Vieri rentorbuy at yahoo.com
Tue May 16 07:54:07 UTC 2017

> From: Alex Rousskov <rousskov at measurement-factory.com>
>> My goal is to set up Squid so it can act as a transparent proxy for
>> local clients browsing the web. It should "deny all" except traffic
>> to the destination domains included in an ACL file.
>> http_access deny intercepted !localnet
>> http_access deny interceptedssl !localnet
>> http_access deny !allowed_domains
>> http_access allow localnet
> ...
>> ssl_bump stare all
>> ssl_bump bump all
> You are denying fake CONNECT requests during SslBump step1. During that
> step, intercepted SSL connections are represented by fake CONNECT
> requests with IP addresses (not domain names). Such requests will often
> match your "http_access deny !allowed_domains" rule. See "Step 1"
> description at http://wiki.squid-cache.org/Features/SslPeekAndSplice
> What you probably want is to allow all reasonable fake CONNECT requests
> during that step. There are several ways to do that


Thanks for the explanation. I'm posting the whole squid.conf below as I wrongly left out some information in my first post. Sorry.
I didn't think I would have issues with CONNECT to port 443 because I already had the default "http_access deny CONNECT !SSL_ports".
However, http_access evaluation doesn't stop there: the rules keep being evaluated in order until one matches, so it went on until it reached "http_access deny !allowed_domains".
So I added the following explicit "allow" right before that "deny":
http_access allow CONNECT SSL_ports
http_access deny !allowed_domains

So here's the full config:

# grep -v "^#" squid.conf | grep -v "^$"
# Listing of the effective (non-comment, non-blank) lines of squid.conf;
# the original file's comments were stripped by the grep above.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# http_access rules are evaluated top to bottom until one matches, so the
# site-specific rules pulled in here run after the port/manager denies above
# and before the "allow localhost" / "deny all" fallbacks below.
include /etc/squid/squid.custom.rules
http_access allow localhost
# Anything not explicitly allowed by the included rules is denied here.
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# grep -v "^#" squid.custom.rules | grep -v "^$"
# Listeners: 3128 is the explicit (forward) proxy port; 3129 and 3130 are the
# tproxy intercept ports. Only 3130 carries the ssl-bump option, so the
# ssl_bump rules further down apply to connections on 3130 only.
http_port 3128
http_port 3129 tproxy
# generate-host-certificates=on: per-site certificates are minted on the fly
# and signed with the certificate in cert=... (presumably the local CA that
# clients trust). That file therefore holds a CA private key and should be
# readable by the squid user only.
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
external_acl_type nt_group ttl=0 children-max=10 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.mydomain.org at MYDOMAIN.ORG
auth_param negotiate children 60
auth_param negotiate keep_alive on
auth_param basic realm ORG proxy
# NOTE(review): the IPv4 address ranges on the next two lines appear to have
# been stripped from this listing (only the trailing comment survived);
# compare with the real file before relying on this copy.
acl localnet src     # RFC1918 possible internal network
acl localnet src # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl ORG_all proxy_auth REQUIRED
# One ACL per listening port, used below to apply different rules to
# explicit vs. intercepted traffic.
acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130
acl interceptednormal myportname 3131
acl interceptedsslnormal myportname 3132
acl allowed_ips src "/usr/local/share/proxy-settings/allowed.ips"
acl allowed_groups external nt_group "/usr/local/share/proxy-settings/allowed.groups"
acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
acl allowed_domains dstdomain "/usr/local/share/proxy-settings/allowed.domains"
acl denied_ads url_regex "/usr/local/share/proxy-settings/denied.ads"
acl denied_filetypes urlpath_regex -i "/usr/local/share/proxy-settings/denied.filetypes"
acl restricted_ips src "/usr/local/share/proxy-settings/restricted.ips"
acl restricted_groups external nt_group "/usr/local/share/proxy-settings/restricted.groups"
acl restricted_domains dstdomain "/usr/local/share/proxy-settings/restricted.domains"
http_access deny restricted_ips !restricted_domains
http_access deny restricted_groups !restricted_domains
http_access deny denied_domains !allowed_groups !allowed_ips
http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
http_access deny denied_ads !allowed_groups !allowed_ips
http_access deny denied_filetypes !allowed_groups !allowed_ips
# Explicit-proxy clients must authenticate; intercepted clients must come
# from localnet.
http_access deny explicit !ORG_all
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny interceptedsslnormal !localnet
http_access deny interceptednormal !localnet
# Lets the fake CONNECT requests that represent intercepted TLS connections
# at SslBump step1 (IP address, no domain name yet) through, so they are not
# caught by the domain whitelist on the next line.
# NOTE(review): this line also matches real CONNECT requests from
# authenticated explicit clients on port 3128. That port has no ssl-bump
# option, so those tunnels are not decrypted and are never re-checked
# against allowed_domains -- confirm that bypass is intended.
http_access allow CONNECT SSL_ports
http_access deny !allowed_domains
cache_mgr it at mydomain.org
email_err_data on
error_directory /usr/share/squid/errors/ORG
append_domain .mydomain.org
http_access allow localnet
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 10
# Bumps every intercepted TLS connection without a peek step. The wiki
# example referenced in the message ("acl step1 at_step SslBump1" /
# "ssl_bump peek step1") peeks at step1 first so the server name is known
# before deciding to bump.
ssl_bump stare all
ssl_bump bump all
# NOTE(review): "allow all" here tells Squid to ignore every upstream server
# certificate error (untrusted issuer, expired, name mismatch). Because bumped
# clients only ever see the locally generated certificate, they cannot detect
# a bad origin certificate themselves -- this effectively disables TLS server
# authentication for all bumped traffic. Prefer a narrow ACL, or none.
sslproxy_cert_error allow all
always_direct allow all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
# NOTE(review): the ICAP service URL appears truncated in this listing
# (ends at "icap://"); bypass=0 means a failing service blocks responses
# rather than letting them through unscanned.
icap_service squidclamav respmod_precache bypass=0 icap://
adaptation_access squidclamav allow all
include /etc/squid/squid.custom.common
include /etc/squid/squid.custom.hide
cache_dir diskd /var/cache/squid 100 16 256

