[squid-users] How to block www.infobae.com

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 23 05:36:17 UTC 2016


You can simplify this quite a bit which might make things clearer.

Though please ensure that you are using a current 3.5.19 or later since
you are using SSL-Bump feature. Then run "squid -k parse" and erase the
obsolete options from your config file.


On 23/11/2016 12:40 a.m., chcs wrote:
> My squid (3.5.21) conf file:
> 
> http_port 192.168.10.1:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem
> capath=/usr/local/share/certs/
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> 
> http_port 5.5.5.1:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem
> capath=/usr/local/share/certs/
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> 
> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem
> capath=/usr/local/share/certs/
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> 
> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem
> capath=/usr/local/share/certs/
> cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> dhparams=/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> 

For all of the above;
* you have not configured an EC cipher to use (tls-dh= option)
  - so none of the ECDHE ciphers will work

* you have disabled DES
  - so none of the DES ciphers will work

* you have disabled RC4
  - so none of the RC4 ciphers will work

Please run the command:
  openssl ciphers -v \
  'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS' \
  | grep -v EC

to see what ciphers your Squid machine actually has available after that
reduction.

> icp_port 0
> dns_v4_first on
> pid_filename /var/run/squid/squid.pid
> cache_effective_user squid
> cache_effective_group proxy
> error_default_language es
> icon_directory /usr/local/etc/squid/icons
> visible_hostname chcs
> cache_mgr chca at hotmail.com
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none
> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/local/libexec/squid/pinger

Most of the above are default values. Check them against your Squid
version documentation and remove the ones that actually are default.
 <http://www.squid-config.org/Doc/config/>

> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db
> -M 4MB -b 2048
> sslcrtd_children 5
> sslproxy_capath /usr/local/share/certs/
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cipher
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> 

Similar problem as with the ports. Only the EC ciphers should work here
because the client does not need to configure a cipher.


> logfile_rotate 10
> debug_options rotate=10

Above are more defaults you can remove.

> shutdown_lifetime 3 seconds
> # Allow local network(s) on interface(s)
> acl localnet src  192.168.10.0/24 5.5.5.0/24

Your LAN contains global IP address space 5.5.5.0/24?

> forwarded_for on
> via off
> httpd_suppress_version_string on
> uri_whitespace strip
> 
> acl dynamic urlpath_regex cgi-bin \?
> cache deny dynamic

You already have the required refresh_pattern to handle these objects
correctly. You may want to consider removing the above two lines.


> 
> cache_mem 1200 MB
> maximum_object_size_in_memory 256 KB
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> minimum_object_size 0 KB
> maximum_object_size 50 MB
> cache_dir aufs /var/squid/cache 128000 32 256

These...
> offline_mode off
> cache_swap_low 90
> cache_swap_high 95
> cache allow all

... are more unnecessary defaults.


> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:    1440  20%  10080
> refresh_pattern ^gopher:  1440  0%  1440
> refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
> refresh_pattern .    0  20%  4320
> 

If you actually read the text in the comments below you will see that
most of these lines can be erased from your config file:

> # Setup some default acls
> # From 3.2 further configuration cleanups have been done to make things
> easier and safer. The manager, localhost, and to_localhost ACL definitions
> are now built-in.
> # acl localhost src 127.0.0.1/32
> acl allsrc src all
> acl safeports port 21 70 80 210 280 443
> acl sslports port 443 563 8500 443 563
> 
> # From 3.2 further configuration cleanups have been done to make things
> easier and safer. The manager, localhost, and to_localhost ACL definitions
> are now built-in.
> #acl manager proto cache_object
> 

NP: the "allsrc" ACL is pointless. "all" works just fine still. It is
built-in too.

... leaving you with just:
 acl safeports port 21 70 80 210 280 443
 acl sslports port 443 563 8500 443 563

(though why you rename the default Safe_ports and SSL_ports ACLs is
beyond me).

> acl purge method PURGE
> acl connect method CONNECT
> 
> # Define protocols used for redirects
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
> acl allowed_subnets src 192.168.10.0/24 5.5.5.0/24

So "allowed_subnets" is identical to localnet.

Replace all 0 uses of "allowed_subnets" with "localnet" and remove the
above line.

Current recommendations are to move all these manager and purge lines:

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge

... from here ...

> http_access deny !safeports
> http_access deny CONNECT !sslports

... down to here after the quicker port checks have blocked attacks.

Also, your Squid does not appear to be doing anything that would make
you need PURGE functionality. You can remove the purge stuff and your
Squid will work a bit faster and with less memory.

> 
> request_body_max_size 0 KB
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow allsrc

The delay pool feature is doing nothing for your Squid except wasting
CPU time and memory. Erase all the above delay pool lines.

> 
> always_direct allow all

Unnecessary old hack for Squid-3.1 SSL-Bump. Remove the above line.

If you are still using Squid-3.1 upgrade *urgently*.

> 
> # Determines IPs for todopermitido
> acl todopermitido src "/usr/local/etc/squid/reglas/todopermitido.ips"
> 
> # Determines IPs for parcialpermitido
> acl parcialpermitido src "/usr/local/etc/squid/reglas/parcialpermitido.ips"
> 
> # Determines IPs for dhcp_lanwifi
> acl dhcp_lanwifi src "/usr/local/etc/squid/reglas/dhcp_lanwifi.ips"
> 

parcialpermitido and dhcp_lanwifi are of the same type and the rules
applied to both are identical.

You can simplify quite a bit by loading them into the same ACL check.
Like this:


 # Determines IPs for parcialpermitido
 acl parcialpermitido src "./parcialpermitido.ips"

 # Determines IPs for dhcp_lanwifi
 acl parcialpermitido src "./dhcp_lanwifi.ips"

... then removing all other lines mentioning "dhcp_lanwifi".


> # Rules for permitidos
> acl permitidos dstdomain "/usr/local/etc/squid/reglas/permitidos.acl"
> 
> # Rules for nopermitidos
> acl nopermitidos dstdomain "/usr/local/etc/squid/reglas/nopermitidos.acl"
> 
> # Determines files not allowed to be downloaded
> acl extNO urlpath_regex -i "/usr/local/etc/squid/reglas/extNO.acl"
> 
> # Access
> 
> # Permissions for "todopermitido" IPs
> # http_reply_access allow todopermitido skype
> # http_reply_access allow todopermitido skypeIP
> http_access deny todopermitido sxl
> http_access deny todopermitido adsNO


"sxl" is not defined.

"adsNO" is also not defined.

Are you sure this is actually the config being run by your Squid?

> http_reply_access allow todopermitido all

Use of "all" is pointless here. Replace with:
 http_reply_access allow todopermitido

> 
> # Permissions for "parcialpermitido" IPs
> http_access deny parcialpermitido adsNO
> http_access deny parcialpermitido extNO
> http_reply_access allow parcialpermitido permitidos
> http_reply_access deny parcialpermitido nopermitidos
> 
> # Permissions for "dhcp_lanwifi" IPs
> http_access deny dhcp_lanwifi adsNO
> http_access deny dhcp_lanwifi extNO
> http_reply_access allow dhcp_lanwifi permitidos
> http_reply_access deny dhcp_lanwifi nopermitidos
> 

Since the next thing done is "deny all" you can remove all the lines
involving "nopermitidos". It is a waste of CPU cycles checking.


> # Sites not SSL-intercepted
> acl step1 at_step SslBump1
> acl excludeSSL ssl::server_name_regex
> "/usr/local/etc/squid/reglas/nossl.acl"
> ssl_bump peek step1
> ssl_bump splice todopermitido excludeSSL
> ssl_bump splice parcialpermitido excludeSSL
> ssl_bump splice dhcp_lanwifi excludeSSL
> ssl_bump bump all
> 
> # Deny everything by default
> http_reply_access deny all
> 


Your http_access rules look very bad. You have just the default rule of
"what is not denied explicitly is allowed".

So any visitor who is _not_ part of your todopermitido,
parcialpermitido, and dhcp_lanwifi files *is* allowed access to do
whatever they like with your proxy.

Also, any of the clients listed there is allowed to do anything they
like that is not explicitly forbidden.

Also, denying dstdomain, src, urlpath_* things at reply time is far too
late. All the badness they may be doing has already completed by the
time a reply starts coming back to Squid from the server.


So I advise re-writing your access rules as:

 http_access deny !safeports
 http_access deny CONNECT !sslports
 http_access allow localhost
 http_access deny manager
 http_access deny !localnet

 http_access deny todopermitido sxl
 http_access deny todopermitido adsNO
 http_access allow todopermitido

 http_access deny parcialpermitido adsNO
 http_access deny parcialpermitido extNO
 http_access allow parcialpermitido permitidos

 http_access deny all

NP: You may find there are things that have been happening that are not
allowed anymore with that. If you want them to keep happening add rules
to allow them.

As to your infobae problem: it might be a side effect of that weird
permissions setup. But I think it is more likely to be certificate
pinning done by your browser, or the restricted set of ciphers you are
using.

Amos

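The access-rule point above (a ruleset whose last line is a "deny" silently allows anything that matches nothing) is easy to check by hand. The following is an added example, not part of Amos's reply or of the posted config: a small Python simulator of Squid's documented http_access semantics (first matching line wins, ACLs on one line are ANDed, and when no line matches the result is the opposite of the last line's action). It models only the ACL types this thread uses and runs the poster's http_access lines next to Amos's suggested order. The subnets, domains, client addresses and file contents are constructed for illustration; the "sxl" and "adsNO" ACLs are left out because the posted config never defines them and Squid would refuse to start with undefined ACLs.

```python
"""Added example: simulate Squid http_access evaluation for two rule orders.
ACL values, client addresses and domains are constructed, not from the thread.
"""
import ipaddress
import re

# ACL table: name -> (type, values).  Constructed stand-ins for the poster's files.
ACLS = {
    "all":              ("src", ["0.0.0.0/0"]),
    "localhost":        ("src", ["127.0.0.0/8"]),       # built-in since 3.2
    "localnet":         ("src", ["192.168.10.0/24", "5.5.5.0/24"]),
    "todopermitido":    ("src", ["192.168.10.10/32"]),
    "parcialpermitido": ("src", ["192.168.10.20/32", "5.5.5.20/32"]),
    "safeports":        ("port", [21, 70, 80, 210, 280, 443]),
    "sslports":         ("port", [443, 563, 8500]),
    "CONNECT":          ("method", ["CONNECT"]),
    "manager":          ("proto", ["cache_object"]),    # built-in since 3.2
    "permitidos":       ("dstdomain", [".infobae.com", ".example.org"]),
    "extNO":            ("urlpath_regex", [r"\.exe$", r"\.torrent$"]),
}

def acl_matches(name, req):
    """True if the named ACL matches the request dict."""
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return req["port"] in values
    if kind == "method":
        return req["method"] in values
    if kind == "proto":
        return req["proto"] in values
    if kind == "dstdomain":   # ".example.com" matches the domain and its subdomains
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    if kind == "urlpath_regex":
        return any(re.search(v, req["path"], re.I) for v in values)
    raise ValueError(kind)

def parse_rules(text):
    """Turn http_access lines into (action, [acl terms]) tuples, keeping order."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def http_access(rules, req):
    """Return 'allow' or 'deny' using Squid's first-match semantics."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    # No line matched: default is the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

# The poster's http_access lines in their original order (sxl/adsNO lines omitted).
ORIGINAL_RULES = parse_rules("""
http_access allow manager localhost
http_access deny manager
http_access deny !safeports
http_access deny CONNECT !sslports
http_access deny parcialpermitido extNO
""")

# Amos's suggested order (same omission).
REWRITE_RULES = parse_rules("""
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
http_access deny manager
http_access deny !localnet
http_access allow todopermitido
http_access deny parcialpermitido extNO
http_access allow parcialpermitido permitidos
http_access deny all
""")

def request(src, host, path="/", port=80, method="GET", proto="http"):
    return {"src": src, "host": host, "path": path, "port": port,
            "method": method, "proto": proto}

# Constructed requests.
STRANGER = request("10.0.0.5", "www.example.net")               # in no list at all
PARTIAL_UNLISTED = request("192.168.10.20", "www.example.net")  # not in permitidos
PARTIAL_OK = request("192.168.10.20", "www.infobae.com")
PARTIAL_EXE = request("192.168.10.20", "www.infobae.com", "/setup.exe")

def compare(req):
    """(verdict under the posted rules, verdict under the rewrite)."""
    return http_access(ORIGINAL_RULES, req), http_access(REWRITE_RULES, req)

if __name__ == "__main__":
    for label, req in [("stranger", STRANGER), ("partial/unlisted", PARTIAL_UNLISTED),
                       ("partial/listed", PARTIAL_OK), ("partial/.exe", PARTIAL_EXE)]:
        orig, new = compare(req)
        print(f"{label:18s} posted={orig:5s} rewrite={new}")
```

Under the posted order the off-LAN "stranger" and the parcialpermitido client fetching an unlisted domain are both allowed, because nothing matches and the last line is a deny; under the rewrite both are refused by "deny !localnet" and the final "deny all" respectively, while the listed domain stays reachable and the .exe download is blocked in both.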