[squid-users] Squid 3.5.5 ssl_bump and ufdbGuard

Marcus Kool marcus.kool at urlfilterdb.com
Tue Jul 21 00:30:57 UTC 2015


First an introduction to blocking HTTPS:
HTTPS is a protocol that is designed to be non-interceptable, and if it is intercepted, the browser will notify the user about this interception.
This is very different from HTTP, which can easily be intercepted, and the interceptor can redirect a browser using a defined HTTP code for redirection.
So blocking HTTP sites is easy since the HTTP protocol supports redirection, and because of the redirection feature, a blocked URL can be redirected to a human-readable web page saying "site X is blocked since you have no access rights".

Blocking HTTPS by redirecting a browser request is not possible since HTTPS is encrypted.
To block such a request, squidGuard and ufdbGuard can only instruct Squid to replace the HTTPS URL with another HTTPS URL.
squidGuard, whose development stopped in 2010, does not support an HTTPS redirection URL and instead sends the redirection URL for HTTP.
ufdbGuard uses 2 redirection URLs: one for HTTP and one for HTTPS, so the blocked HTTPS-based URL is redirected to another HTTPS-based URL.
But the browser notices this and displays a warning, most likely that the certificate is wrong.
After accepting the warning, a human-readable message about access being denied is displayed.

Squid's ssl-bump feature, if configured, changes the above.
ssl-bump intercepts HTTPS traffic, but the browser detects this and warns about it.
To get rid of the warning permanently, one installs the certificate that Squid uses in the browser's certificate store.

Blocking HTTPS, however, remains a difficult issue.
For HTTPS websites, Squid first sends a CONNECT-URL to ufdbGuard/squidGuard and after that a GET-URL or POST-URL.
The CONNECT is not blockable in the sense that it cannot happen without browser warnings, so for a forbidden HTTPS site, the URL redirector must PASS the CONNECT-URL and wait for the GET/POST, which it can block later.
This strategy works for regular HTTPS sites, where the site uses SSL-wrapped HTTP.
However, this strategy fails for all other sites that use different protocols, for example: chat, VPN, remote access software and SSH.
So for SSH, Squid only sends a CONNECT-URL to the URL redirector, and it must decide whether to pass or allow on the CONNECT since there are no future GET/POST URLs that it may block.
This complicates things a lot.
The next version of ufdbGuard will have new features to attempt to get around these issues.

On 07/20/2015 06:36 PM, Stanford Prescott wrote:
> This probably more rightly belongs in the ufdbGuard mailing list, but SF has been down for several days and I cannot post there. There is a bit of overlap with ssl_bump and ufdbGuard with one of the issues I am having. Maybe someone here who uses ufdbGuard or squidGuard could help me?

SF works now...

> I am trying to replace our implementation of the old squidGuard with ufdbGuard on Smoothwall Express v3.1 firewall distro. I have gotten ufdbGuard running and filtering with Squid 3.5.5 using ssl_bump. My questions:
>
> 1. With ssl_bump and squidGuard I was able to use the urlfilter to block https sites like facebook.com. Allowed https sites would load in my browser without errors with ssl_bump and squidGuard active. With ssl_bump and ufdbGuard it is a lot more complicated, it seems.

Are you saying that blocking https://www.example.com with ufdbGuard and ssl-bump works?
What is the redirection URL?

> -Squid+ssl_bump and ufdbGuard running I can access all HTTP sites without errors. I cannot access any HTTPS sites at all. I get "Untrusted connection" errors when trying to load any HTTPS site.

"*any* HTTPS site" ??
Awkward at least.  Can you send me your entire ufdbguardd.log and squid.conf?  NOT on this list.

> -If I restart squid without ssl_bump and ufdbGuard still running, I can then access all HTTP and HTTPS sites, and categories that I have blocked do get blocked, but only HTTP sites. All HTTPS sites will load, but none get blocked that are supposed to be.

Again, awkward.  I have a suspicion that something is wrong in your configuration.

> -If I then restart squid+ssl_bump (and ufdbGuard still running) I can now access all HTTP and HTTPS sites. Also, all HTTP and HTTPS sites that are supposed to be blocked by category, like porn for instance, do get blocked like they are supposed to be. Except for domains in the alwaysdeny category (but that will be a question for another time).

Again, awkward...

> -When ufdbGuard and squid+ssl_bump are started (in that order) I see processes running for squid, ssl_crtd, and ufdbguardd. I do not see any processes for squid_redirect and ufdbgclient. If I enter and load a website and then check the processes running I then see squid_redirect and ufdbgclient. Is that supposed to happen like that?

Squid starts processes when it needs to and its behaviour is also controlled by the url_rewrite_children parameter.
If you have "url_rewrite_children 30 startup=3 idle=2 concurrency=2" you should see 3 processes after a fresh start.

I do not know "squid_redirect" processes.
What do you have configured for squid_redirect?

> 2. I am using the Shalla blacklists for testing. I haven't been able to sign up for a URLfilterDB free trial because I only use yahoo.com and gmail.com for my email. Plus, I don't want to pay for a subscription until I know I have this working. When I convert the Shalla blacklists to ufdb format using ufdbConvertDB, only the domains are converted to the ufdb format (domains.ufdb). The urls files are not converted, even when using the "-u urls" switch.

A trial is free. You do not pay if the trial was unsatisfactory.
ufdbConvertDB converts the files 'domains' and the optional file 'urls' into 'domains.ufdb'.  A 'urls.ufdb' file never exists since everything is in 'domains.ufdb'.

I think that almost all items are related to ufdbGuard, so you can email the support desk of ufdbguard directly for assistance.
The support desk also answers those who use ufdbguard with a free database.

Marcus

> My current ufdbGuard.conf file is attached.
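As an added illustration of the strategy Marcus describes (pass the CONNECT, judge the GET/POST that ssl-bump reveals afterwards, and redirect a blocked https:// URL to an https:// block page rather than an http:// one), here is a minimal Squid url_rewrite_program helper. This is example code written for this page, not ufdbGuard's or squidGuard's implementation; the block list and the two block-page URLs are constructed placeholders, and the request/reply line format is assumed to be the Squid 3.4+ helper protocol (optional channel-ID when url_rewrite_children has concurrency>0, then URL, client ip/fqdn, ident, method, and key=value extras; replies of `OK`, `OK status=302 url="..."` or `BH`).

```python
#!/usr/bin/env python3
"""Minimal Squid url_rewrite_program helper (added example, not ufdbGuard code).

Shows the CONNECT-then-GET/POST strategy from the thread: a CONNECT is always
passed, the decrypted GET/POST that follows under ssl_bump is checked against a
block list, and a blocked https:// URL is redirected to an https:// block page.
"""
import sys
from urllib.parse import quote, urlsplit

# Constructed block list: hypothetical hostnames, not from the mailing list.
BLOCKED_HOSTS = {"blocked.example", "www.blocked.example"}

# Placeholder block pages, one per scheme, so that a blocked https:// URL is
# sent to another https:// URL (the two-redirection-URL approach of ufdbGuard).
BLOCK_PAGE_HTTP = "http://proxy.example.invalid/blocked.html"
BLOCK_PAGE_HTTPS = "https://proxy.example.invalid/blocked.html"


def parse_request(line):
    """Split one request line into (channel_id or None, url, method).

    Assumed format (Squid 3.4+ with the default url_rewrite_extras):
      [channel-ID] URL client-ip/fqdn ident method [key=value ...]
    The channel-ID is present only when url_rewrite_children uses concurrency.
    """
    parts = line.strip().split()
    channel = None
    if parts and parts[0].isdigit():      # a URL is never a bare integer
        channel = parts.pop(0)
    if not parts:
        raise ValueError("empty request line")
    url = parts[0]
    method = parts[3].upper() if len(parts) > 3 else ""
    return channel, url, method


def host_is_blocked(host):
    """True when host equals a blocked name or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def decide(line):
    """Return the reply line for one request line."""
    channel, url, method = parse_request(line)
    prefix = (channel + " ") if channel is not None else ""
    # A CONNECT arrives as host:port with no scheme.  It cannot be redirected
    # without a browser warning, so it is passed; with ssl_bump the decrypted
    # GET/POST follows and is judged below.  Consequence (as the thread notes):
    # protocols that never send a GET/POST (SSH, VPN, chat over 443) pass here.
    if method == "CONNECT" or "://" not in url:
        return prefix + "OK"
    parts = urlsplit(url)
    if host_is_blocked(parts.hostname or ""):
        page = BLOCK_PAGE_HTTPS if parts.scheme == "https" else BLOCK_PAGE_HTTP
        # Carry the denied URL along so the block page can name it.
        return '%sOK status=302 url="%s?url=%s"' % (prefix, page, quote(url, safe=""))
    return prefix + "OK"          # allowed: no rewrite, no redirect


def main():
    # Squid writes one request per line and expects exactly one reply line per
    # request; flush after each reply or the helper looks hung to Squid.
    for line in sys.stdin:
        if not line.strip():
            continue
        try:
            sys.stdout.write(decide(line) + "\n")
        except ValueError:
            sys.stdout.write("BH message=malformed\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To try it by hand, feed it a CONNECT line such as `0 blocked.example:443 192.0.2.10/- - CONNECT` (reply `0 OK`) followed by `0 https://www.blocked.example/ 192.0.2.10/- - GET` (reply `0 OK status=302 url="https://..."`). Echoing the channel-ID is what makes the helper usable with a `concurrency=` setting like the one quoted above; without it Squid cannot match replies to requests.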
