[squid-users] Squid 3.5.10 SSL Bump whitelist domains

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 22 14:56:32 UTC 2015 

On 23/10/2015 3:01 a.m., luizcasey at gmail.com wrote:
> Here is the config I am currently using based on your suggestion earlier. However it does not start. I have also added some questions to each for verification purposes to make sure I am understanding what is actually going on.
> 
> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
> http_port 3401 intercept
> 
> logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %[un %Sh/%<a %mt
> access_log /var/log/squid/access.log squid
> 
> cache deny all < — No caching.

Prevent things being stored in Squid's cache is what that does, yes.

> 
> acl step1 at_step SslBump1 <— What is this doing ??

Creating an ACL which will only match during SSL-Bump operations at step 1.

> acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains” <— Create whitelist for SSL 

Sort of yes, sort of no.

This is creating an ACL which will match if some domain name(s) are used
in CONNECT authority-URI (at SSL-Bump step 1 or 2), TLS SNI values (at
SSL-Bump step 2), or X.509 certificate SubjectAltName field (at SSL-Bump
step 3).


> 
> ssl_bump peek step1   <— Try to find server_name ?

Try to find client handshake details. One of those is the SNI which is
often the best available datum on what domain the client is trying to
connect to.

This will always match at step 1. So peek is aways done to find SNI,
NPN, ALPN etc.


> ssl_bump splice whitelist_ssl <— Ignore whitlist_ssl domains and let it through

At step 2 attempt to match the whitelist ACL against the details we have
for server domain names. SNI if known, otherwise the CONNECT requests
authority-URI.

At step 3 (because this is checked at both step 2 and 3). Attempt to
match the whitelist ACL against the X.509 certificate SubjectAltName
details.


> ssl_bump bump net_bump <— ??? This I don’t get since there is no net_bump acl ? Should this just be all ?
> ssl_bump splice all <— Splice everything else that couldn’t be bumped ??
> 

What is supposed to happen if the whitelist does not match ?
Take your policy requirement and make Squid do it.



> acl http proto http  <— Allow http photo

No. Create an ACL which matches when URL scheme is "http://"


> acl whitelist dstdomain "/etc/squid/git_allowed_domains/allowed_domains” <— Create whitelist for http

Yes.


> 
> acl https proto https  <— Allow https 

No. Create an ACL which matches when URL scheme is "https://"


> acl port_80 port 80  <— Allow port 80. Is this redundant ??

No. Create an ACL which matches when URL port is 80.


> acl port_443 port 443 < — Allow port 443. Is this redundant ??

No. Create an ACL which matches when URL port is 443.


> 
> http_access allow http port_80 whitelist    <— Allow whitelisted domains on port 80 

No. Allows requests where there is a URL scheme http:// AND going to
port 80 AND on the whitelist.

> http_access allow https port_443 whitelist_ssl <— Allow whitelisted domains on 443
> 

No. Allows requests where there is a URL scheme https:// AND going to
port 443 AND on the whitelist.

NP: HTTPS requests arrive as CONNECT mesage to URL with no scheme, and
going to port 443. May be a hostname not on the whitelist. For
intercepted traffic this request message will always have a raw-IP
instead of a hostname or domain name.


> http_access deny al <— Deny all 

No. deny whatever "al" matches.

Then the default action of allowing everything else.

> 
> 
> #######LOGS
> 
> 2015/10/22 09:41:10| Processing: access_log /var/log/squid/access.log squid
> 2015/10/22 09:41:10| Processing: cache deny all
> 2015/10/22 09:41:10| Processing: acl step1 at_step SslBump1
> 2015/10/22 09:41:10| Processing: acl whitelist_ssl ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"
> 2015/10/22 09:41:10| Processing: ssl_bump peek step1
> 2015/10/22 09:41:10| Processing: ssl_bump splice whitelist_ssl
> 2015/10/22 09:41:10| Processing: ssl_bump bump net_bump     <——— I assume again this is because no all for net_bump.

Don't assume. Squid tells you what is wrong:

> 2015/10/22 09:41:10| ACL not found: net_bump
> FATAL: Bungled /etc/squid/squid.conf line 22: ssl_bump bump net_bump

... and what is being done about it:

> Squid Cache (Version 3.5.10): Terminated abnormally.
> CPU Usage: 0.012 seconds = 0.003 user + 0.009 sys
> Maximum Resident Size: 26208 KB
> Page faults with physical i/o: 0
> 
> 
> If I change "ssl_bump bump net_bump" to "ssl_bump bump all” It starts up but it still fails to allow any https through even those on the whitelist_ssl file but allows http to those domains. Not sure what I am doing wrong here.
> 

That is because the traffic is mostly intercepted and those
fake/synthetic CONNECT requests have "CONNECT IP:port HTTP/1.1".

raw-IPs are not in your whitelist. Your http_access rules do not permit
non-whitelisted URI to be serviced. Thus they are rejected before
bumping even starts to find out what the SNI/domain the client was
trying to connect to was.

Amos

More information about the squid-users mailing list