[squid-users] transparent http and https filter with white-list only

Wed Feb 1 14:46:44 UTC 2017

On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
> Hello. I'm trying to get working transparent setup allowing only certain
> domains and have problem that in order to allow https "ssl_bump splice
> allowed_domains" i have to "http_access allow all", thus allowing all
> other http traffic through. Otherwise https traffic is not allowed at all.
> 
> Here is my config:
> 

Some comments inline to improve it.

Also, what version of Squid are you using?
 I will assume that you are following the best practice advice and using
at least 3.5.19.  If not, please try to upgrade.

> =======config=======
> http_port 10.96.243.1:3128 intercept options=NO_SSLv3:NO_SSLv2
> http_port 10.96.243.1:3130 options=NO_SSLv3:NO_SSLv2

Setting SSL-related options on http_port's is not useful when they are
not doing SSL-Bump.

> https_port 10.96.243.1:3129 intercept ssl-bump
> options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off
> cert=/etc/squid/squidCA.pem
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> 
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 443         # https
> acl CONNECT method CONNECT
> 
> acl http_allow dstdomain "/etc/squid/http_allow_domains.txt"
> acl https_allow ssl::server_name "/etc/squid/https_allow_domains.txt"
> 
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

Not good. Remember this is a security protocol you are playing around with.

Both of the above lines hide critical details you need to figure out
what is going wrong. They can be useful as a spot-check (only!) to
figure out if the problem is related to cert verification or something
else. But DO NOT use them for regular traffic, not even testing traffic.

You may find that there are certain _specific_ errors that you need to
let through. Add the appropriate flags, SSL options, ACLs checks
sslproxy_cert_error lines for those as needed, dont just ignore all
possible errors like above does.

> 
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice https_allow
> ssl_bump terminate all
> 

Looks okay. Just to be clear you understand that:
 The above means that the TLS/SSL is spliced only if the client SNI
contains a domain in your whitelist.
 All other traffic will be terminated ... maybe with an HTTP error page.

> cache deny all
> 
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> 
> http_access allow all http_allow
> http_access allow all https_allow

The ssl::server_name ACL will not work outside of the ssl_bump
directive. Delete the above line.

Also, I am not seeing is any line which permits the raw-IP CONNECT
message which your Squid processes first to decide whether ssl_bump will
be applied to the intercepted TCP connections.

 That is why the "allow all" makes things "work". It lets those CONNECT
request through.

You can read the details about how bumping happens at
<http://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>
 The CONNECT request mentioned in step 1.ii is your problem.

To fix it in a very targeted way add these lines (mind the wrap sorry):

 acl rawIP dstdom_regex
^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|0-9\.]+)?\])):443$

 acl bumpPort myportname 10.96.243.1:3129

 http_access allow CONNECT bumpPort rawIP

> http_access deny all
> 
> always_direct allow all
> 

That always_direct line is not useful. Remove it.

HTH
Amos