[squid-users] Squid ignores crlfile options

Sebastian Kirschner s.kirschner at afa-finanz.de
Fri Oct 2 11:11:31 UTC 2015


Thanks Amos for the reply,

I will trim the config with your recommendations, but a few questions exist on my side.

" If you mean it to be used to verify the *server* certificates then you need to configure sslproxy_crlfile instead."

	I guess that was what I'm looking for :-),
	but I couldn't find anything about that configuration directive on the squid doc configuration site, and my squid ignores the option
	because it's unrecognized.

"> request_body_max_size 0 KB

Seriously? POST and PUT are forbidden to send data anywhere?"

	Should the value be ignored because it's a zero?
	Here is the part of the Squid configuration document:
		"If you set this parameter to a zero (the default), there will be no limit imposed."

" build-info requires a string. Whoever provided this package needs to fix that."
	I was the builder :-), could you give me a hint about that?

Kind regards / Best Regards

Sebastian 

Message: 4
Date: Fri, 2 Oct 2015 02:51:56 +1300
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid ignores crlfile options
Message-ID: <560D3A7C.2020408 at treenet.co.nz>
Content-Type: text/plain; charset=utf-8

On 1/10/2015 11:54 p.m., Sebastian Kirschner wrote:
> Hi
> 
> I'm using squid (3.5.9) as a transparent https proxy with build options (see below) and config (see below, I removed some uninteresting things from the config like caching).
> 
> To make the system more secure I would like to add crl checking (at the moment static, later maybe dynamic if it's possible with my skills :-) ) and ocsp (later).
> I'm using the site https://revoked.grc.com/ to test my config.
> To do it I downloaded the certificate from the site, checked if a CRL URI is available and downloaded the crl.
> Converted the format of the crl from DER to pem and inserted it in my squid.conf: "crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".
> 
> I tested the "crl.pem" with openssl and the site https://revoked.grc.com/ is revoked in the crl.
> 
> But why does squid seem to ignore the crlfile option / file?

Because it is only relevant on http(s)_port when there is TLS client certificate authentication being verified. You do not have that configured.


> I also tested using the crl in DER format, but it still wouldn't work; I didn't even see an error in the log when the file isn't available.

It is not even loaded unless the clientca= is configured. Which turns on client cert authentication.


If you mean it to be used to verify the *server* certificates then you need to configure sslproxy_crlfile instead.


> #config
> http_port local.ip.adress:3128 ssl-bump generate-host-certificates=on 
> dynamic_cert_mem_cache_size=10MB 
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem 
> capath=/usr/pbi/squid-amd64/local/share/certs/ 
> crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
> 
> http_port 127.0.0.1:3128 intercept ssl-bump 
> generate-host-certificates=on dynamic_cert_mem_cache_size=10MB 
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem 
> capath=/usr/pbi/squid-amd64/local/share/certs/ 
> crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
> 
> https_port 127.0.0.1:3129 intercept ssl-bump 
> generate-host-certificates=on dynamic_cert_mem_cache_size=10MB 
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem 
> capath=/usr/pbi/squid-amd64/local/share/certs/ 
> crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
> 
> icp_port 0

This is a default, remove the icp_port line.

> dns_v4_first on
> pid_filename /var/run/squid/squid.pid

This is a default, remove the pid_filename line.

> cache_effective_user proxy
> cache_effective_group proxy

Check your build options (squid -v), your proxy is built to use the account 'squid'. It is usually a good idea to stick with the


> error_default_language de-de
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
> visible_hostname pfsense

visible_hostname needs to be FQDN and publicly resolvable. It is the DNS hostname people use to access your proxy for those icons you configured (amongst other things).

> cache_mgr admin at pfsense-onesty.loc
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none

This is a default, remove the cache_store_log line.

> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger

This is probably a default too, if so remove the pinger lines. It will run unless disabled.

> sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
> sslcrtd_children 5
> 
> logfile_rotate 7
> debug_options rotate=7
> shutdown_lifetime 3 seconds
> acl localnet src  local.network.range
> forwarded_for on

This is a default, remove the forwarded_for line.

> uri_whitespace strip
> 
> acl dynamic urlpath_regex cgi-bin ?
> cache deny dynamic

Remove the above if you want to actually cache much content. Squid has been okay with caching this stuff since 2.7.

> 
> acl allsrc src all

Don't. Really. "all" is a built-in ACL, just use it.

> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
> acl sslports port 443 563
> 
> acl purge method PURGE
> acl connect method CONNECT
> 
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
> acl allowed_subnets src local.network.range

You defined localnet to that already. Meaning you can replace all uses of "allowed_subnets" with "localnet".

> acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
> http_access allow manager localhost
> 
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge

Best practice is now to move all the above http_access lines with their slow and DoS-vulnerable ACL processing down below the CONNECT line following...

> http_access deny !safeports
> http_access deny CONNECT !sslports
> 
> request_body_max_size 0 KB

Seriously? POST and PUT are forbidden to send data anywhere?

> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow allsrc

Hmm. A delay pool that does not do anything, and every byte of traffic is processed through it.
Completely useless waste of CPU cycles and memory. Remove all of the above lines.

> 
> always_direct allow whitelist

You don't use cache_peer. The above line is useless. Remove it.

> ssl_bump none whitelist

Do not mix deprecated bumping modes with non-deprecated.
Use "splice" instead of "none" in the above rule...

Then notice that dstdom_regex ACL will not work in ssl_bump. So you may as well remove the line entirely.

Your peek/splice rules below with "bypass" ACL seem to be doing what you intended this to do.



> # Package Integration
> url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c 
> /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
> url_rewrite_bypass off
> url_rewrite_children 16 startup=8 idle=4 concurrency=0
> 
> # Custom options before auth
> #debug_options all,1 20,0 36,0 41,0 47,0 79,0 90,0 92,0
> debug_options 83,6
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3

Note that step2 and step3 are not being used. You can remove those lines.

> 
> acl bypass ssl::server_name .google.de .sparkasse.de .postbank.de
> acl wupdate ssl::server_name .windowsupdate.com .microsoft.com
> 
> ssl_bump peek step1
> ssl_bump peek bypass wupdate
> ssl_bump splice bypass wupdate
> ssl_bump bump all
> 
> sslproxy_cert_error allow wupdate

Note that ssl::server_name probably won't work in these sslproxy_* rules.

> sslproxy_cert_error deny all
> 
> # Always allow access to whitelist domains
> http_access allow whitelist
> # Setup allowed acls
> # Allow local network(s) on interface(s)
> http_access allow allowed_subnets
> http_access allow localnet

Note that localnet == allowed_subnets, so the allowed_subnets line can be removed.

> # Default block all to be sure
> http_access deny allsrc

Really s/allsrc/all/

<snip>
> 
> 
> #build options
> configure options: '--with-default-user=squid'
'--bindir=/usr/pbi/squid-amd64/local/sbin'
'--sbindir=/usr/pbi/squid-amd64/local/sbin'
'--datadir=/usr/pbi/squid-amd64/local/etc/squid'
'--libexecdir=/usr/pbi/squid-amd64/local/libexec/squid'
'--localstatedir=/var'
'--sysconfdir=/usr/pbi/squid-amd64/local/etc/squid'
'--with-logdir=/var/squid/logs'
'--with-pidfile=/var/run/squid/squid.pid'
> '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth'
> '--enable-build-info'
<snip>


build-info requires a string. Whoever provided this package needs to fix that.


Amos
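The distinction Amos draws, as an added squid.conf example (Squid 3.5 syntax) that is not configuration from the thread or from the Squid project. `local.ip.adress`, the `cert=` and `capath=` values are taken from Sebastian's posted config; the CRL path under `/usr/pbi/squid-amd64/local/etc/squid/crl/` is an assumption. `crlfile=` and `sslflags=VERIFY_CRL` on `http_port`/`https_port` concern certificates presented by clients and are only loaded once `clientca=` turns on client certificate authentication; revocation checking of the server certificates Squid receives when bumping is configured with the `sslproxy_*` directives. (In Squid 4 and later these `sslproxy_*` verification options were folded into `tls_outgoing_options`.)

```conf
# Added example, not from the thread. local.ip.adress is the thread's own
# placeholder; the CRL path under .../etc/squid/crl/ is an assumption.

# What the posted config did: crlfile= and sslflags=VERIFY_CRL on the
# listening port. These options only apply to client certificate
# authentication and are not even loaded unless clientca= is set, so the
# CRL in them is never consulted for server certificates.
# http_port local.ip.adress:3128 ssl-bump generate-host-certificates=on \
#     dynamic_cert_mem_cache_size=10MB \
#     cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem \
#     capath=/usr/pbi/squid-amd64/local/share/certs/ \
#     crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL

# Listening port with the client-certificate options dropped. The intercept
# http_port and https_port lines from the thread lose the same options.
http_port local.ip.adress:3128 ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=10MB \
    cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem

# Verification of the *server* certificates Squid sees when it bumps a
# connection: the trust store, plus the CRL fetched from the CA's CRL
# Distribution Point, in PEM form as converted in the thread.
sslproxy_capath  /usr/pbi/squid-amd64/local/share/certs/
sslproxy_crlfile /usr/pbi/squid-amd64/local/etc/squid/crl/revoked.pem

# Keep the verifier's verdict: any validation error, revocation included,
# fails the connection. An 'allow' rule here bypasses validation errors
# for the matching traffic, so keep those rules as narrow as possible.
sslproxy_cert_error deny all
```

A static CRL file goes stale at its nextUpdate, so whatever fetches and converts it has to run on a schedule and Squid has to be reconfigured afterwards; the thread's "later maybe dynamic" step is exactly that refresh.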


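The check Sebastian describes against revoked.grc.com (find the CRL URI in the certificate, convert the DER CRL to PEM, confirm the serial is listed, ask openssl to verify), reproduced offline as an added example. This is not code from the thread: it builds a throw-away CA and a revoked leaf under a temporary directory, so the names `Demo CA`, `revoked.example.test`, `crl.example.test` and every path are assumptions made for the demo. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces, offline, the CRL check
# described in the thread: find the CRL URI in a certificate, convert a DER
# CRL to PEM, confirm the serial is listed, and let openssl verify decide.
# A throw-away CA is generated under $WORK; every path and name here is an
# assumption made for the demo. Requires the openssl CLI.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Build a demo CA, issue one leaf carrying a CRL Distribution Point, revoke
# it, and publish the CRL as PEM and as DER. Skipped if the CRL already exists.
make_revoked_chain() {
    if [ -f "$WORK/crl.der" ]; then return 0; fi
    : > "$WORK/index.txt"; echo 1000 > "$WORK/serial"; echo 01 > "$WORK/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
serial = $WORK/serial
crlnumber = $WORK/crlnumber
private_key = $WORK/ca.key
certificate = $WORK/ca.pem
default_md = sha256
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:revoked.example.test
crlDistributionPoints = URI:http://crl.example.test/demo.crl
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=revoked.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -batch -notext -days 30 -extensions leaf_ext \
        -in "$WORK/leaf.csr" -out "$WORK/leaf.pem" >/dev/null 2>&1
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.pem" >/dev/null 2>&1
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
    # Many CAs publish DER; this is the form that has to be converted before use
    openssl crl -in "$WORK/crl.pem" -outform DER -out "$WORK/crl.der"
}

# Print the first CRL Distribution Point URI found in certificate $1
crl_uri() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p' | head -n 1
}

# DER CRL in ($1) -> PEM CRL out ($2): the conversion done in the thread
der_to_pem() {
    openssl crl -inform DER -in "$1" -outform PEM -out "$2"
}

# "yes" if the PEM CRL ($2) lists the serial number of certificate $1
crl_lists_serial() {
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    if openssl crl -in "$2" -noout -text | grep -q "Serial Number: $serial"; then
        echo yes
    else
        echo no
    fi
}

# Verdict of openssl verify for cert $1 against CA $2, consulting CRL $3 when
# $4 is "with": prints revoked, ok or error. Without CRL checking a revoked
# certificate still verifies as ok, which is the gap a proxy-side CRL closes.
verify_against_crl() {
    if [ "$4" = with ]; then
        out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    fi
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo error ;;
    esac
}

make_revoked_chain
der_to_pem "$WORK/crl.der" "$WORK/crl_from_der.pem"
echo "CRL DP URI:             $(crl_uri "$WORK/leaf.pem")"
echo "serial listed in CRL:   $(crl_lists_serial "$WORK/leaf.pem" "$WORK/crl_from_der.pem")"
echo "verify without CRL:     $(verify_against_crl "$WORK/leaf.pem" "$WORK/ca.pem" "$WORK/crl_from_der.pem" without)"
echo "verify with -crl_check: $(verify_against_crl "$WORK/leaf.pem" "$WORK/ca.pem" "$WORK/crl_from_der.pem" with)"
```

The last two lines are the point of the exercise: the same revoked certificate passes a plain `openssl verify` and fails only once `-crl_check` and the CRL are supplied, which is why a CRL that Squid never loads changes nothing about what the proxy accepts.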