[squid-users] HTTPS sites specifics URL

Dante F. B. Colò dante01010 at gmail.com
Tue Feb 7 15:04:11 UTC 2017


Hi Leonardo,

Thanks for your reply. I tried SSL Bump in both client-first and 
server-first modes, and neither worked. The Squid version is 3.4.14, running 
on OpenBSD 5.6 and 5.7 test boxes. I also increased the log verbosity of 
the URL Parsing debug section to 9 to see if it shows something useful. 
I'll post my squid.conf and the debug output from cache.log here; if you 
have any suggestion, please tell me.

2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile: 
skipped duplicate profile: asndb
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile: 
skipped duplicate profile: carp
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile: 
skipped duplicate profile: userhash
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile: 
skipped duplicate profile: sourcehash
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile: 
skipped duplicate profile: server_list
2016/12/06 19:32:39.446 kid1| Finished loading MIME types and icons.
2016/12/06 19:32:39.469 kid1| src/base/AsyncCallQueue.cc(51) fireNext: 
entering clientListenerConnectionOpened(local=172.17.198.19:3128 
remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
2016/12/06 19:32:39.470 kid1| src/base/AsyncCall.cc(30) make: make call 
clientListenerConnectionOpened [call27542]
2016/12/06 19:32:39.470 kid1| Accepting SSL bumped HTTP Socket 
connections at local=172.17.198.19:3128 remote=[::] FD 18 flags=9
2016/12/06 19:32:39.470 kid1| src/base/AsyncCallQueue.cc(53) fireNext: 
leaving clientListenerConnectionOpened(local=172.17.198.19:3128 
remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(220) doAccept: New 
connection on FD 18
2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(295) acceptNext: 
connection on local=172.17.198.19:3128 remote=[::] FD 18 flags=9
2016/12/06 19:33:05.727 kid1| src/client_side.cc(2407) parseHttpRequest: 
HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9 flags=1
2016/12/06 19:33:05.727 kid1| src/client_side.cc(2408) parseHttpRequest: 
HTTP Client REQUEST:
---------
CONNECT www.sans.org:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) 
Gecko/20100101 Firefox/45.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: www.sans.org:443
Proxy-Authorization: Basic amVjYS50YXR1OjEyMzQ=


----------
2016/12/06 19:33:05.727 kid1| src/url.cc(386) urlParse: urlParse: Split 
URL 'www.sans.org:443' into proto='', host='www.sans.org', port='443', 
path=''
2016/12/06 19:33:05.727 kid1| Starting new basicauthenticator helpers...
2016/12/06 19:33:05.727 kid1| helperOpenServers: Starting 1/8 
'basic_ncsa_auth' processes
2016/12/06 19:33:05.762 kid1| src/auth/User.cc(342) addIp: user 
'jeca.tatu' has been seen at a new IP address (172.17.200.11:50974)
2016/12/06 19:33:05.763 kid1| src/client_side_request.cc(759) 
clientAccessCheckDone: The request CONNECT www.sans.org:443 is DENIED; 
last ACL checked: all
2016/12/06 19:33:05.763 kid1| src/errorpage.cc(1278) BuildContent: No 
existing error page language negotiated for ERR_ACCESS_DENIED. Using 
default error file.
2016/12/06 19:33:05.764 kid1| src/store.cc(1011) checkCachable: 
StoreEntry::checkCachable: NO: not cachable
2016/12/06 19:33:05.764 kid1| src/client_side.cc(785) setAuth: Adding 
connection-auth to local=172.17.198.19:3128 remote=172.17.200.11:50974 
FD 9 flags=1 from SSL-bumped CONNECT
2016/12/06 19:33:05.767 kid1| src/client_side.cc(3562) 
clientNegotiateSSL: clientNegotiateSSL: Session 0x8b414f73400 reused on 
FD 9 (172.17.200.11:50974)
2016/12/06 19:33:05.768 kid1| src/client_side.cc(2407) parseHttpRequest: 
HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9 flags=1
2016/12/06 19:33:05.768 kid1| src/client_side.cc(2408) parseHttpRequest: 
HTTP Client REQUEST:
---------
GET /programs HTTP/1.1
Host: www.sans.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) 
Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 
QSI_HistorySession=http%3A%2F%2Fwww.sans.org%2Fprograms~1486478958014
Connection: keep-alive


----------
2016/12/06 19:33:05.768 kid1| src/url.cc(386) urlParse: urlParse: Split 
URL 'https://www.sans.org/programs' into proto='https', 
host='www.sans.org', port='443', path='/programs'
2016/12/06 19:33:05.768 kid1| src/client_side_reply.cc(1969) 
processReplyAccessResult: The reply for GET 
https://www.sans.org/programs is ALLOWED, because it matched 
'(access_log daemon:/var/squid/logs/access.log line)'
2016/12/06 19:33:05.769 kid1| src/client_side.cc(1459) 
sendStartOfMessage: HTTP Client local=172.17.198.19:3128 
remote=172.17.200.11:50974 FD 9 flags=1
2016/12/06 19:33:05.769 kid1| src/client_side.cc(1460) 
sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.4.12
Mime-Version: 1.0
Date: Tue, 06 Dec 2016 21:33:05 GMT
Content-Type: text/html
Content-Length: 3342
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from openbsd57vm01
Via: 1.1 openbsd57vm01 (squid/3.4.12)
Connection: close

#################################################################

my squid.conf

cache_dir ufs /var/squid/cache 2048 16 256
cache_log /var/squid/logs/cache.log
cache_store_log daemon:/var/squid/logs/store.log
cache_mem 256 mb
max_filedescriptors 32768
acl eu src 172.17.200.11
acl SSL_ports port 443
acl CONNECT method CONNECT
debug_options ALL,2 23,9
http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth 
/etc/squid/squid-passwd
auth_param basic children 8
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
acl jeca.tatu proxy_auth jeca.tatu
acl restrito url_regex -i  "/etc/squid/acl/restrito"
http_access allow password jeca.tatu restrito
http_access deny all

http_port 172.17.198.19:3128 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=8MB key=/etc/squid/pki/test.private 
cert=/etc/squid/pki/test.cert
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
always_direct allow all
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_cert_error allow BadSite
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db 
-M 8MB
sslcrtd_children 7 startup=1 idle=1

coredump_dir /var/squid/cache


refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320




On 2/6/17 2:28 PM, Leonardo Rodrigues wrote:
>
>     That's correct: when not using the SSL-Bump feature (that's the one 
> you're looking for), squid will only see the domain part. All the rest 
> of the URL is encrypted and visible only to the client (browser) and the 
> server on the other side, the only two parties involved in that crypto 
> session.
>
>     To enable squid to see the whole URL and be able to do full 
> filtering on HTTPS requests, you're looking for the SSL-Bump feature. 
> Google for it; there are a LOT of tutorials and mailing list messages on 
> that.
>
>
> On 06/02/17 12:40, Dante F. B. Colò wrote:
>> Hello Everyone,
>>
>> I have a question, probably a noob one. I'm trying to allow some 
>> https sites with specific URLs (I mean 
>> https://domain.tld/blablabla), but https sites are working only with 
>> the domain part. What do I have to do to make this work?
>>
>
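Added example (editor's illustration, not code from the thread or from the Squid project). The cache.log excerpt above shows the two URL shapes Squid's ACLs see: the CONNECT is parsed as `'www.sans.org:443'` with an empty proto and path and is DENIED by `all`, while the bumped GET is parsed as `'https://www.sans.org/programs'`. The script below models how Squid walks `http_access` lines (first line whose ACLs all match wins, `!` negates, and when nothing matches the result is the opposite of the last line) against the auth- and URL-related rules from the posted squid.conf. The contents of `/etc/squid/acl/restrito` are not on the page, so `RESTRITO_PATTERNS` is a constructed stand-in containing one full-URL regex; the `ADJUSTED_RULES` ordering that admits the CONNECT for `SSL_ports` before the bumped request is filtered by `restrito` is an assumption used to contrast the two outcomes, not a recommendation from the list.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The string Squid's url_regex ACL matches: for CONNECT it is "host:port"
# (proto='' path='' in the urlParse log line); after bumping it is the full URL.
@dataclass
class Request:
    method: str
    url: str
    user: Optional[str]   # authenticated proxy user, None if no credentials
    port: int

# Constructed stand-in for /etc/squid/acl/restrito (real file content unknown).
# url_regex -i reads one case-insensitive pattern per line.
RESTRITO_PATTERNS = [r"^https://www\.sans\.org/programs"]

def acl_url_regex(req: Request, patterns: List[str]) -> bool:
    return any(re.search(p, req.url, re.IGNORECASE) for p in patterns)

def acl_proxy_auth_required(req: Request, _arg) -> bool:
    return req.user is not None                     # acl password proxy_auth REQUIRED

def acl_proxy_auth_user(req: Request, name: str) -> bool:
    return req.user == name                         # acl jeca.tatu proxy_auth jeca.tatu

def acl_method(req: Request, m: str) -> bool:
    return req.method == m                          # acl CONNECT method CONNECT

def acl_port(req: Request, p: int) -> bool:
    return req.port == p                            # acl SSL_ports port 443

def acl_all(req: Request, _arg) -> bool:
    return True

ACLS: dict = {
    "password":  (acl_proxy_auth_required, None),
    "jeca.tatu": (acl_proxy_auth_user, "jeca.tatu"),
    "restrito":  (acl_url_regex, RESTRITO_PATTERNS),
    "CONNECT":   (acl_method, "CONNECT"),
    "SSL_ports": (acl_port, 443),
    "all":       (acl_all, None),
}

# http_access lines from the posted squid.conf that bear on this request
# (Safe_ports / manager lines are omitted because they are not what denies it).
POSTED_RULES = [
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["password", "jeca.tatu", "restrito"]),
    ("deny",  ["all"]),
]

# Assumed alternative ordering: let the authenticated user's CONNECT to 443
# through so it can be bumped, then apply the URL filter to the decrypted GET.
ADJUSTED_RULES = [
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["password", "jeca.tatu", "CONNECT", "SSL_ports"]),
    ("allow", ["password", "jeca.tatu", "restrito"]),
    ("deny",  ["all"]),
]

def http_access(rules, req: Request) -> Tuple[str, str]:
    """Return (action, matching line). Mirrors Squid's evaluation order:
    the first line on which every ACL matches decides; '!' negates an ACL."""
    for action, acl_names in rules:
        matched = True
        for name in acl_names:
            negate = name.startswith("!")
            fn, arg = ACLS[name.lstrip("!")]
            if fn(req, arg) == negate:      # ACL failed, or negated ACL matched
                matched = False
                break
        if matched:
            return action, f"{action} {' '.join(acl_names)}"
    # Squid's documented fallback when no line matches: opposite of the last line.
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), "implicit default"

# Constructed requests shaped like the two urlParse lines in the log excerpt.
CONNECT_REQ = Request("CONNECT", "www.sans.org:443", "jeca.tatu", 443)
BUMPED_GET  = Request("GET", "https://www.sans.org/programs", "jeca.tatu", 443)
OTHER_GET   = Request("GET", "https://www.sans.org/about", "jeca.tatu", 443)

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("adjusted", ADJUSTED_RULES)):
        for req in (CONNECT_REQ, BUMPED_GET, OTHER_GET):
            print(f"{label:8} {req.method:7} {req.url:35} -> {http_access(rules, req)}")
```

With the posted ordering the CONNECT never reaches the full-URL regex (`www.sans.org:443` does not match `^https://...`) and falls through to `deny all`, which is exactly the "last ACL checked: all" line in the log; the decrypted GET would have matched, but it is only seen once the tunnel has been established and bumped. In the adjusted ordering the CONNECT is admitted, and the per-URL filter then still denies a bumped request to a path outside the list.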
