transparent http and https filter with white-list only


transparent http and https filter with white-list only

Sergey Klusov
Hello. I'm trying to get a working transparent setup allowing only certain
domains and have the problem that in order to allow HTTPS with "ssl_bump splice
allowed_domains" I have to "http_access allow all", thus allowing all
other HTTP traffic through. Otherwise HTTPS traffic is not allowed at all.

Here is my config:

=======config=======
http_port 10.96.243.1:3128 intercept options=NO_SSLv3:NO_SSLv2
http_port 10.96.243.1:3130 options=NO_SSLv3:NO_SSLv2
https_port 10.96.243.1:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

acl http_allow dstdomain "/etc/squid/http_allow_domains.txt"
acl https_allow ssl::server_name "/etc/squid/https_allow_domains.txt"

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice https_allow
ssl_bump terminate all

cache deny all

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access allow all http_allow
http_access allow all https_allow
http_access deny all

always_direct allow all

coredump_dir /var/spool/squid

refresh_pattern .               0       0%      0

logformat ssl %ts.%03tu %6tr %>a %la:%lp %Ss/%03>Hs %<st %rm %ssl::>sni %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log logformat=ssl
================cut==============

files with domain names:
=====================
# cat http_allow_domains.txt
.google.com
# cat https_allow_domains.txt
.google.com
=====================

With this config HTTP filtering works and an https://google.com request
gets answered with a self-signed Squid deny message.
If I replace "http_access deny all" with "http_access allow all", HTTPS
filtering starts working, allowing https://google.com and resetting
other HTTPS requests, BUT it allows any HTTP traffic as well!

What am I doing wrong?
I need my server to pass "/etc/squid/http_allow_domains.txt" HTTP and
"/etc/squid/https_allow_domains.txt" HTTPS domains ONLY.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: transparent http and https filter with white-list only

Amos Jeffries
Administrator
On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
> Hello. I'm trying to get a working transparent setup allowing only certain
> domains and have the problem that in order to allow HTTPS with "ssl_bump splice
> allowed_domains" I have to "http_access allow all", thus allowing all
> other HTTP traffic through. Otherwise HTTPS traffic is not allowed at all.
>
> Here is my config:
>

Some comments inline to improve it.

Also, what version of Squid are you using?
 I will assume that you are following the best practice advice and using
at least 3.5.19.  If not, please try to upgrade.


> =======config=======
> http_port 10.96.243.1:3128 intercept options=NO_SSLv3:NO_SSLv2
> http_port 10.96.243.1:3130 options=NO_SSLv3:NO_SSLv2

Setting SSL-related options on http_port's is not useful when they are
not doing SSL-Bump.

> https_port 10.96.243.1:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 443         # https
> acl CONNECT method CONNECT
>
> acl http_allow dstdomain "/etc/squid/http_allow_domains.txt"
> acl https_allow ssl::server_name "/etc/squid/https_allow_domains.txt"
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

Not good. Remember this is a security protocol you are playing around with.

Both of the above lines hide critical details you need to figure out
what is going wrong. They can be useful as a spot-check (only!) to
figure out if the problem is related to cert verification or something
else. But DO NOT use them for regular traffic, not even testing traffic.

You may find that there are certain _specific_ errors that you need to
let through. Add the appropriate flags, SSL options, ACL checks and
sslproxy_cert_error lines for those as needed; don't just ignore all
possible errors like the above does.

>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice https_allow
> ssl_bump terminate all
>

Looks okay. Just to be clear you understand that:
 The above means that the TLS/SSL is spliced only if the client SNI
contains a domain in your whitelist.
 All other traffic will be terminated ... maybe with an HTTP error page.


> cache deny all
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow all http_allow
> http_access allow all https_allow

The ssl::server_name ACL will not work outside of the ssl_bump
directive. Delete the above line.


Also, I am not seeing any line which permits the raw-IP CONNECT
message which your Squid processes first to decide whether ssl_bump will
be applied to the intercepted TCP connections.

 That is why the "allow all" makes things "work". It lets those CONNECT
requests through.

You can read the details about how bumping happens at
<http://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>
 The CONNECT request mentioned in step 1.ii is your problem.

To fix it in a very targeted way add these lines (each acl on a single line):

 acl rawIP dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443$

 acl bumpPort myportname 10.96.243.1:3129

 http_access allow CONNECT bumpPort rawIP


> http_access deny all
>
> always_direct allow all
>

That always_direct line is not useful. Remove it.

HTH
Amos
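As an added illustration (not code from this thread or from Squid itself), a small Python model of Squid's first-match http_access evaluation over the rules discussed above, run with and without Amos's rawIP rule, plus the peek/splice/terminate decision for the SNI. It assumes that the intercept-generated CONNECT carries the raw destination IP as its host and that the dstdom_regex is checked against a "host:port" string, as the pattern's trailing :443 implies.

```python
import re

# Amos's rawIP dstdom_regex (with the IPv4-mapped branch's missing '[' restored).
RAW_IP_RE = re.compile(
    r"^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
    r"|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443$")

# Constructed whitelist contents, copied from the thread's two domain files.
HTTP_ALLOW = {".google.com"}
HTTPS_ALLOW = {".google.com"}
BUMP_PORT = "10.96.243.1:3129"   # the myportname of the https_port in the thread


def dstdomain(host, patterns):
    """Squid dstdomain semantics: '.example.com' matches the domain and its subdomains."""
    host = host.lower()
    return any(host == p[1:] or host.endswith(p) if p.startswith(".") else host == p
               for p in patterns)


def http_access(req, raw_ip_rule):
    """First-match evaluation of the thread's http_access rules for one request.
    req has keys method, host, port, myport; returns 'allow' or 'deny'."""
    rules = [
        ("deny", lambda r: r["port"] not in (80, 443)),                       # deny !Safe_ports
        ("deny", lambda r: r["method"] == "CONNECT" and r["port"] != 443),    # deny CONNECT !SSL_ports
    ]
    if raw_ip_rule:  # Amos's fix: allow CONNECT bumpPort rawIP
        rules.append(("allow", lambda r: r["method"] == "CONNECT"
                      and r["myport"] == BUMP_PORT
                      and RAW_IP_RE.match("%s:%d" % (r["host"], r["port"])) is not None))
    rules.append(("allow", lambda r: dstdomain(r["host"], HTTP_ALLOW)))     # allow http_allow
    rules.append(("deny", lambda r: True))                                   # deny all
    for action, matches in rules:
        if matches(req):
            return action
    return "deny"


def ssl_bump(sni):
    """After the CONNECT is allowed: peek at step1, splice whitelisted SNI, terminate the rest."""
    return "splice" if sni and dstdomain(sni, HTTPS_ALLOW) else "terminate"


if __name__ == "__main__":
    # Constructed example: the fake CONNECT Squid builds for an intercepted TLS flow.
    connect = {"method": "CONNECT", "host": "172.217.0.46", "port": 443, "myport": BUMP_PORT}
    print("CONNECT without fix:", http_access(connect, False))   # deny  (the original problem)
    print("CONNECT with fix:   ", http_access(connect, True))    # allow
    print("SNI www.google.com: ", ssl_bump("www.google.com"))    # splice
    print("SNI example.org:    ", ssl_bump("example.org"))       # terminate
```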

Re: transparent http and https filter with white-list only

Alex Rousskov
On 02/01/2017 07:46 AM, Amos Jeffries wrote:
> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump splice https_allow
>> ssl_bump terminate all


>  All other traffic will be terminated ... maybe with an HTTP error page.

Bugs notwithstanding, the terminate action should close the client TCP
connection without serving the error page.



> The ssl::server_name ACL will not work outside of the ssl_bump directive.

Each SslBump step gives the ACL more [reliable] information, but the ACL
is not confined to the ssl_bump rules. Using this ACL before (or without
any) ssl_bump steps is almost pointless because it can probably only
match "none", but using it during or after those steps is fine, even
outside the ssl_bump directive context. This clarification is based on
my interpretation of v5 code.

This aspect may not be relevant to your squid.conf, but I wanted to
clarify it in case somebody uses this email thread for other purposes.


Cheers,

Alex.


Re: transparent http and https filter with white-list only

Sergey Klusov

> Date: Thu, 2 Feb 2017 03:46:44 +1300
> From: Amos Jeffries <[hidden email]>
> To: [hidden email]
> Subject: Re: [squid-users] transparent http and https filter with
> white-list only
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=utf-8
>
> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>> Hello. I'm trying to get a working transparent setup allowing only certain
>> domains and have the problem that in order to allow HTTPS with "ssl_bump splice
>> allowed_domains" I have to "http_access allow all", thus allowing all
>> other HTTP traffic through. Otherwise HTTPS traffic is not allowed at all.
>>
>> Here is my config:
>>
> Some comments inline to improve it.
>
> Also, what version of Squid are you using?
>   I will assume that you are following the best practice advice and using
> at least 3.5.19.  If not, please try to upgrade.
Just installed from the CentOS 7 repo, using yum:
Squid Cache: Version 3.5.20

>
>> =======config=======
>> http_port 10.96.243.1:3128 intercept options=NO_SSLv3:NO_SSLv2
>> http_port 10.96.243.1:3130 options=NO_SSLv3:NO_SSLv2
> Setting SSL-related options on http_port's is not useful when they are
> not doing SSL-Bump.

OK, just copy-pasted from some internet site about ssl_bump.

>
>> https_port 10.96.243.1:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 443         # https
>> acl CONNECT method CONNECT
>>
>> acl http_allow dstdomain "/etc/squid/http_allow_domains.txt"
>> acl https_allow ssl::server_name "/etc/squid/https_allow_domains.txt"
>>
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
> Not good. Remember this is a security protocol you are playing around with.
>
> Both of the above lines hide critical details you need to figure out
> what is going wrong. They can be useful as a spot-check (only!) to
> figure out if the problem is related to cert verification or something
> else. But DO NOT use them for regular traffic, not even testing traffic.
>
> You may find that there are certain _specific_ errors that you need to
> let through. Add the appropriate flags, SSL options, ACL checks and
> sslproxy_cert_error lines for those as needed; don't just ignore all
> possible errors like the above does.

This setup's only purpose is to allow clients to connect only to a
small set of certain sites.
I suppose the client's browser will do all checks?

>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump splice https_allow
>> ssl_bump terminate all
>>
> Looks okay. Just to be clear you understand that:
>   The above means that the TLS/SSL is spliced only if the client SNI
> contains a domain in your whitelist.
>   All other traffic will be terminated ... maybe with an HTTP error page.
That's all I need. In fact I would prefer to not use squid at all for
that purpose, but can't find any good free DPI solution.

>
>
>> cache deny all
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>>
>> http_access allow all http_allow
>> http_access allow all https_allow
> The ssl::server_name ACL will not work outside of the ssl_bump
> directive. Delete the above line.
OK

>
> Also, I am not seeing any line which permits the raw-IP CONNECT
> message which your Squid processes first to decide whether ssl_bump will
> be applied to the intercepted TCP connections.
>
>   That is why the "allow all" makes things "work". It lets those CONNECT
> requests through.
>
> You can read the details about how bumping happens at
> <http://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>
>   The CONNECT request mentioned in step 1.ii is your problem.
>
> To fix it in a very targeted way add these lines (each acl on a single line):
>
>   acl rawIP dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443$
>
>   acl bumpPort myportname 10.96.243.1:3129
>
>   http_access allow CONNECT bumpPort rawIP

I've worked around it like this:

acl http_proto proto http
http_access allow !http_proto

but will try your variant too.
Thanks.

>
>> http_access deny all
>>
>> always_direct allow all
>>
> That always_direct line is not useful. Remove it.
OK
