...

> HTTP/1.1 403 Forbidden

> http_access allow SrcSubnet DSTDOMAIN_ALLOW URLPATH_ALLOW

You are probably (implicitly) denying the CONNECT request sent by the client
to Squid. Squid needs to process that CONNECT request (which does not
have a URL path) before Squid can bump the TLS tunnel (and see in-tunnel
requests with URLs that have paths). If you deny CONNECT, Squid will
bump the client connection and respond with a (delayed) "access denied"
error to the first in-tunnel request, regardless of what that first
in-tunnel request is.

Rule of thumb: Make everything work, including SslBump, _before_
applying custom filtering rules.

Alex.
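An http_access ordering that follows the explanation in the reply, as an added example that is not part of either post: the CONNECT request is allowed by destination alone (it carries no path, which is why URLPATH_ALLOW evaluates to -1 in the log), and the path filter is applied only to the decrypted in-tunnel request. The SrcSubnet definition, the stock CONNECT and SSL_ports ACLs, and the final deny are assumed because the original post does not show them; the http_port and sslcrtd_program lines from the post are unchanged and omitted here.

```conf
# Added example, not from the thread. The http_port ... ssl-bump and
# sslcrtd_program lines from the original post are kept as-is (omitted here).

# Assumed: SrcSubnet is referenced in the post but its definition is not shown.
acl SrcSubnet src 10.1.2.0/24
# Stock squid.conf definitions, assumed present.
acl SSL_ports port 443
acl CONNECT method CONNECT

acl DSTDOMAIN_ALLOW dstdomain www.example.com
# Anchored at both ends: the post's ^/world/* also matches /worldwide etc.
acl URLPATH_ALLOW urlpath_regex -i ^/world(/|$)

acl step1 at_step SslBump1

# 1. The client's CONNECT www.example.com:443 has no path, so a rule that
#    requires URLPATH_ALLOW can never match it (URLPATH_ALLOW = -1 in the log)
#    and the CONNECT falls through to the implicit deny. Allow the tunnel by
#    destination only; this is the check Squid must pass before it can bump.
http_access allow SrcSubnet CONNECT SSL_ports DSTDOMAIN_ALLOW

# 2. After the bump, each decrypted in-tunnel request (GET /world HTTP/1.1,
#    Host: www.example.com) is checked against http_access again with its
#    full https:// URL, so the path restriction belongs here.
http_access allow SrcSubnet DSTDOMAIN_ALLOW URLPATH_ALLOW

# Everything else, including other paths on www.example.com, is refused
# with a 403 inside the bumped tunnel.
http_access deny all

ssl_bump peek step1
ssl_bump bump all
```

With this ordering, the first debug-log ACL check on the CONNECT should end at the first allow rule rather than at URLPATH_ALLOW = -1, and the 403 should appear only for in-tunnel requests whose path is outside /world.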