[squid-users] Browser circunvents acl's blocking https (intercept mode)

Jok Thuau jok at spikes.com
Sun Apr 17 01:53:00 UTC 2016 

Blocking YouTube (appear to be on your list) is tricky, if the browser is chrome:

https://en.m.wikipedia.org/wiki/QUIC

If you click on the 'green lock' and look at the connection you will see it's not using https (funnily enough, the ads there do!).

Look at the wiki for more info on how to block QUIC.

> On Apr 16, 2016, at 4:10 PM, Sergio Belkin <sebelk at gmail.com> wrote:
> 
> Hi,
> 
> I cannot block some sites using squid 3.4.8, this the configuration. On Firefox, blocking works, browser says:
> 
> `Error code: SSL_ERROR_RX_RECORD_TOO_LONG`
> 
> But on Chromium VersiĆ³n 49.0.2623.108, browser is not affected by the blocking acl's, despite access_logs says:
> 
> ````
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] " %BA%5D%B71A%E2%90C%BD0:Ep%82%99%FE%88 HTTP/0.0" 400 3638 "-" "-" TAG_NONE:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] " %11Tf%03%A4%83%F3%8C%EE HTTP/0.0" 400 3614 "-" "-" TAG_NONE:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:23 -0300] "CONNECT 172.217.29.14:443 HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
> 192.168.80.250 - - [16/Apr/2016:19:53:23 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
> ````
> 
> Debugging I've found this in cache.log:
> 
> ````
> 2016/04/16 20:00:21.924 kid1| client_side.cc(864) swanSong: local=172.217.28.225:443 remote=192.168.80.250:55068 flags=33
> 2016/04/16 20:00:21.925 kid1| Checklist.cc(62) preCheck: 0x7eff3754 checking fast ACLs
> 2016/04/16 20:00:21.925 kid1| Acl.cc(157) matches: checking access_log daemon:/var/log/squid3/access.log
> 2016/04/16 20:00:21.925 kid1| Acl.cc(157) matches: checking (access_log daemon:/var/log/squid3/access.log line)
> 2016/04/16 20:00:21.925 kid1| Acl.cc(177) matches: checked: (access_log daemon:/var/log/squid3/access.log line) = 1
> 2016/04/16 20:00:21.926 kid1| Acl.cc(177) matches: checked: access_log daemon:/var/log/squid3/access.log = 1
> 2016/04/16 20:00:21.926 kid1| Checklist.cc(55) markFinished: 0x7eff3754 answer ALLOWED for match
> ````
> 
> Please could you help? Am I missing something? Below, my configuration:
> 
> ````
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> acl tvsamsung src 192.168.80.160
> acl sarmiento src 192.168.80.248
> acl netbook src 192.168.80.245
> acl dompermitidos dstdomain "/etc/squid3/rules/whitelistdom"
> acl streaming dstdomain "/etc/squid3/rules/streaming"
> acl test  dstdomain .debian.org
> acl streamingips dst "/etc/squid3/rules/streamingips"
> acl sergiocel src 192.168.80.249
> acl tiempojuanse time SMTWHFA 10:00-13:00
> acl tiempojuanse time SMTWHFA 16:00-22:00
> acl yt dstdomain .youtube.com
> acl facebook dstdomain .facebook.com
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> always_direct allow all
> ssl_bump none all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> http_access allow  tvsamsung
> http_access deny yt
> http_access allow facebook
> http_access deny  streaming
> http_access deny  streamingips
> http_access allow dompermitidos
> http_access allow  sarmiento
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 3128
> http_port 3127 intercept
> https_port 8080 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/proxy/ssl_cert/example.com.cert key=/home/proxy/ssl_cert/example.com.private
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
> access_log daemon:/var/log/squid3/access.log combined
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> ````
> 
> Thanks in advance!
> -- 
> --
> Sergio Belkin
> LPIC-2 Certified - http://www.lpi.org
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160416/fd385694/attachment.html>

More information about the squid-users mailing list