[squid-users] Difference between Squid 3.1 & 3.4 regarding HTTPS CONNECT handling

Amos Jeffries squid3 at treenet.co.nz
Sun Jul 12 02:49:04 UTC 2015


On 10/07/2015 8:30 a.m., Andrew Wood wrote:
> OK here's the difference
> 
> http_port 192.168.10.254:3128 intercept
> http_port 192.168.10.254:3129

You should have port 3128 for the non-intercept traffic.

> 
> I had to setup squid on a second port not in intercept mode and set the
> WPAD file to send HTTPS requests there.
> 
> Why will the intercept port accept HTTPS CONNECT requests in 3.1 but not
> 3.4?

3.2+ enforce the requirement that NAT is performed on the same machine
as Squid runs.

Explicit proxy traffic (from WPAD), naturally does not have NAT records
so will fail that requirement check. Thus separate ports are needed for
each of the different HTTP traffic types.

Please also check your intercept rules match
<http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect> (or
the equivalent DNAT example). Specifically the *mangle* table rule
preventing external connections directly to the intercept port is very
important to prevent certain attacks that happen nowadays.


PS. Some hints on optimizing your config are inline below...

> On 09/07/15 14:05, Andrew Wood wrote:
>> #squid.conf:
>>
>> #set which port to accept clients on & which interfaces to accept
>> clients on
>> http_port 192.168.10.254:3128 intercept
>> http_port 192.168.100.254:3128 intercept
>>

No need for two ports. It's up to you, but I would do this:
  http_port 3129 intercept
  http_port 3128

Also, note the number of the intercept port should be random. It must
only ever receive traffic for the NAT sub-system so everything you can
do to obfuscate and prevent external connections getting directly to it
is good.


>>
>> #set delay pool to do bandwidth throttling on VLAN2
>> delay_pools 1
>> delay_class 1 2
>> delay_parameters 1 250000/500000 125000/500000
>>
>> #ORd
>> acl AllUsers src all

Just use the built-in "all" and remove this definition entirely.

The only reason to custom-define an 'all' ACL is to attach a custom
deny_info page to it. You are not doing that.


>> acl ToSentryBoxVL1 dstdom_regex ^192.168.10.254$
>> acl ToWPADServer dstdom_regex ^wpad.commsmuseum.local$
>> acl ToPublicWiFiGateway dstdom_regex ^192.168.100.254$

The above ACLs are all used sequentially to allow access. You can
simplify (and speed up Squid a bit) by merging those three into one ACL
with three patterns.

Also, there is no need to regex them. Just use raw-IP address in the
dstdomain ACL type.

NP: since you have multicast .local DNS in use, you may want to turn on
Squid 3.4's multicast DNS support:
  dns_multicast_local on
 <http://www.squid-cache.org/Doc/config/dns_multicast_local/>


>> acl PublicWiFiLAN src 192.168.100.0/24
>> acl PrivateLAN src 192.168.10.0/24
>> acl DestinedForPrivateLAN dst 192.168.10.0/24
>> acl DestinedForPublicWiFiLAN dst 192.168.100.0/24
>> acl ProhibitedSitesDomains dstdomain
>> "/var/squidblacklist.org/domains.squid"
>> acl IPAddressForHostname dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

raw-IP can also come in IPv6 syntax, and sometimes may have a port
listed. *Even in IPv4-only traffic*.

This pattern is better:
^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-fA-F]+)?:([0-9a-fA-F:]+)?:([0-9a-fA-F]+)?\]))(:[0-9]+)?$



>> acl SSLPorts port 443
>>
>> #block users tunneling
>> acl CONNECT method CONNECT
>> http_access deny CONNECT !SSLPorts
>>
>>
>> #disable caching
>> cache deny all
>>
>> #add VLAN2 to delay pool 1
>> delay_access 1 allow PublicWiFiLAN
>>
>> #force traffic coming in on VLAN2 to go out on VLAN2
>> tcp_outgoing_address 192.168.100.254 PublicWiFiLAN
>> tcp_outgoing_address 192.168.10.254 PrivateLAN
>>

Those do not force anything. The iptables outgoing MASQUERADE rule will
replace those addresses with whatever iptables is configured with and is
a far better way to do what you seem to want anyway.

Also note that Debian packages of Squid are IPv6-enabled. So link-local
IPv6 connections may also exist on outbound. If you don't already have
ip6tables rules setup to manage that traffic properly to/from the VPN
its getting urgent.

 And ...

>> #block traffic between VLAN1 & VLAN2
>> #iptables does this for everything EXCEPT stuff coming through Squid
>> #because iptables sees stuff coming out of squid as originating from
>> the localhost
>> #hence iptables FORWARD rules don't apply
>> http_access deny PublicWiFiLAN DestinedForPrivateLAN
>> http_access deny PrivateLAN DestinedForPublicWiFiLAN

... THESE are the rules that actually prevent traffic crossover between
the subnets by Squid.

>>
>> #show splash screen to new users on public wifi to show t&c etc
>> #pass session length as arg to perl script cache +ve & -ve responses
>> for 0 secs so
>> #perl script is always called. Script is responsible for deciding how
>> long a session is valid for
>> #%SRC passes client ip on stdin
>> external_acl_type currentsessiontype ttl=60 negative_ttl=0 %SRC
>> /var/publicwifisessions/checksession.pl
>> acl currentsession external currentsessiontype
>>
>> #will stop on first of these which matches so watch order!
>> http_access deny ProhibitedSitesDomains

>> http_access allow ToPublicWiFiGateway
>> http_access allow ToSentryBoxVL1
>> http_access allow ToWPADServer

See above about these ACLs.

>> http_access deny CONNECT PublicWiFiLAN !currentsession
>> http_access deny PublicWiFiLAN !currentsession

The above two lines overlap each other. You can remove the one with
"CONNECT" in it.


>> http_access deny IPAddressForHostname
>> http_access deny !SafePorts
>> http_access allow PrivateLAN
>> http_access allow PublicWiFiLAN
>> http_access deny AllUsers

See above about this "deny all" customization.


Amos
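The raw-IP matching discussed above, as an added example that is not part of the original thread: a small Python harness that runs the single-IPv4 pattern from the posted squid.conf and the widened pattern Amos suggests (hex class taken as [0-9a-fA-F] so that upper- and lower-case hex digits both match) over a set of constructed request hosts. It shows which forms the original pattern lets through: an IPv4 literal with a port, and bracketed IPv6 literals with or without a port. Squid evaluates dstdom_regex as a POSIX extended regex; Python's re module treats this particular pattern identically, so the results carry over. The host strings are constructed for the example.

```python
import re

# Pattern from the posted squid.conf: IPv4 dotted-quad only.
ORIGINAL_PATTERN = r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$"

# Widened pattern: IPv4 literal, or bracketed IPv6 literal, each with an
# optional ":port" suffix. Hex class is [0-9a-fA-F] (assumption: the intent
# of the posted pattern was the full hex digit range).
IMPROVED_PATTERN = (
    r"^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
    r"|(\[([0-9a-fA-F]+)?:([0-9a-fA-F:]+)?:([0-9a-fA-F]+)?\]))(:[0-9]+)?$"
)


def is_raw_ip_host(host, pattern=IMPROVED_PATTERN):
    """True if the request host is a raw IP literal under the given pattern."""
    return re.search(pattern, host) is not None


# Constructed sample hosts as Squid would present them to a dstdom_regex ACL.
SAMPLE_HOSTS = [
    "93.184.216.34",          # plain IPv4 literal
    "93.184.216.34:8080",     # IPv4 literal with explicit port
    "[2001:db8::1]",          # bracketed IPv6 literal
    "[2001:DB8::1]:443",      # IPv6 literal, upper-case hex, with port
    "[::1]",                  # loopback IPv6 literal
    "example.com",            # ordinary hostname
    "www.example.com:443",    # hostname with port
    "10.0.0.1.example.com",   # starts like an IP but is a hostname
]


def compare_patterns(hosts=SAMPLE_HOSTS):
    """Map each host to (matches_original, matches_improved)."""
    return {
        h: (is_raw_ip_host(h, ORIGINAL_PATTERN), is_raw_ip_host(h))
        for h in hosts
    }


if __name__ == "__main__":
    for host, (orig, improved) in compare_patterns().items():
        print(f"{host:24} original={orig!s:5} improved={improved!s:5}")
```

Run it to see the gaps the IPv4-only pattern leaves: every host that the original misses but the improved pattern catches would have bypassed the "deny IPAddressForHostname" rule in the posted configuration.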
