[squid-users] Bypassed Proxy

Sameh Onaissi sameh.onaissi at solcv.com
Wed Dec 21 22:19:41 UTC 2016


Hi Eliezer,


squid.conf: http://pastebin.com/7Nusciiu

squidguard.conf: http://pastebin.com/DiRgD23c


I think the client is using a Google chrome extension: https://chrome.google.com/webstore/detail/hotspot-shield-free-vpn-p/nlbejmccbhkncgokjcmghpfloaajcffj?hl=en

(can’t get cache logs now as client is disconnected)
On Dec 21, 2016, at 1:43 PM, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:

How does squid.conf look now?
It’s probably a typo or some settings exception.
You need to debug and check first if squidguard receives the request details
and what it does with it.
To see the relevant details you will need to use squid debug_options:
http://wiki.squid-cache.org/KnowledgeBase/DebugSections

Specifically section 61.
You should add to squid.conf the line
debug_options ALL,1 61,6

And your cache.log will be flooded with details about any request that is
being passed to squidguard.
I believe that this should be a start point that will show you if squid is
sending the request to squidguard and how squidguard answers.
If you want more help share with a paste the current squid.conf and
squidguard.conf.
This way even if it’s not related directly to squid we can see if there is a
hole in the setup you don’t see yet.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
Behalf Of Sameh Onaissi
Sent: Wednesday, December 21, 2016 7:14 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Bypassed Proxy

Hello all,

I got a transparent squid installed on Ubuntu 16.04

Using squid guard, I am blocking certain websites, including youtube.

Anytime a user tries accessing it, he/she is redirected to an access denied
page.

Except for ONE user!

One user is somehow able to access YouTube through squid!
That IP is not on the exempt list, and has no special configurations.

access.log:

1482339083.228      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.324      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.331      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.422      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.436      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.517      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339086.251      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html


Any other user tries and gets:

1482339588.002    350 10.0.0.40 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/190.xxx.xxx.xxx text/html

That is the redirect html page.

My deny list where youtube is:

var/lib/squidguard/db/deny/urls has http://www.youtube.com
var/lib/squidguard/db/deny/domains has http://youtube.com


Any idea to how he is doing it?

I can add a rule to specifically deny 10.0.0.162, but I want to know how he
is doing it to prevent it for others. Also this is a dynamic IP.

Thank you,
Sam
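Editor's note: the thread turns on reading the two kinds of access.log entry side by side (TAG_NONE/503 CONNECT with HIER_NONE for the one client, TCP_MISS/200 GET with HIER_DIRECT for everyone else). The script below is an added example, not code from the thread or from the Squid or squidGuard projects. It parses squid's native access.log format, keeps only requests whose host falls under a list of blocked domains, tallies per client how squid handled them (method, result code/status, hierarchy code), and reports clients whose dominant handling differs from the majority. The log lines, client addresses and the 203.0.113.x / 93.184.216.34 peer addresses are constructed for the example and modelled on the lines posted above; the blocked-domain list is an assumption.

```python
"""Per-client summary of how squid handled requests to blocked domains.

Added example for the squid-users thread above; the sample log is
constructed and modelled on the lines posted in the thread.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Squid native access.log layout:
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Assumed deny list for the example (bare domains, subdomains included).
BLOCKED = ["youtube.com"]

# Constructed sample log: one client hitting 503/HIER_NONE on CONNECT,
# two clients receiving the 200 redirect page, plus unrelated traffic.
SAMPLE_LOG = """\
1482339083.228      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339083.324      0 10.0.0.162 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482339588.002    350 10.0.0.40 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/203.0.113.10 text/html
1482339590.115    120 10.0.0.41 TCP_MISS/200 611 GET https://www.youtube.com/ - HIER_DIRECT/203.0.113.10 text/html
1482339600.000     40 10.0.0.40 TCP_MISS/200 12000 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
"""


def host_of(method, url):
    """Extract the destination host; CONNECT logs host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    """Return the fields of one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["host"] = host_of(entry["method"], entry["url"])
    return entry


def is_blocked(host, blocked_domains):
    """True if host equals a blocked domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


def summarise(lines, blocked_domains):
    """Map client IP -> Counter of (method, code/status, hierarchy) for blocked hosts."""
    per_client = defaultdict(Counter)
    for line in lines:
        e = parse_line(line)
        if e is None or not is_blocked(e["host"], blocked_domains):
            continue
        key = (e["method"], e["code"] + "/" + e["status"], e["hier"])
        per_client[e["client"]][key] += 1
    return per_client


def outliers(per_client):
    """Clients whose most frequent handling differs from the most common
    per-client handling across the fleet (one vote per client, so a
    chatty client cannot define the baseline by volume)."""
    dominant = {c: cnt.most_common(1)[0][0] for c, cnt in per_client.items()}
    baseline = Counter(dominant.values()).most_common(1)[0][0]
    return sorted(c for c, key in dominant.items() if key != baseline)


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines(), BLOCKED)
    for client, counts in sorted(summary.items()):
        for (method, result, hier), n in counts.most_common():
            print(f"{client:12} {method:8} {result:14} {hier:12} x{n}")
    print("outliers:", outliers(summary))
```

Run it against the real file with `summarise(open("/var/log/squid/access.log"), BLOCKED)`; a client whose blocked-domain requests never reach HIER_DIRECT and never get the 200 redirect page is the one to pair with the `debug_options ALL,1 61,6` cache.log trace Eliezer suggests, to see whether the redirector was consulted for those requests at all.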