[squid-users] Bypassed Proxy

Sameh Onaissi sameh.onaissi at solcv.com
Thu Dec 22 21:50:33 UTC 2016


Hi Paul and thank you for your reply.

I did try the extension and Squid blocked it right away.

The user has hotspot shield installed on his PC, which I believe is a similar extension to the one you mentioned.
My squid.conf blocks domains; I have a bypass list of IPs for local company servers and Skype For Business.

The user has hotspot shield installed, both the chrome extension and the desktop software, although the chrome extension is always Off from what I have seen (red icon when off, green when on).

He is getting past squid with some sort of VPN. I thought squid could be configured against such things?




On Dec 22, 2016, at 4:34 PM, Paul Freeman <paul.freeman at emlchem.com.au> wrote:

Sam,
I haven’t followed your thread closely so what I am about to mention may already have been discussed. Apologies if this is the case.

As Alex says, the connections to youtube receive a 503 but then there are successful connects on port 443 to numerous sites by IP address rather than hostname.

Doing a reverse lookup on the IP addresses shows some are in the northghost.com DNS domain name.

I looked up northghost.com and they offer an app for mobiles or an add-on for Chrome called Touch VPN. Perhaps this might be being used by your user although I don’t really know how it works and whether it really is how the user appears to be bypassing the proxy.

In your squid.conf or other access control systems, do you allow urls specified by IP as well as hostnames?

Paul

NOTE: This email contains my personal opinions and comments which do not necessarily represent those of my employer.


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Sameh Onaissi
Sent: Friday, 23 December 2016 8:03 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Bypassed Proxy

Hello,


Eliezer’s recommended fix did not work.

The user was on YouTube watching UFC all day today.

Here’s a copy of the log at the time.
1482436450.285    353 10.0.0.105 TAG_NONE/200 0 CONNECT 167.114.159.186:443 - ORIGINAL_DST/167.114.159.186 -
1482436450.303      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.318   4756 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.340      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.567    839 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -
1482436450.585      0 10.0.0.105 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.650    373 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.7.35:443 - ORIGINAL_DST/85.203.7.35 -
1482436450.669      0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.682   1969 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436450.706    386 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.73.9:443 - ORIGINAL_DST/188.166.73.9 -
1482436450.740   6540 10.0.0.105 TAG_NONE/200 0 CONNECT 85.203.18.254:443 - ORIGINAL_DST/85.203.18.254 -
1482436450.784      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.784      0 10.0.0.105 TAG_NONE/503 4453 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.784      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.909    469 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
1482436450.927   1882 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
1482436450.940      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.955      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.063    197 10.0.0.105 TAG_NONE/200 0 CONNECT 208.123.223.254:443 - ORIGINAL_DST/208.123.223.254 -
1482436451.080      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.217    434 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.97.9:443 - ORIGINAL_DST/138.68.97.9 -
1482436451.236      0 10.0.0.105 TAG_NONE/503 4450 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.322    271 10.0.0.105 TAG_NONE/200 0 CONNECT 65.52.108.76:443 - ORIGINAL_DST/65.52.108.76 -
1482436451.345    479 10.0.0.105 TAG_NONE/200 0 CONNECT 138.68.93.229:443 - ORIGINAL_DST/138.68.93.229 -
1482436451.361      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.498   4240 10.0.0.105 TAG_NONE/200 0 CONNECT 139.59.225.84:443 - ORIGINAL_DST/139.59.225.84 -
1482436451.530      0 10.0.0.105 TAG_NONE/503 4456 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436451.909    817 10.0.0.105 TAG_NONE/200 0 CONNECT 188.166.70.138:443 - ORIGINAL_DST/188.166.70.138 -



I know 503 is an error, but the user was using youtube without any hassles.
Those IPs are for Digital Ocean and Alentus Corporation.

Squid is being “fooled” somehow.
I did notice the 503, which made it more confusing to me.
The reason I investigated the issue was because I saw youtube working on the client’s PC with a blue shield-like icon along with some words on top of the youtube page (was not close enough to see the exact logo/words). The video was working fine, but that blue shield extension seems to be the reason behind “fooling” squid.

Both the chrome extension and the Desktop client are installed on the machine.

I tried replicating that, but I couldn’t even connect the client.

What should I be looking for in cache.log?


Thanks again!

Sam

On Dec 21, 2016, at 6:59 PM, Sameh Onaissi <sameh.onaissi at solcv.com> wrote:

On Dec 21, 2016, at 6:51 PM, Alex Rousskov <rousskov at measurement-factory.com> wrote:

On 12/21/2016 10:14 AM, Sameh Onaissi wrote:


One user is somehow able to access YouTube through squid!


1482339083.228      0 10.0.0.162 TAG_NONE/503 4459 CONNECT s.youtube.com:443 - HIER_NONE/- text/html

What makes you think this user was able to access youtube? AFAICT, Squid
responded with an error (TAG_NONE/503) and did not contact the origin
server (HIER_NONE/-).

I did notice the 503, which made it more confusing to me.
The reason I investigated the issue was because I saw youtube working on the client’s PC with a blue shield-like icon along with some words on top of the youtube page (was not close enough to see the exact logo/words). The video was working fine, but that blue shield extension seems to be the reason behind “fooling” squid.

In any case, I applied the ACLs to the squid.conf as Eliezer recommended, now I’ll wait till the user comes back in tomorrow to see if it worked.



I understand that you want Squid to redirect users instead of responding
with an error. This 503 response could be due to Squid being unable to
bump the user connection for some reason. Successful bumping is required
to redirect users.

You may see more details inside that error response itself. Others on
the list may be able to help you to get to that response in Squid logs
or packet captures.


HTH,

Alex.

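The pattern visible in the quoted logs (503 errors for blocked hostnames next to successful ORIGINAL_DST CONNECTs to bare IP addresses from the same client) can be picked out of access.log mechanically. The script below is an added example, not code from the thread or from the Squid project; it assumes Squid's default native log format (timestamp, elapsed ms, client, code/status, bytes, method, URL, user, hierarchy/peer, MIME type) and uses constructed sample lines with documentation IP ranges rather than the addresses posted in the thread.

```python
"""Flag proxy clients whose CONNECT requests go to IP literals.

Added example for the squid-users thread; not Squid's own code. Reads
Squid's native access.log format and reports, per client, CONNECTs to
bare IP addresses versus hostnames plus 5xx replies. A client that is
denied by hostname (503, HIER_NONE) but then tunnels to many IP literals
(ORIGINAL_DST) is the pattern seen in the posted logs.
"""
import ipaddress
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format
# (documentation IP ranges, not the addresses from the thread).
SAMPLE_LOG = """\
1482436450.285    353 10.0.0.105 TAG_NONE/200 0 CONNECT 203.0.113.10:443 - ORIGINAL_DST/203.0.113.10 -
1482436450.303      0 10.0.0.105 TAG_NONE/503 4462 CONNECT s.youtube.com:443 - HIER_NONE/- text/html
1482436450.318   4756 10.0.0.105 TAG_NONE/200 0 CONNECT 198.51.100.7:443 - ORIGINAL_DST/198.51.100.7 -
1482436450.567    839 10.0.0.105 TAG_NONE/200 0 CONNECT 203.0.113.10:443 - ORIGINAL_DST/203.0.113.10 -
1482436450.700    210 10.0.0.105 TAG_NONE/200 0 CONNECT [2001:db8::5]:443 - ORIGINAL_DST/2001:db8::5 -
1482436451.001    120 10.0.0.42 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 - HIER_DIRECT/192.0.2.80 -
1482436451.200     90 10.0.0.42 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/192.0.2.80 text/html
"""

# Field order of the native format; whitespace-separated, so split() works
# even though Squid pads the elapsed-time column.
FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "mime")


def parse_line(line):
    """Parse one native-format line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    code, _, status = rec["result"].partition("/")      # e.g. TAG_NONE/503
    rec["code"] = code
    rec["status"] = int(status) if status.isdigit() else None
    hier, _, peer = rec["hierarchy"].partition("/")     # e.g. ORIGINAL_DST/ip
    rec["hier_code"] = hier
    rec["peer"] = peer
    return rec


def connect_host(url):
    """Host part of a CONNECT target: 'host:port' or '[v6addr]:port'."""
    if url.startswith("["):
        return url[1:url.index("]")]
    return url.rsplit(":", 1)[0]


def is_ip_literal(host):
    """True when the CONNECT target is an address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def summarize(log_text):
    """Per-client counters: IP-literal vs hostname CONNECTs, 5xx replies,
    and the set of IP-literal targets seen."""
    stats = defaultdict(lambda: {"connect_ip": 0, "connect_host": 0,
                                 "error_5xx": 0, "ip_targets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        if rec["status"] is not None and rec["status"] >= 500:
            s["error_5xx"] += 1
        if rec["method"] == "CONNECT":
            host = connect_host(rec["url"])
            if is_ip_literal(host):
                s["connect_ip"] += 1
                s["ip_targets"].add(host)
            else:
                s["connect_host"] += 1
    return dict(stats)


def flag_clients(stats, min_ip_connects=3):
    """Clients whose IP-literal CONNECT count reaches the threshold
    (threshold is an arbitrary example value; tune it to your traffic)."""
    return sorted(c for c, s in stats.items()
                  if s["connect_ip"] >= min_ip_connects)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for client in flag_clients(stats):
        s = stats[client]
        print(f"{client}: {s['connect_ip']} CONNECTs to IP literals "
              f"({', '.join(sorted(s['ip_targets']))}), "
              f"{s['error_5xx']} 5xx replies")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; the flagged clients and their IP-literal targets are the ones to cross-check against the bypass list and reverse DNS, as Paul did by hand above. Whether Squid should also deny CONNECT to IP literals outright is a policy decision for the squid.conf ACLs; this script only surfaces the pattern.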