acl whitelist ssl::server_name not working

acl whitelist ssl::server_name not working

John Lowry
Thanks to Alex Rousskov's excellent explanation in
http://squid-web-proxy-cache.1019090.n4.nabble.com/Cannot-configure-squid-4-6-to-splice-without-bumping-td4688482.html,
I have been able to set up Squid as a transparent proxy that splices
HTTPS connections.

I want to set up a whitelist. First, I tried to configure SquidGuard
but I couldn't find a way to pass the servername to SquidGuard when
connections were spliced.

So now I'm trying to use ACLs to whitelist by hostname.

acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested

But I can't get it to work. The logs appeared to indicate that URLs in
the whitelist were first denied then bumped:

14/Nov/2019:08:46:25 -0800 192.168.2.43 TCP_DENIED/- 0 CONNECT 104.17.67.73:443 - HIER_NONE/- - www.headroyce.org
14/Nov/2019:08:46:25 -0800 192.168.2.43 NONE/- 3793 GET https://www.headroyce.org/ - HIER_NONE/- text/html www.headroyce.org

I think that the ACLs are trying to match a spliced connection against
the IP address rather than SNI server name.

Any idea what I'm doing wrong here?

I'd also like to present a good error message if the outcome is
denied, and never bump connections.

My config is:

acl CONNECT method CONNECT
acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested
http_access allow whitelist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localhost
http_access deny all
http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem
ssl_bump peek all
ssl_bump splice all
logformat sslbump %tl %>a %Ss/%03<Hs %<st %rm %>ru %[un %Sh/%<a %mt %ssl::>sni
access_log daemon:/var/log/squid/access.log sslbump
debug_options ALL,3 28,9
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: acl whitelist ssl::server_name not working

Alex Rousskov
On 11/14/19 12:29 PM, John Lowry wrote:
> I have been able to set up Squid as a transparent proxy that splices
> HTTPS connections.

> now I'm trying to use ACLs to whitelist by hostname.
>
> acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested


FWIW, I do not know whether the above syntax is supported. I recommend
starting with a single whitelisted name. For example:

  acl whitelist ssl::server_name --client-requested example.com

and then, if the above works, migrate to importing parameters from a
file (but start with one domain name in that file):

  acl whitelist ssl::server_name --client-requested "/etc/squid/whitelist.txt"


> But I can't get it to work. The logs appeared to indicate that URLs in
> the whitelist were first denied then bumped:
>
> 14/Nov/2019:08:46:25 -0800 192.168.2.43 TCP_DENIED/- 0 CONNECT 104.17.67.73:443 - HIER_NONE/- - www.headroyce.org
> 14/Nov/2019:08:46:25 -0800 192.168.2.43 NONE/- 3793 GET https://www.headroyce.org/ - HIER_NONE/- text/html www.headroyce.org
>
> I think that the ACLs are trying to match a spliced connection against
> the IP address rather than SNI server name.
>
> Any idea what I'm doing wrong here?

If you only want to act based on SNI, then do not use an http_access
rule during step1 when SNI is not yet known. There may be several ways
to accomplish that. However, in most cases, you want to act ASAP,
regardless of whether the [sufficient] information came from the TCP
layer or the TLS layer. If that is your use case, then it is OK to apply
the http_access rule during step1 as well (assuming your ACL will simply
not match when there is not enough information yet).


> http_access allow whitelist

Even if the request is for an "unsafe" port? I doubt you want this rule
so high. See squid.conf.default for the recommended access controls order.


> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> include /etc/squid/conf.d/*
> http_access allow localhost
> http_access deny all

FYI: The last rule will deny access to non-localhost CONNECT requests
during step1 if they do not carry enough information to qualify for the
whitelist exception.

Keep in mind that http_access rules are evaluated several times during a
single master transaction. For details, please see
https://wiki.squid-cache.org/Features/SslPeekAndSplice


HTH,

Alex.
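Editor's note: the fragment below is an added example, not a configuration posted in the thread or shipped by the Squid project. It shows one of the "several ways" Alex refers to: keep http_access to the standard safety checks, and take the SNI-based allow/deny decision in ssl_bump, which only runs after peek has read the ClientHello. It assumes Squid 4.x, the same port numbers and certificate path as in John's config, and a whitelist.txt that lists one name per line in dstdomain style (leading dot for a domain and its subdomains). The myportname ACL relies on a port with no name= option being named after its port number.

```squid
# Added example (not from the thread): splice only whitelisted SNI, never bump.
# Assumes Squid 4.x; paths and ports as in the original post.

# Option comes before the values, per the ssl::server_name documentation.
acl whitelist ssl::server_name --client-requested "/etc/squid/whitelist.txt"
acl step1 at_step SslBump1
acl interceptedTls myportname 3129

# Safety rules first, so a whitelisted name can never reach an unsafe port.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost

# Step 1: an intercepted TLS connection appears as a fake CONNECT to IP:port;
# no SNI has been read yet, so a name list cannot match here. Let these
# tunnels through http_access and decide on them in ssl_bump instead.
http_access allow interceptedTls CONNECT SSL_ports
http_access deny all

# Step 1: peek, which reads the client's SNI without committing to bump.
ssl_bump peek step1
# Step 2: the SNI is known, so the whitelist can match. Splice matches,
# close everything else. No rule here ever bumps.
ssl_bump splice whitelist
ssl_bump terminate all

http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem
```

Two caveats. First, the "good error message" and "never bump" goals conflict: Squid cannot put an HTML error page inside a TLS session it did not terminate, so with splice/terminate a denied client sees a failed TLS handshake, not a Squid error page. Second, explicit CONNECT requests on port 3127 are not subject to ssl_bump here, so they are governed by http_access alone; if non-localhost clients can reach 3127, add the same whitelist decision for that port or deny CONNECT there.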