[squid-users] Config audit for 3.5.3

Amos Jeffries squid3 at treenet.co.nz
Sat Apr 25 02:25:12 UTC 2015 

On 25/04/2015 12:50 a.m., James Lay wrote:
> Hey all.
> 
> Topic says it....I'm running squid-3.5.3-20150420-r13802 and wanted to
> see if there's anything glaring that I'm missing/have misconfigured.  My
> setup is squid is running on a router, one nic external, one nic
> internal.  This is running as a transparent proxy with iptables doing a
> redirect to ports 3128 and 3129.  Config below:
> 
> #############################################################
> acl localnet src 192.168.1.0/24
> 
> acl SSL_ports port 443
> acl Safe_ports port 80		# http
> acl Safe_ports port 443		# https
> 
> acl CONNECT method CONNECT
> acl broken_sites dst 96.16.0.0/15
> <others redacted>
> acl broken_sites dst 54.160.0.0/12
> acl allowed_sites url_regex "/opt/etc/squid/url.txt"
> acl all_others dst all

Using "dst all" is very inefficient. It requires Squid to perform DNS
lookups just to answer "yes". Unless there is some unusual reason
requiring that you might as well use the provided "all" ACL for faster
operation.


> acl SSL method CONNECT

This is a bit dangerous. CONNECT does not necessarily mean SSL - even
with the port 443 restriction.  CONNECT could as easily contain a tunnel
to email server and be pumping spam, or literally any other type of
traffic to any other server. Spam emails, FTP, BitTorrent, and Skype are
pretty popular protocols seen with CONNECT.

So you can easily mistake security rules about SSL and create allow
policies that make you vulnerable to some nasty attacks.

Its also a redundant ACL definition with the default CONNECT ACL earlier.

> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> 
> http_access allow manager localhost
> http_access deny manager
> 
> http_access allow allowed_sites
> http_access allow broken_sites
> 
> http_access deny all_others 

The above being equivalent to "deny all" makes the below rules not do
anything. I dont know yoru policy, maybe you did.

Consider whether that is what you expected/wanted to happen.


> http_access allow localnet
> http_access allow localhost
> 
> http_access deny all
> icp_access deny all
> 
> 
> sslproxy_cert_error allow broken_sites
> sslproxy_cert_error deny all
> 
> sslproxy_options ALL
> acl p3129 myportname 3129

This name "3129" does not match any listening port name. See below...


> acl step1 at_step SslBump1
> ssl_bump peek step1
> #ssl_bump splice broken_sites
> ssl_bump bump p3129
> 
> 
> http_port 192.168.1.253:3128 intercept 

... in the absence of a name= parameter the default name for tis port is
"192.168.1.253:3128".

> https_port 192.168.1.253:3129 intercept ssl-bump
> cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key
> cafile=/opt/sslsplit/sslsplitca.pem generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

... in the absence of a name= parameter the default name for tis port is
"192.168.1.253:3129".

Do you see the pattern?
 set the name= parameter eplicitly or it becomes teh *string* value of
the host:port field.


> 
> always_direct allow all

Has no use in your config.

> 
> logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%
> Sh %ssl::>cert_subject

Bad: do not re-define built in format definitions please.

Either use the provided format, or use a different name if you need the
custom one.

> 
> access_log syslog:daemon.info common
> 
> refresh_pattern ^ftp:		1440	20%	10080
> refresh_pattern ^gopher:	1440	0%	1440
> refresh_pattern -i (cgi-bin|\?)	0	0%	0
> refresh_pattern .		0	20%	4320
> 
> icp_port 3130

You are initializing ICP port, but also configured "icp_access deny all".

To disble ICP leave remove the icp_* directives from your config.

To enable ICP, configure the icp_access to allow some sources to make
queries.

> 
> coredump_dir /opt/var
> #############################################################
> 
> My goal has been to at least get the domain logged on any https access,
> but alas some sites show:
> 
> Apr 24 06:39:32 gateway (squid-1): 192.168.1.101 - -
> [24/Apr/2015:06:39:32 -0600] "CONNECT 216.58.216.162:443 HTTP/1.1" 200
> 401 TCP_TUNNEL:ORIGINAL_DST -
> 

With interception + your custom rule using %ru you should always see
raw-IP:port. If you see a TLS SNI domain in there *that* is a bug. "%ru"
is explicitly asking for the client-presented CONNECT *URL*, not the
server details.


That "TCP_TUNNEL" will always happen whenever the protocol found on port
443 is not HTTPS.

Amos

More information about the squid-users mailing list