[squid-users] Filtering HTTPS URLs

Victor Hugo fourtrials at gmail.com
Thu Feb 11 22:37:02 UTC 2016


Hi Panda,

Thanks for the suggestion.

I'm assuming from Panda's and Amos's responses that what I'm trying to
achieve should actually be possible?

I tried adding what you suggested but unfortunately it didn't work.

New Config (based on Panda's suggestion):
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl localnet src 132.234.0.0/16 # ANDREWN: Griffith University network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
acl whitelist-regex url_regex -i reddit.com/r/news
http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

Browsing to https://www.reddit.com/r/news still gives the following in the
access.log:
1455229976.342      0 132.234.20.39 TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
1455229976.423      0 132.234.20.39 TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
1455229976.537      0 132.234.20.39 TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -

Will now try Amos's suggestions of looking further into the SSL options and
trying the 4.0.5 release, and will email the list to say how it goes.

Thanks.
Victor

On Thu, Feb 11, 2016 at 11:46 PM, Panda Admin <pandanonomous at gmail.com>
wrote:

> Try adding
> acl step1 at_step SslBump1
> ssl_bump peek step1 bump_sites
>
> This worked for me.  Just a suggestion:)
>
>
> On Thu, Feb 11, 2016 at 3:59 AM, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> On 11/02/2016 1:05 p.m., Victor Hugo wrote:
>> > Hi,
>> >
>> > I was wondering if it is possible to filter HTTPS URLs using squid (for
>> > example to blacklist reddit.com but allow
>> https://www.reddit.com/r/news/)?
>> >
>> > I thought this may be possible using ssl_bump and url_regex. I have been
>> > trying this using squid 3.5.13 but with no success.
>> >
>> > Here is the squid configuration that I have tried but doesn't seem to
>> work
>> > (it works for http sites though):
>> >
>>
>> <snip>
>> >
>> > acl whitelist-regex url_regex -i reddit.com/r/news
>> > http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> > acl bump_sites ssl::server_name .reddit.com
>> > ssl_bump bump bump_sites
>> > ssl_bump splice !bump_sites
>> > http_access allow whitelist-regex
>> > http_access allow localhost
>> > http_access deny all
>>
>> > Relevant access.log output (IP addresses redacted to x.x.x.x):
>> > 1455145755.589      0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
>>
>> So this is the bump happening, as you wanted.
>>
>> > 1455145755.669      0 x.x.x.x TAG_NONE/403 4011 GET
>> > https://www.reddit.com/r/news - HIER_NONE/- text/html
>>
>> And something else has 403 (Forbidden) the request. Your ACL and
>> http_access config looks fine. So I don't think it's that.
>>
>>
>> The first oddity is that your ssl_bump rules are doing bump without
>> having fetched the clientHello details yet. So this is a "client-first"
>> bumping situation in which Squid first negotiates TLS / HTTPS with the
>> client, then completely separately negotiates TLS/HTTPS with the server.
>>  - any errors in the server TLS might result in something like this 403
>> (though it should be a 5xx status, it may not always be).
>>  - the sslproxy_* settings are entirely what controls the server
>> connection TLS.
>>
>>
>> Second oddity is that it's saying DENIED/200. 200 is 'allowed' in CONNECT
>> actions. This could be a logging bug, or a sign of something going wrong
>> in the bumping stage that alters the CONNECT logging as well.
>>
>>
>> Are you able to experiment with using the Squid-4.0.5 release? There are
>> some bumping bug fixes that are only in that release series.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
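Worked configuration, added here as an example; it is not from any message in this thread nor from the Squid project's own documentation. It shows a peek-then-bump ssl_bump ordering for Squid 3.5 together with http_access rules that let the CONNECT through. The detail it addresses is visible in the access.log lines above: the CONNECT request's URL is `www.reddit.com:443`, an authority form with no path, so a path-based `url_regex` such as `reddit.com/r/news` can never match it, and the CONNECT falls through to `http_access deny all` and is logged TCP_DENIED; only the decrypted inner `GET https://www.reddit.com/r/news` carries a path the regex can match. The ACL names, CA path, listening port and the `localnet` ACL are the ones from the thread; the anchored regex and the `reddit_hosts` ACL are my additions. Whether this removes the 403 on that particular installation is not something this page confirms.

```conf
# --- ssl_bump: decide only after the client's SNI has been peeked ---
acl step1 at_step SslBump1
acl bump_sites ssl::server_name .reddit.com

ssl_bump peek step1        # step 1: read the ClientHello (SNI) before deciding anything
ssl_bump bump bump_sites   # step 2: bump only reddit.com, using the generated host cert
ssl_bump splice all        # every other TLS session is tunnelled untouched

http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# --- http_access is evaluated twice for a bumped site ---
#  1) for the CONNECT itself: URL is "www.reddit.com:443" (host:port, no path)
#  2) for each decrypted request inside the tunnel: full https:// URL with path
#
# Anchored at the scheme and host so that "https://evil.example/?q=reddit.com/r/news"
# does not slip through an unanchored "reddit.com/r/news" pattern.
acl whitelist-regex url_regex -i ^https://(www\.)?reddit\.com/r/news
acl reddit_hosts dstdomain .reddit.com   # matches the CONNECT host (assumed name)

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Let the tunnel to reddit.com be established so the inner request can be inspected.
# Without this line the CONNECT is denied before any path is ever seen.
http_access allow CONNECT reddit_hosts localnet

# Inner GET https://www.reddit.com/r/news passes; any other reddit.com path is denied below.
http_access allow whitelist-regex localnet
http_access allow localhost
http_access deny all
```

Two caveats a deployment needs: the clients must trust `myCA.pem` or every bumped reddit.com page will show a certificate error, and `ssl::server_name` at step 2 comes from the client's SNI, so a client that sends a CONNECT for `www.reddit.com:443` but an SNI for another host is a mismatch that Squid 3.5 handles according to its own rules, not by this config.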