[squid-users] filtering http(s) sites, transparently

Yuri Voinov yvoinov at gmail.com
Wed Oct 26 18:45:19 UTC 2016 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
Jok,

it can be DNS leak. Does you tested it? 8.8.8.8 can be poisoned
(probably) or intercepted by ISP.


27.10.2016 0:01, Jok Thuau пишет:
> After being side-tracked with a few different project, I ended up with the config below. It appears to
do the right things, though the ACL organization could use some cleanup...
> (Browsing to authorized sites works, browsing to something else, i get
a denied page from squid)
>
> However, even though msdn.microsoft.com <http://msdn.microsoft.com> is
on my whitelist, it appears to "timeout". Looking at the logs, I see
entries like this:
>
> 2016/09/20 15:10:19.640 kid1| SECURITY ALERT: Host header forgery
detected on local=65.54.226.150:443 <http://65.54.226.150:443>
remote=10.11.12.13:51984 <http://10.0.32.177:51984> FD 18 flags=33
(local IP does not match any domain IP)
> 2016/09/20 15:10:19.640 kid1| SECURITY ALERT: By user agent:
> 2016/09/20 15:10:19.640 kid1| SECURITY ALERT: on URL:
msdn.microsoft.com:443 <http://msdn.microsoft.com:443>
> 2016/09/20 15:10:19.640 kid1| 4,2| errorpage.cc(1262) BuildContent: No
existing error page language negotiated for ERR_CONFLICT_HOST. Using
default error file.
> 2016/09/20 15:10:19.641 kid1| 20,2| store.cc(954) checkCachable:
StoreEntry::checkCachable: NO: not cachable
> 2016/09/20 15:10:19.641 kid1| 20,2| store.cc(954) checkCachable:
StoreEntry::checkCachable: NO: not cachable
> 2016/09/20 15:10:19.641 kid1| 88,2| client_side_reply.cc(2001)
processReplyAccessResult: The reply for CONNECT msdn.microsoft.com:443
<http://msdn.microsoft.com:443> is ALLOWED, because it matched SniBypass
> 2016/09/20 15:10:19.641 kid1| 33,2| client_side.cc(925)
deferRecipientForLater: clientSocketRecipient: Deferring request
msdn.microsoft.com:443 <http://msdn.microsoft.com:443>
>
> What is interesting is that we changed from using 8.8.8.8 as our DNS
server to a locally installed bind instance, and we no longer see any
issues.
> that is NOT what I expected... I can't explain why the client browser
was hanging. Any suggestions?
>
> It's all happy now, with the following config, with a firewall doing
policy based routing, a local iptables rule to redirect from port 443 to
8443, and from 80 to 3129, as well as the certificate deployed as
trusted on each endpoint:
>
> squid.conf:
> # setup standard ports
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> # for security
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> # not actually used and blocked by local firewall on host, but squid
complains if it's not there...
> http_port 3128
>
> # http intercept, and ACL that matches that inbound port
> http_port 3129 intercept
> acl http_proxy myportname 3129
>
> # same for https
> https_port 8443 intercept ssl-bump \
>     generate-host-certificates=on \
>     dynamic_cert_mem_cache_size=64MB \
>     cert=/etc/squid/ssl/proxy.pem \
>     key=/etc/squid/ssl/proxy.key \
>     cafile=/etc/squid/ssl/proxy.pe <http://proxy.pe>m
> acl https_proxy myportname 8443
>
> always_direct allow all
>
> # define the steps needed for bumping...
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> # and the list of domains that are allowed
> acl SniBypass ssl::server_name_regex -i "/etc/squid/snibypass.acl"
> acl http_bypass dstdom_regex -n -i "/etc/squid/snibypass.acl"
>
> # ensure we have target SSL port when checking data
> acl https_ok all-of SniBypass SSL_ports
> # and the destination domain when not SSL...
> acl http_ok all-of http_bypass Safe_ports
>
> # splice when we know the target matches
> ssl_bump splice SniBypass
> # peek and bump otherwise
> ssl_bump peek step1
> ssl_bump stare step2
> ssl_bump bump all
>
> # some options for the certificate generation..
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
> sslproxy_cert_sign_hash sha256
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 64MB
> sslcrtd_children 8 startup=1 idle=1
>
> # for http, let's block if we're not on the whitelist
> http_access         deny !http_ok        http_proxy
> # for https, let's wait until step3 of the bumping, so we can replace
the SSL content post-bumping)
> http_access         deny !https_ok step3 https_proxy
>
> # never cache anything
> cache deny all
>
> #for windows updates
> quick_abort_min -1
> range_offset_limit 0 all
>
> shutdown_lifetime 2 seconds
> connect_timeout 20 seconds
> #debug_options ALL,2
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

- -- 
Cats - delicious. You just do not know how to cook them.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJYEPm+AAoJENNXIZxhPexGnewH/0e2rK5ZU87NSgskaJsZ5orA
3E7kwxXa9pt8M1LJLlcSD73HM3ASfO3xKqY+ajhKp0hvcApH+SwJFUVyuQktAoVS
P96WCIwobasSH7rGuBvvsuny0pwDrJfjvdkJjD7e2l/qFkHE9Fv1HBwMD1Kidp51
mJ8hqhh/xghUDOQgcGN1+Ae519+jOBwE/R8/fgtQ/i5TJeljEVgEaLFcw7eZ2/E1
qk/H1kV3YCrVeslUWIxqxAPPhcS6WQLSaqKxlxYgVk1n0Ya2SC7u75MtK2n/68z2
ejQwEguAn+uMx/IuX1nxVx47jK7DGsAyMeASLqIjofMst1ct0WuhQxyeAh7O4MA=
=H5/c
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161027/7973af63/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161027/7973af63/attachment-0001.key>

More information about the squid-users mailing list