[squid-users] Config audit for 3.5.3

James Lay jlay at slave-tothe-box.net
Sat Apr 25 12:36:14 UTC 2015


On Sat, 2015-04-25 at 14:25 +1200, Amos Jeffries wrote:

> On 25/04/2015 12:50 a.m., James Lay wrote:
> > Hey all.
> > 
> > Topic says it....I'm running squid-3.5.3-20150420-r13802 and wanted to
> > see if there's anything glaring that I'm missing/have misconfigured.  My
> > setup is squid is running on a router, one nic external, one nic
> > internal.  This is running as a transparent proxy with iptables doing a
> > redirect to ports 3128 and 3129.  Config below:
> > 
> > #############################################################
> > acl localnet src 192.168.1.0/24
> > 
> > acl SSL_ports port 443
> > acl Safe_ports port 80		# http
> > acl Safe_ports port 443		# https
> > 
> > acl CONNECT method CONNECT
> > acl broken_sites dst 96.16.0.0/15
> > <others redacted>
> > acl broken_sites dst 54.160.0.0/12
> > acl allowed_sites url_regex "/opt/etc/squid/url.txt"
> > acl all_others dst all
> 
> Using "dst all" is very inefficient. It requires Squid to perform DNS
> lookups just to answer "yes". Unless there is some unusual reason
> requiring that you might as well use the provided "all" ACL for faster
> operation.
> 
> 
> > acl SSL method CONNECT
> 
> This is a bit dangerous. CONNECT does not necessarily mean SSL - even
> with the port 443 restriction.  CONNECT could as easily contain a tunnel
> to email server and be pumping spam, or literally any other type of
> traffic to any other server. Spam emails, FTP, BitTorrent, and Skype are
> pretty popular protocols seen with CONNECT.
> 
> So you can easily mistake security rules about SSL and create allow
> policies that make you vulnerable to some nasty attacks.
> 
> It's also a redundant ACL definition with the default CONNECT ACL earlier.
> 
> > 
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > 
> > http_access allow manager localhost
> > http_access deny manager
> > 
> > http_access allow allowed_sites
> > http_access allow broken_sites
> > 
> > http_access deny all_others 
> 
> The above being equivalent to "deny all" makes the below rules not do
> anything. I don't know your policy, maybe you did.
> 
> Consider whether that is what you expected/wanted to happen.
> 
> 
> > http_access allow localnet
> > http_access allow localhost
> > 
> > http_access deny all
> > icp_access deny all
> > 
> > 
> > sslproxy_cert_error allow broken_sites
> > sslproxy_cert_error deny all
> > 
> > sslproxy_options ALL
> > acl p3129 myportname 3129
> 
> This name "3129" does not match any listening port name. See below...
> 
> 
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > #ssl_bump splice broken_sites
> > ssl_bump bump p3129
> > 
> > 
> > http_port 192.168.1.253:3128 intercept 
> 
> ... in the absence of a name= parameter the default name for this port is
> "192.168.1.253:3128".
> 
> > https_port 192.168.1.253:3129 intercept ssl-bump
> > cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key
> > cafile=/opt/sslsplit/sslsplitca.pem generate-host-certificates=on
> > dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
> 
> ... in the absence of a name= parameter the default name for this port is
> "192.168.1.253:3129".
> 
> Do you see the pattern?
> Set the name= parameter explicitly or it becomes the *string* value of
> the host:port field.
> 
> 
> > 
> > always_direct allow all
> 
> Has no use in your config.
> 
> > 
> > logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%
> > Sh %ssl::>cert_subject
> 
> Bad: do not re-define built in format definitions please.
> 
> Either use the provided format, or use a different name if you need the
> custom one.
> 
> > 
> > access_log syslog:daemon.info common
> > 
> > refresh_pattern ^ftp:		1440	20%	10080
> > refresh_pattern ^gopher:	1440	0%	1440
> > refresh_pattern -i (cgi-bin|\?)	0	0%	0
> > refresh_pattern .		0	20%	4320
> > 
> > icp_port 3130
> 
> You are initializing ICP port, but also configured "icp_access deny all".
> 
> To disable ICP, remove the icp_* directives from your config.
> 
> To enable ICP, configure the icp_access to allow some sources to make
> queries.
> 
> > 
> > coredump_dir /opt/var
> > #############################################################
> > 
> > My goal has been to at least get the domain logged on any https access,
> > but alas some sites show:
> > 
> > Apr 24 06:39:32 gateway (squid-1): 192.168.1.101 - -
> > [24/Apr/2015:06:39:32 -0600] "CONNECT 216.58.216.162:443 HTTP/1.1" 200
> > 401 TCP_TUNNEL:ORIGINAL_DST -
> > 
> 
> With interception + your custom rule using %ru you should always see
> raw-IP:port. If you see a TLS SNI domain in there *that* is a bug. "%ru"
> is explicitly asking for the client-presented CONNECT *URL*, not the
> server details.
> 
> 
> That "TCP_TUNNEL" will always happen whenever the protocol found on port
> 443 is not HTTPS.
> 
> Amos


Thank you Amos...that's extremely helpful.

James
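The review above is essentially a checklist: no `dst all`, no second CONNECT ACL, no unconditional deny before the real policy, `myportname` only against real port names, no redefinition of built-in logformats, no `icp_port` with ICP access denied, and `always_direct` only when peers exist. As an added example (not code from the thread or from the Squid project), the script below encodes those points as a small linter and runs it over a condensed copy of the posted config and over a hypothetical corrected version. The corrected version, the port names `p3128`/`p3129` and the logformat name `sslcommon` are assumptions; the built-in logformat list is Squid's documented set.

```python
# Added example, not from the thread: a linter for the review points above.
# POSTED is a condensed copy of James's config (wrapped lines re-joined);
# FIXED is a hypothetical corrected version using assumed names p3128/p3129.
BUILTIN_LOGFORMATS = {"squid", "common", "combined", "referrer", "useragent"}


def parse(conf):
    """Yield (directive, [args]) for each non-comment, non-blank line."""
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if words:
            yield words[0], words[1:]


def port_name(args):
    """A listening port is named by name=..., else by its host:port string."""
    names = [a[5:] for a in args[1:] if a.startswith("name=")]
    return names[0] if names else args[0]


def audit(conf):
    rules = list(parse(conf))
    acls = {a[0]: (a[1], a[2:]) for d, a in rules if d == "acl" and len(a) >= 2}
    out = []
    for name, (kind, args) in acls.items():
        if kind == "dst" and args == ["all"]:
            out.append(f"acl {name}: 'dst all' forces DNS lookups; use the built-in 'all'")
        if kind == "method" and args == ["CONNECT"] and name != "CONNECT":
            out.append(f"acl {name}: duplicate CONNECT ACL; CONNECT is not necessarily TLS")
    http = [a for d, a in rules if d == "http_access"]
    for i, a in enumerate(http):
        # an unconditional deny makes every later http_access line dead
        if a[0] == "deny" and len(a) == 2 and (
                a[1] == "all" or acls.get(a[1]) == ("dst", ["all"])):
            if len(http) - i - 1:
                out.append(f"http_access deny {a[1]}: {len(http) - i - 1} later rule(s) unreachable")
            break
    names = {port_name(a) for d, a in rules if d in ("http_port", "https_port")}
    for name, (kind, args) in acls.items():
        if kind == "myportname" and not set(args) & names:
            out.append(f"acl {name}: myportname {args} matches none of {sorted(names)}")
    for d, a in rules:
        if d == "logformat" and a[0] in BUILTIN_LOGFORMATS:
            out.append(f"logformat {a[0]}: redefines a built-in format; use another name")
    have = {d for d, _ in rules}
    if "icp_port" in have and not any(d == "icp_access" and a[0] == "allow" for d, a in rules):
        out.append("icp_port set but icp_access allows nobody; drop icp_* or allow queries")
    if "always_direct" in have and "cache_peer" not in have:
        out.append("always_direct has no effect without a cache_peer")
    return out


POSTED = """
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl broken_sites dst 96.16.0.0/15
acl all_others dst all
acl SSL method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow broken_sites
http_access deny all_others
http_access allow localnet
http_access deny all
icp_access deny all
acl p3129 myportname 3129
http_port 192.168.1.253:3128 intercept
https_port 192.168.1.253:3129 intercept ssl-bump
always_direct allow all
logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
icp_port 3130
"""

FIXED = """
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl broken_sites dst 96.16.0.0/15
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow broken_sites
http_access allow localnet
http_access deny all
acl p3129 myportname p3129
http_port 192.168.1.253:3128 intercept name=p3128
https_port 192.168.1.253:3129 intercept ssl-bump name=p3129
logformat sslcommon %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, *audit(conf), sep="\n  ")
```

Run against the posted config the linter reports seven findings, one per point in the review; against the corrected config it reports none. The unreachable-rule check stops at the first unconditional deny because everything after it is dead regardless of what else is wrong.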