[squid-users] squid-users Digest, Vol 30, Issue 3
snklusov at gmail.com
Thu Feb 2 12:22:34 UTC 2017
> Date: Thu, 2 Feb 2017 03:46:44 +1300
> From: Amos Jeffries <squid3 at treenet.co.nz>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] transparent http and https filter with
> white-list only
> Message-ID: <1d01efe0-83f8-2a91-c0ac-fd8ef769276f at treenet.co.nz>
> Content-Type: text/plain; charset=utf-8
> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>> Hello. I'm trying to get a working transparent setup allowing only certain
>> domains and have the problem that in order to allow https "ssl_bump splice
>> allowed_domains" I have to "http_access allow all", thus allowing all
>> other http traffic through. Otherwise https traffic is not allowed at all.
>> Here is my config:
> Some comments inline to improve it.
> Also, what version of Squid are you using?
> I will assume that you are following the best practice advice and using
> at least 3.5.19. If not, please try to upgrade.
Just installed from the CentOS 7 repo, using yum:
Squid Cache: Version 3.5.20
>> http_port 10.96.243.1:3128 intercept options=NO_SSLv3:NO_SSLv2
>> http_port 10.96.243.1:3130 options=NO_SSLv3:NO_SSLv2
> Setting SSL-related options on http_port's is not useful when they are
> not doing SSL-Bump.
Ok. Just copy-pasted from some internet site about ssl_bump.
>> https_port 10.96.243.1:3129 intercept ssl-bump
>> options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 443 # https
>> acl CONNECT method CONNECT
>> acl http_allow dstdomain "/etc/squid/http_allow_domains.txt"
>> acl https_allow ssl::server_name "/etc/squid/https_allow_domains.txt"
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
> Not good. Remember this is a security protocol you are playing around with.
> Both of the above lines hide critical details you need to figure out
> what is going wrong. They can be useful as a spot-check (only!) to
> figure out if the problem is related to cert verification or something
> else. But DO NOT use them for regular traffic, not even testing traffic.
> You may find that there are certain _specific_ errors that you need to
> let through. Add the appropriate flags, SSL options, ACL checks and
> sslproxy_cert_error lines for those as needed; don't just ignore all
> possible errors like the above does.
This setup's only purpose is to allow clients to connect to a small set
of certain sites.
I suppose the client's browser will do all the checks?
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> ssl_bump splice https_allow
>> ssl_bump terminate all
> Looks okay. Just to be clear you understand that:
> The above means that the TLS/SSL is spliced only if the client SNI
> contains a domain in your whitelist.
> All other traffic will be terminated ... maybe with an HTTP error page.
That's all I need. In fact I would prefer not to use squid at all for
that purpose, but can't find any good free DPI solution.
>> cache deny all
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access allow all http_allow
>> http_access allow all https_allow
> The ssl::server_name ACL will not work outside of the ssl_bump
> directive. Delete the above line.
> Also, I am not seeing any line which permits the raw-IP CONNECT
> message which your Squid processes first to decide whether ssl_bump will
> be applied to the intercepted TCP connections.
> That is why the "allow all" makes things "work". It lets those CONNECT
> requests through.
> You can read the details about how bumping happens at
> The CONNECT request mentioned in step 1.ii is your problem.
> To fix it in a very targeted way add these lines (mind the wrap sorry):
> acl rawIP dstdom_regex
> acl bumpPort myportname 10.96.243.1:3129
> http_access allow CONNECT bumpPort rawIP
I've worked around it like this:
# ACL for plain-HTTP requests; the intercepted CONNECTs do not match it
acl http_proto proto http
http_access allow !http_proto
but I will try your variant too.
>> http_access deny all
>> always_direct allow all
> That always_direct line is not useful. Remove it.
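For reference, here is one consolidated squid.conf that puts the advice above together. This is an added example, not a configuration posted in the thread; the rawIP pattern, the `name=bumpPort` port name and the `localnet` restriction on plain HTTP are assumptions of this example.

```conf
# Added example (not from the thread): one consolidated squid.conf for 3.5.x
# reconciling the advice above. The rawIP pattern, the port name and the
# localnet restriction on plain HTTP are assumptions of this example.

# Plain HTTP is intercepted here; TLS options do nothing on an http_port.
http_port 10.96.243.1:3128 intercept
# Intercepted TLS. name= gives myportname something stable to match.
https_port 10.96.243.1:3129 intercept ssl-bump name=bumpPort options=NO_SSLv3:NO_SSLv2 connection-auth=off

acl localnet   src 10.0.0.0/8
acl SSL_ports  port 443
acl Safe_ports port 80 443
acl CONNECT    method CONNECT
acl step1      at_step SslBump1
acl bumpPort   myportname bumpPort

# Whitelists, one domain per line. ssl::server_name only works in ssl_bump.
acl http_allow  dstdomain        "/etc/squid/http_allow_domains.txt"
acl https_allow ssl::server_name "/etc/squid/https_allow_domains.txt"

# The fake CONNECT Squid builds for an intercepted TLS connection names the
# raw destination IP, not a hostname. Assumed pattern; -n skips reverse DNS.
acl rawIP dstdom_regex -n ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

# http_access: first match wins, and it runs before ssl_bump.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Let only the raw-IP CONNECT arriving on the bump port through; the
# ssl_bump rules below decide its fate once the SNI has been peeked.
# This replaces "http_access allow all".
http_access allow localnet CONNECT bumpPort rawIP
# Plain HTTP: whitelist only.
http_access allow localnet http_allow
http_access deny all

# ssl_bump: peek at the ClientHello, splice whitelisted SNI, drop the rest.
ssl_bump peek step1
ssl_bump splice https_allow
ssl_bump terminate all

# Deliberately absent: "sslproxy_cert_error allow all" and
# "sslproxy_flags DONT_VERIFY_PEER". Splice/terminate never impersonates
# the server; the client's browser verifies the server certificate itself.
cache deny all
```

Run `squid -k parse` after editing to catch undefined ACL names such as the `!http` reference in the workaround above.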