[squid-users] Safesearch: blocking Google images error
Stanford Prescott
stan.prescott at gmail.com
Fri Sep 4 20:37:12 UTC 2015
> acl s1_tls_connect at_step SslBump1
> acl s2_tls_client_hello at_step SslBump2
> acl s3_tls_server_hello at_step SslBump3
>
> acl tls_server_name_is_ip ssl::server_name_regex \
> ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
> You have a letter 'n' on the end there, is that intentional?
It would seem so. I copied that from someone else's "peek-splice"
directives that they said worked well for them. The actual regex in the
perl script that writes squid.conf is:

  print FILE "acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$\n\n";
> acl google ssl::server_name .google.com
> ssl_bump peek s1_tls_connect all
>
> acl nobumpSites ssl::server_name .wellsfargo.com
>
> ssl_bump splice s2_tls_client_hello nobumpSites
> ssl_bump splice s2_tls_client_hello google
>
> ssl_bump stare s2_tls_client_hello all
>
> ssl_bump bump s3_tls_server_hello all
>
> cache_peer forcesafesearch.google.com parent 443 0 \
> ssl name=GS originserver \
> no-query no-netdb-exchange no-digest
>
> acl search dstdomain .google.com
> cache_peer_access GS allow search
> cache_peer_access GS deny all
> I think the fake-CONNECT Squid creates still has only raw-IP:port
> details. And with splicing you don't have the decrypt to setup dstdomain
> URL details.
>
> For dstdomain you need to match what shows up in access.log as the URI
> of these requests.
>
> Does the "google" ACL work in cache_peer_access to use the SNI?
The "dstdomain .google.com" was taken directly from an example that was
provided. When I try to access google.com the error message says a
"secure connection could not be established to http://google.com". It
seems the "redirect to https" isn't working using the acl
"acl google ssl::server_name .google.com" in "cache_peer_access". If I
enter instead https://google.com then I don't get that error but
inappropriate Google images are still not blocked. When I look at the
access.log, all I see are IP addresses for the domains for CONNECTs like
this:
1441396051.210     62 10.3.3.100 TCP_MISS/503 3639 GET http://www.google.com/ - FIRSTUP_PARENT/216.239.38.120 text/html
1441396051.330     61 10.3.3.100 TCP_MISS/503 3640 GET http://www.google.com/favicon.ico - FIRSTUP_PARENT/216.239.38.120 text/html
1441396051.390     58 10.3.3.100 TCP_MISS/503 3672 GET http://www.google.com/favicon.ico - FIRSTUP_PARENT/216.239.38.120 text/html
1441396097.795     81 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396097.830     87 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.172:443 - ORIGINAL_DST/74.125.227.172 -
1441396098.115     93 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.175:443 - ORIGINAL_DST/74.125.227.175 -
1441396098.877     79 10.3.3.100 TCP_MISS/200 840 POST http://clients1.google.com/ocsp - ORIGINAL_DST/74.125.227.168 application/ocsp-response
1441396098.878    622 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.160:443 - HIER_NONE/- -
1441396098.878    621 10.3.3.100 TCP_TUNNEL/200 5123 CONNECT 74.125.227.160:443 - ORIGINAL_DST/74.125.227.160 -
1441396099.078     92 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.217:443 - ORIGINAL_DST/74.125.227.217 -
1441396099.189    106 10.3.3.100 TCP_MISS/200 809 GET https://googleads.g.doubleclick.net/pagead/drt/si?ogt=1&pli=1&auth=DQAAAMQAAAA4q0535ee2zf0UOZwVQ6_S4mSWjf5Kb4fXl9x3McqtJiWrkQIQToYoQiKlpOleH4gYm8RDSWUaDvvHLQqnRZUq0hgjBst5H7svmtOGMUQJWwIv_orC8WVMfxr91CPgT5DFQ-5IULxyQsXmTMj9gOrFQ6S3PA86VzwCr1buDy8gaOeX_wF-hzw52PmkI5fEDNXwc5rhvhFkZ0epUswSyOMIWKqbgKDwcM3MpxD8WsDKiPdKyTD7qlNjZfxKqKO2EBJD2pbu24zhvuCHX7baeaPt - ORIGINAL_DST/74.125.227.217 image/gif
1441396112.635     99 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.175:443 - ORIGINAL_DST/74.125.227.175 -
1441396114.575     85 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396123.684     92 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396124.205     87 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.175:443 - ORIGINAL_DST/74.125.227.175 -
1441396127.192     84 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.205:443 - ORIGINAL_DST/74.125.227.205 -
I don't know how to tell if the SNI is being used in cache_peer_access
other than as I mentioned above only IP addresses appear in access.log for
the .google.com domain.
> The flag DONT_VERIFY_PEER tells Squid not to even bother checking any
> security on the outgoing server connection when going DIRECT (not to the
> cache_peer). Making the sslproxy_cert_error rules useless.
You've mentioned this before. The problem is with my squid.conf if it
doesn't have DONT_VERIFY_PEER ssl-bump does not work at all. Is there a
better way to setup ssl-bump than what I have that doesn't use
DONT_VERIFY_PEER?
Here is my complete squid.conf. Hope it is helpful.
visible_hostname smoothwallu3

# Uncomment the following to send debug info to /var/log/squid/cache.log
#debug_options ALL,1 33,2 28,9

# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.3.3.1
acl localnetgreen src 10.3.3.0/24
acl SSL_ports port 445 443 441 563
acl Safe_ports port 80                  # http
acl Safe_ports port 81                  # smoothwall http
acl Safe_ports port 21                  # ftp
acl Safe_ports port 445 443 441 563     # https, snews
acl Safe_ports port 70                  # gopher
acl Safe_ports port 210                 # wais
acl Safe_ports port 1025-65535          # unregistered ports
acl Safe_ports port 280                 # http-mgmt
acl Safe_ports port 488                 # gss-http
acl Safe_ports port 591                 # filemaker
acl Safe_ports port 777                 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
# ----------------------------------------------------------------
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnetgreen
http_access allow CONNECT localnetgreen
http_access allow localhostgreen
http_access allow CONNECT localhostgreen

# http_port and https_port
#----------------------------------------------------------------------------
# For forward-proxy port. Squid uses this port to serve error pages, ftp
# icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127
http_port 10.3.3.1:800 intercept
https_port 10.3.3.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
http_port 127.0.0.1:800 intercept

sslproxy_session_cache_size 4 MB
ssl_bump none localhostgreen

acl s1_tls_connect at_step SslBump1
acl s2_tls_client_hello at_step SslBump2
acl s3_tls_server_hello at_step SslBump3
acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
acl google ssl::server_name .google.com

ssl_bump peek s1_tls_connect all
ssl_bump splice s2_tls_client_hello google
ssl_bump stare s2_tls_client_hello all
ssl_bump bump s3_tls_server_hello all

cache_peer forcesafesearch.google.com parent 443 0 ssl name=GS originserver no-query no-netdb-exchange no-digest
acl search dstdomain .google.com/imghp
cache_peer_access GS allow search
cache_peer_access GS deny all

sslproxy_cert_error allow tls_server_name_is_ip
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5

http_access deny all

cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

# CACHE OPTIONS
# ----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid
cache_swap_high 100
cache_swap_low 80
cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB
cache_dir diskd /var/spool/squid/cache 1024 16 256
maximum_object_size 33 MB
minimum_object_size 0 KB
request_body_max_size 0 KB

# OTHER OPTIONS
# ----------------------------------------------------------------------------
#via off
forwarded_for off
pid_filename /var/run/squid.pid
shutdown_lifetime 10 seconds
#icp_port 3130
half_closed_clients off
umask 022
logfile_rotate 0
strip_query_terms off
On Fri, Sep 4, 2015 at 2:09 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 5/09/2015 5:48 a.m., Stanford Prescott wrote:
> > I have tried to enable safe searching with Squid 3.5.7 using ssl-bump
> > splice but when I enable it, browsing to https://google.com generates a
> > Squid error page saying there is no valid certificate. Browsing to all
> > other https sites loads the pages correctly and all other SSL-bump sites
> > get bumped and displayed correctly.
> >
> > Has anyone had any luck getting this to work? Here is the relevant
> > squid.conf entries
> >
>
> Please use 3.5.8. The ssl_bump behaviour got some more important fixes
> recently.
>
>
> >
> > acl s1_tls_connect at_step SslBump1
> > acl s2_tls_client_hello at_step SslBump2
> > acl s3_tls_server_hello at_step SslBump3
> >
> > acl tls_server_name_is_ip ssl::server_name_regex \
> > ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
>
> You have a letter 'n' on the end there, is that intentional?
>
> >
> > acl google ssl::server_name .google.com
> > ssl_bump peek s1_tls_connect all
> >
> > acl nobumpSites ssl::server_name .wellsfargo.com
> >
> > ssl_bump splice s2_tls_client_hello nobumpSites
> > ssl_bump splice s2_tls_client_hello google
> >
> > ssl_bump stare s2_tls_client_hello all
> >
> > ssl_bump bump s3_tls_server_hello all
> >
> > cache_peer forcesafesearch.google.com parent 443 0 \
> > ssl name=GS originserver \
> > no-query no-netdb-exchange no-digest
> >
> > acl search dstdomain .google.com
> > cache_peer_access GS allow search
> > cache_peer_access GS deny all
>
> I think the fake-CONNECT Squid creates still has only raw-IP:port
> details. And with splicing you don't have the decrypt to setup dstdomain
> URL details.
>
> For dstdomain you need to match what shows up in access.log as the URI
> of these requests.
>
> Does the "google" ACL work in cache_peer_access to use the SNI?
>
>
> >
> > sslproxy_cert_error allow tls_server_name_is_ip
> >
> > sslproxy_cert_error deny all
> > sslproxy_flags DONT_VERIFY_PEER
> >
>
> The flag DONT_VERIFY_PEER tells Squid not to even bother checking any
> security on the outgoing server connection when going DIRECT (not to the
> cache_peer). Making the sslproxy_cert_error rules useless.
>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
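The two mechanical points in this exchange (that the spliced CONNECT entries in access.log carry only a raw IP:port, so a dstdomain ACL can never match them, and that the trailing "n" in the posted server_name_regex means it matches no real IP) can be checked offline. The following is an added example, not code from the thread or from the Squid project: it parses a handful of access.log lines reconstructed from the ones Stanford quoted (the doubleclick query string is shortened), applies a simplified model of Squid's dstdomain matching (leading dot matches the domain and its subdomains, exact otherwise), and evaluates both the posted and the intended server_name_regex against an IP literal. The helper names and the dstdomain model are this example's own assumptions.

```python
import re

# Constructed sample: access.log lines reconstructed from those quoted in the
# thread (Squid native log format). The doubleclick query string is shortened.
SAMPLE_ACCESS_LOG = """\
1441396051.210     62 10.3.3.100 TCP_MISS/503 3639 GET http://www.google.com/ - FIRSTUP_PARENT/216.239.38.120 text/html
1441396097.795     81 10.3.3.100 TAG_NONE/200 0 CONNECT 74.125.227.191:443 - ORIGINAL_DST/74.125.227.191 -
1441396098.877     79 10.3.3.100 TCP_MISS/200 840 POST http://clients1.google.com/ocsp - ORIGINAL_DST/74.125.227.168 application/ocsp-response
1441396098.878    621 10.3.3.100 TCP_TUNNEL/200 5123 CONNECT 74.125.227.160:443 - ORIGINAL_DST/74.125.227.160 -
1441396099.189    106 10.3.3.100 TCP_MISS/200 809 GET https://googleads.g.doubleclick.net/pagead/drt/si?ogt=1 - ORIGINAL_DST/74.125.227.217 image/gif
"""

# Native format: time elapsed client result/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+'
    r'(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+'
    r'(?P<hier>\S+)\s+(?P<ctype>\S+)$')

# The regex exactly as it ended up in squid.conf, and what the perl
# print statement (with \. and $ intact) was meant to produce.
POSTED_REGEX = r'^[0-9]+.[0-9]+.[0-9]+.[0-9]+n'
INTENDED_REGEX = r'^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'


def parse_access_log(text):
    """Return one dict per parseable access.log line."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def url_host(method, url):
    """Host that dstdomain would be evaluated against.

    For CONNECT (and the fake CONNECT Squid builds for intercepted TLS) the
    "URL" is host:port, and here the host is the raw destination IP.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    m = re.match(r'^[a-z]+://([^/:]+)', url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def dstdomain_matches(pattern, host):
    """Simplified model of Squid dstdomain (assumption of this example):
    a leading dot matches the domain itself and any subdomain; otherwise
    the match is exact. An IP literal never matches a domain pattern."""
    if host is None:
        return False
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def classify(entries, pattern=".google.com"):
    """Split log entries into URLs a dstdomain ACL would and would not match."""
    matched, unmatched = [], []
    for e in entries:
        host = url_host(e["method"], e["url"])
        (matched if dstdomain_matches(pattern, host) else unmatched).append(e["url"])
    return matched, unmatched


def server_name_is_ip(regex, server_name):
    """Emulate ssl::server_name_regex: does the regex hit this server name?"""
    return re.search(regex, server_name) is not None


if __name__ == "__main__":
    matched, unmatched = classify(parse_access_log(SAMPLE_ACCESS_LOG))
    print("dstdomain .google.com matches:  ", matched)
    print("dstdomain .google.com misses:   ", unmatched)
    for name in ("74.125.227.191", "www.google.com", "1x2y3z4n"):
        print(f"{name:16} posted={server_name_is_ip(POSTED_REGEX, name)!s:5} "
              f"intended={server_name_is_ip(INTENDED_REGEX, name)}")
```

Running it shows why the two ACLs behave as observed: only the plain-HTTP GET/POST URLs carry a .google.com host, every CONNECT carries 74.125.227.x and misses; and the posted regex never fires on a dotted-quad SNI (it requires a literal "n" after the last digits, while the unescaped dots let nonsense like "1x2y3z4n" through), so the `sslproxy_cert_error allow tls_server_name_is_ip` rule never applies to an IP-literal server name.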