filtering HTTPS sites with transparent child Squid

filtering HTTPS sites with transparent child Squid

Stegner, Martin

Hi everyone,

I’ve set up a Squid as a transparent child-proxy. Every request is redirected to another Squid with the content filtering add-on e2guardian. I encounter the problem that the transparent child Squid only forwards IP-Addresses to the e2guardian when HTTPS is used and so e2guardian can’t filter anything because it can only filter by URL.

Here are some parts of the config:

http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/cert/squid.pem

ssl_bump splice all          (if I use any other option than splice nothing works for some reason)

cache_peer 172.16.0.252 parent 8080 0 default no-query no-digest

Is there any possibility that the transparent child Squid forwards the URL to the main Squid proxy?

Thanks everyone

Martin

_______________________________________________

Stadt Coburg
Amt für Informations- und Kommunikationstechnik
Head of Department, School Systems Administration
Uferstraße 7, 96450 Coburg
Tel. 09561-89 1166
Fax 09561-89 61166
E-Mail: [hidden email]
http://www.coburg.de
http://schulen.coburg.de

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: filtering HTTPS sites with transparent child Squid

Amos Jeffries
Administrator
On 27/11/17 21:20, Stegner, Martin wrote:
> Hi everyone,
>
> I’ve set up a Squid as a transparent child-proxy. Every request is
> redirected to another Squid with the content filtering add-on
> e2guardian. I encounter the problem that the transparent child Squid
> only forwards IP-Addresses to the e2guardian when HTTPS is used and so
> e2guardian can’t filter anything because it can only filter by URL.
>

A good demonstration of why calling a URL-rewrite helper a "content
filter" is completely wrong.

Real content filters receive the actual content and can filter it. ICAP
and eCAP exist for that and get passed the decrypted HTTPS messages (if
any).



> Here are some parts of the config:
>
> http_port 3130
>
> http_port 3128 intercept
>
> https_port 3129 intercept ssl-bump cert=/etc/squid/cert/squid.pem
>
> ssl_bump splice all          (if I use any other option than splice
> nothing works for some reason)

Splice tells Squid to not decrypt. Thus no content access on those
transactions.


>
> cache_peer 172.16.0.252 parent 8080 0 default no-query no-digest
>
> Is there any possibility that the transparent child Squid forwards the
> URL to the main Squid proxy?

It already is passing what it has. "The" URI of the message being
processed happens to be an authority-form URI. See
<https://tools.ietf.org/html/rfc7230#section-5.3.3>.


.. and also;

* Squid requires a secure server connection to deliver decrypted content
to. So the cache_peer needs to have the 'ssl' option and be accepting
TLS proxy connections to receive anything other than the spliced traffic.

* The CONNECT message has to complete and the TLS inside it decrypted
before any URL with "https://" scheme is known. When bumping to do the
decrypt the above criteria applies.

* HTTP/1.1 connections contain many pipelined requests. So there are
potentially many https:// URLs involved inside the crypto - it is not
possible to know in advance of decryption what those might be.


Amos
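
Added example, not part of the original thread and not code from Squid or e2guardian: a small classifier for the request-target forms of RFC 7230 section 5.3, showing how little a URL-matching filter gets from the authority-form CONNECT line discussed in the reply above. The function names and the sample request lines are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_request_target(request_line):
    """Classify the request-target of an HTTP/1.1 request line
    (RFC 7230 section 5.3) and return only what the line itself carries."""
    method, target, _version = request_line.split(" ", 2)
    if method == "CONNECT":
        # authority-form: "host:port" only, no scheme, path or query
        host, _, port = target.rpartition(":")
        return {"form": "authority", "host": host.strip("[]"),
                "port": int(port), "path": None}
    if target == "*":
        return {"form": "asterisk", "host": None, "port": None, "path": None}
    if target.startswith("/"):
        # origin-form: the host is in the Host header, not in this line
        return {"form": "origin", "host": None, "port": None, "path": target}
    url = urlsplit(target)  # absolute-form, as a client sends http:// to a proxy
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    port = url.port or {"http": 80, "https": 443}.get(url.scheme)
    return {"form": "absolute", "host": url.hostname, "port": port, "path": path}


def url_filter_view(request_line):
    """What a filter that matches on URL strings can decide from this line."""
    t = parse_request_target(request_line)
    if t["form"] == "authority":
        # Tunnel setup only: any https:// URLs travel inside the TLS stream.
        return "ip-only" if _is_ip(t["host"]) else "hostname-only"
    if t["form"] == "absolute":
        return "full-url"
    return "path-only" if t["form"] == "origin" else "nothing"


# Constructed sample request lines (documentation addresses and names).
SAMPLES = [
    "CONNECT 203.0.113.10:443 HTTP/1.1",     # IP-only CONNECT, as reported in the thread
    "CONNECT www.example.com:443 HTTP/1.1",  # client explicitly configured for a proxy
    "GET http://www.example.com/a?b=1 HTTP/1.1",
    "GET /a?b=1 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{url_filter_view(line):14} {line}")
```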
Re: filtering HTTPS sites with transparent child Squid

FredB

> >
> > I’ve set up a Squid as a transparent child-proxy. Every request is
> > redirected to another Squid with the content filtering add-on
> > e2guardian. I encounter the problem that the transparent child Squid
> > only forwards IP-Addresses to the e2guardian when HTTPS is used and so
> > e2guardian can’t filter anything because it can only filter by URL.
> >
>


In your case enable SSLMITM in e2guardian


> A good demonstration of why calling a URL-rewrite helper a "content
> filter" is completely wrong.


Actually E2guardian is also a proxy, proxy chaining mode  


>
> Real content filters receive the actual content and can filter it. ICAP
> and eCAP exist for that and get passed the decrypted HTTPS messages (if
> any).
>

Next version, soon, very soon :)

Fred