[squid-users] Squid 3.5.10 SSL Bump whitelist domains issue

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 22 08:28:35 UTC 2015

On 22/10/2015 7:31 a.m., luizcasey wrote:
> Hello, So what I am trying to accomplish here is to basically have a
> whitelist of domains that is allowed via http/https.

What you have actually configured is a whitelist with MUCH narrower
criteria than that.

> If the UID is
> squid,apache, or root then basically you will bypass squid and anything
> is allowed.

Ok. That is iptables/ip6tables. Not Squid related.

> This was working well on 3.4.2 however once I moved to
> 3.5.10 it no longer works properly. I also noticed that there are “new”
> features peek,slice etc which is probably my issue since I was not using
> it. I have tried several combination and have only gotten it to work for
> http traffic. All https traffic is currently being blocked by the
> configuration. Below are my configurations. I don’t need to "inspect"
> any of the traffic just want to have a whitelist of allowed domains if
> you are not UID squid,apache, or root via http/https. Any help would be
> appreciated !!

I'm not sure how you define "inspect" exactly. But the config implies
that your Squid actually does need to do TLS inspection.

> ##### IPTABLES
> $iptables -L -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> target     prot opt source               destination
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> natoutlogaccept  tcp  --  anywhere             anywhere            multiport dports http,https owner UID match squid
> natoutlogaccept  tcp  --  anywhere             anywhere            multiport dports http,https owner UID match apache
> natoutlogaccept  tcp  --  anywhere             anywhere            multiport dports http,https owner UID match root
> REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3401

Note that 3401 is the SNMP protocol port.

> REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:https redir ports 4827
> Chain natoutlogaccept (3 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere            LOG level debug prefix `nat out iptables accept '
> ACCEPT     all  --  anywhere             anywhere
> ##### Squid.conf
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

Like Yuri said, the above line(s) are bad. Very bad.
They are instructing Squid not to verify that the TLS connections to
upstream servers are secure. That allows any MITM upstream to be done on
them without any type of warning or alerts. Not only that, but Squid will
relay valid TLS security to the clients, so they believe everything is
just fine when in fact they could be badly hijacked.

> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
> sslcrtd_children 50
> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
> # HTTPS forward port
> https_port cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
> http_port 3401 transparent
> # HTTP forward port
> http_port
> logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
> access_log /var/log/squid/access.log squid
> always_direct allow all

The always_direct hack from Squid-3.1 bumping is no longer useful.

> cache deny all
> cache_dir ufs /home/squid/cache 100 16 256
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl nobumpSites ssl::server_name "/etc/squid/allowed_domains/allowed_domains"
> ssl_bump peek step1 all
> ssl_bump splice nobumpSites
> ssl_bump bump
> acl http proto http
> acl https proto https
> acl port_80 port 80
> acl port_443 port 443
> http_access allow http port_80 nobumpSites
> http_access allow https port_443 nobumpSites

I think the problem here is that you are requiring the "http://" and
"https://" scheme be part of the URLs.

Your description of the whitelist did not mention any such criteria.

Squid-3.5 uses CONNECT requests (where the URL has *no* scheme segment)
to represent the initial TCP SYN connection happening before the HTTPS
stream starts. Your whitelist rules here will reject those because they
lack the https:// scheme portion. And thus reject all HTTPS traffic.

> http_access deny all
> ##### allowed_domains
> .cnn.com
> .google.com
> .facebook.com
> ...etc
> #### squid log
> TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
> TCP_MISS/200 593 GET http://www.cnn.com/

I'm not sure why you are displaying these log lines. Everything appears
to be fine for them.
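The scheme problem Amos describes above (intercepted HTTPS shows up as a scheme-less fake CONNECT, so an ACL on `proto https` never matches it) can be avoided by keying the HTTPS rules on the CONNECT method and enforcing the whitelist on the peeked SNI. The following squid.conf fragment is an added example, not from this thread or from the Squid project; it assumes Squid 3.5, the poster's allowed_domains file, and that the http_port/https_port, certificate and sslcrtd lines stay as originally posted.

```conf
# Added example squid.conf fragment: whitelist by domain for HTTP and by SNI for
# HTTPS, without bumping. Assumes the existing allowed_domains file (".cnn.com" etc).
acl step1 at_step SslBump1
acl nobumpSites ssl::server_name "/etc/squid/allowed_domains/allowed_domains"
acl allowedHttp dstdomain "/etc/squid/allowed_domains/allowed_domains"
acl CONNECT method CONNECT
acl SSL_ports port 443
acl Safe_ports port 80

# Intercepted HTTPS arrives as a fake CONNECT whose URL has no scheme, so
# "acl https proto https" never matches it; match the CONNECT method instead.
# At step1 the fake CONNECT only carries the destination IP, not the SNI, so the
# whitelist for HTTPS is enforced below in ssl_bump rather than in http_access.
http_access deny CONNECT !SSL_ports
http_access allow CONNECT
# Plain HTTP requests do carry a scheme and Host, so dstdomain works for them.
http_access allow Safe_ports allowedHttp
http_access deny all

# Peek at the ClientHello to learn the SNI, splice whitelisted servers through
# untouched, and close every other TLS connection at the TCP level.
# Nothing is bumped, so no sslproxy_cert_error / DONT_VERIFY_PEER bypass is needed.
ssl_bump peek step1
ssl_bump splice nobumpSites
ssl_bump terminate all
```

Note that after a splice Squid never sees the HTTP inside the tunnel, so the HTTPS whitelist rests entirely on the SNI the client presents; check access.log for TCP_TUNNEL entries to the expected hosts when verifying the rules.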
