[squid-users] squid-users Digest, Vol 30, Issue 3

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 2 13:08:40 UTC 2017


On 3/02/2017 1:22 a.m., Sergey Klusov wrote:
> 
>> Date: Thu, 2 Feb 2017 03:46:44 +1300
>> From: Amos Jeffries
>>
>> On 28/01/2017 12:36 a.m., Sergey Klusov wrote:
>>> Hello. I'm trying to get a transparent setup working that allows only certain
>>> domains, and have the problem that in order to allow https via "ssl_bump splice
>>> allowed_domains" I have to "http_access allow all", thus allowing all
>>> other http traffic through. Otherwise https traffic is not allowed at
>>> all.
>>>

...
>>>
>>> sslproxy_cert_error allow all
>>> sslproxy_flags DONT_VERIFY_PEER
>> Not good. Remember this is a security protocol you are playing around
>> with.
>>
>> Both of the above lines hide critical details you need to figure out
>> what is going wrong. They can be useful as a spot-check (only!) to
>> figure out if the problem is related to cert verification or something
>> else. But DO NOT use them for regular traffic, not even testing traffic.
>>
>> You may find that there are certain _specific_ errors that you need to
>> let through. Add the appropriate flags, SSL options, ACL checks and
>> sslproxy_cert_error lines for those as needed; don't just ignore all
>> possible errors like the above does.
> 
> this setup only purpose is to just allow clients to connect only to
> small set of certain sites
> i suppose client's browser will do all checks?

What the browser sees is the stuff inside the spliced connections. Which
does not go near these sslproxy_* directives.

sslproxy_* are for Squid<->Internet connections. Errors here will never
get seen by any browser and in your setup will probably be from wrongly
bump'ed traffic, so you better be aware of those problems.

...
>>
>> To fix it in a very targeted way add these lines (mind the wrap sorry):
>>
>>   acl rawIP dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443$
>>
>>
>>   acl bumpPort myportname 10.96.243.1:3129
>>
>>   http_access allow CONNECT bumpPort rawIP
> 
> i've worked around like this:
> 
> acl http_proto proto http
> http_access allow !http_proto
> 
> but will try your variant too
> thanks.

FYI: my ACLs were being very strict, ensuring 'allow' only for CONNECT
requests which are coming from the port with ssl-bump and are also going
to port 443 (HTTPS).

Just allowing all non-http:// URLs through the proxy is not much better
than 'allow all'.

Amos
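For reference, here is the allow-list approach from this thread written out as a squid.conf fragment. It is an added example, not configuration posted by Amos or Sergey; the listener address, certificate path and the example.com domains are placeholders, and the rawIP regex is the one from the thread with the mail wrap removed.

```squid
# Added example (not from the thread). Placeholders: 10.96.243.1:3129,
# /etc/squid/bump.pem and the example.com / example.net domains.

# --- Weak version from the original post: hides every peer-cert error
# on the Squid<->Internet side and admits every request. Do not use.
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER
#   http_access allow all

# --- Targeted version ---
# Intercepting listener; ssl-bump needs a cert even when only splicing.
https_port 10.96.243.1:3129 intercept ssl-bump cert=/etc/squid/bump.pem

acl CONNECT method CONNECT

# Intercepted HTTPS arrives as a fake CONNECT to a raw IP:443.
acl rawIP dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443$

# Only the listener that does ssl-bump (address:port, or its name= value).
acl bumpPort myportname 10.96.243.1:3129

# The small set of sites the proxy exists to reach.
acl allowed_domains dstdomain .example.com .example.net
acl allowed_sni ssl::server_name .example.com .example.net
acl step1 at_step SslBump1

# 1. Admit the fake CONNECT from the bump port only, so SslBump step 1
#    can read the SNI; Squid may re-check the CONNECT with the SNI host
#    at step 2, so allow that case too.
http_access allow CONNECT bumpPort rawIP
http_access allow CONNECT bumpPort allowed_sni
# 2. Plain http:// requests: allow-listed domains only.
http_access allow allowed_domains
http_access deny all

# Peek at the ClientHello, splice only allow-listed SNI, and close
# everything else without ever generating a fake certificate.
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate all

# No blanket sslproxy_cert_error / DONT_VERIFY_PEER. If one site
# genuinely needs an exception, scope it to that host and that error:
#   acl siteX dstdomain broken.example.org
#   acl selfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
#   sslproxy_cert_error allow siteX selfSigned
#   sslproxy_cert_error deny all
```

Because the spliced connections are never decrypted, the browser still performs its own certificate checks on them; the sslproxy_* directives only govern connections Squid itself opens to origin servers.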
