[squid-users] squid-users Digest, Vol 30, Issue 3

Sergey Klusov snklusov at gmail.com
Thu Feb 2 12:22:34 UTC 2017

> Date: Thu, 2 Feb 2017 03:46:44 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] transparent http and https filter with
> 	white-list only
> Message-ID: <1d01efe0-83f8-2a91-c0ac-fd8ef769276f at treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>> Hello. I'm trying to get working transparent setup allowing only certain
>> domains and have problem that in order to allow https "ssl_bump splice
>> allowed_domains" i have to "http_access allow all", thus allowing all
>> other http traffic through. Otherwise https traffic is not allowed at all.
>> Here is my config:
> Some comments inline to improve it.
> Also, what version of Squid are you using?
>   I will assume that you are following the best practice advice and using
> at least 3.5.19.  If not, please try to upgrade.
just installed from centos7 repo, using yum
Squid Cache: Version 3.5.20

>> =======config=======
>> http_port intercept options=NO_SSLv3:NO_SSLv2
>> http_port options=NO_SSLv3:NO_SSLv2
> Setting SSL-related options on http_port's is not useful when they are
> not doing SSL-Bump.

ok. just copy-pasted from some internet site about ssl_bump

>> https_port intercept ssl-bump
>> options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off
>> cert=/etc/squid/squidCA.pem
>> acl localnet src     # RFC1918 possible internal network
>> acl SSL_ports port 443
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 443         # https
>> acl CONNECT method CONNECT
>> acl http_allow dstdomain "/etc/squid/http_allow_domains.txt"
>> acl https_allow ssl::server_name "/etc/squid/https_allow_domains.txt"
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
> Not good. Remember this is a security protocol you are playing around with.
> Both of the above lines hide critical details you need to figure out
> what is going wrong. They can be useful as a spot-check (only!) to
> figure out if the problem is related to cert verification or something
> else. But DO NOT use them for regular traffic, not even testing traffic.
> You may find that there are certain _specific_ errors that you need to
> let through. Add the appropriate flags, SSL options, ACLs checks
> sslproxy_cert_error lines for those as needed, dont just ignore all
> possible errors like above does.

this setup only purpose is to just allow clients to connect only to 
small set of certain sites
i suppose client's browser will do all checks?

>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump splice https_allow
>> ssl_bump terminate all
> Looks okay. Just to be clear you understand that:
>   The above means that the TLS/SSL is spliced only if the client SNI
> contains a domain in your whitelist.
>   All other traffic will be terminated ... maybe with an HTTP error page.
That's all i need. In fact i would prefer to not use squid at all for 
that purpose, but can't find any good free DPI solution.

>> cache deny all
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow all http_allow
>> http_access allow all https_allow
> The ssl::server_name ACL will not work outside of the ssl_bump
> directive. Delete the above line.

> Also, I am not seeing is any line which permits the raw-IP CONNECT
> message which your Squid processes first to decide whether ssl_bump will
> be applied to the intercepted TCP connections.
>   That is why the "allow all" makes things "work". It lets those CONNECT
> request through.
> You can read the details about how bumping happens at
> <http://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>
>   The CONNECT request mentioned in step 1.ii is your problem.
> To fix it in a very targeted way add these lines (mind the wrap sorry):
>   acl rawIP dstdom_regex
> ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|0-9\.]+)?\])):443$
>   acl bumpPort myportname
>   http_access allow CONNECT bumpPort rawIP

i've worked around like this:

acl http_proto proto http
http_access allow !http

but will try your variant too

>> http_access deny all
>> always_direct allow all
> That always_direct line is not useful. Remove it.

More information about the squid-users mailing list