# grep -v "^#" squid.custom.hide | grep -v "^$"
# Information-hiding settings: drop the proxy's version banner and the Via /
# X-Forwarded-For headers so origin servers do not learn about the proxy or
# the client's internal address.
httpd_suppress_version_string on
dns_v4_first on
via off
forwarded_for off
# Request-header whitelist: every header named here is forwarded unchanged;
# the final "All deny all" strips any header not listed above it.
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
# Cookie and Authorization (above) are passed through, so credentials still
# reach origin servers; only unlisted headers are removed.
request_header_access Cookie allow all
request_header_access All deny all

So this setup is a mixed explicit/transparent proxy. Right now, I'm just trying to focus on the transparent part only.
The goal is to allow http/https traffic to allowed_domains only and to force content analysis via ICAP (clamav) of both http and https content.

The above config now seems to work and I can only access sites listed in allowed_domains. I just hope I have understood it all correctly.

BTW I've seen the example at http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit where it suggests to use:

acl step1 at_step SslBump1
ssl_bump peek step1

Should I be using that instead of "ssl_bump stare all"?

Which "other configuration aspects are wrong", as you say?

Are you referring to "sslproxy_cert_error allow all" or are there more?

# squid -version
Squid Cache: Version 3.5.14
Service Name: squid
configure options:  '--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--libdir=/usr/lib' '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid' '--localstatedir=/var' '--with-pidfile=/run/squid.pid' '--datadir=/usr/share/squid' '--with-logdir=/var/log/squid' '--with-default-user=squid' '--enable-removal-policies=lru,heap' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-disk-io' '--enable-auth-basic=MSNT-multi-domain,NCSA,POP3,getpwnam,SMB,LDAP,PAM,RADIUS' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-ntlm=smb_lm' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=file_userip,session,unix_group,wbinfo_group,LDAP_group,eDirectory_userip,kerberos_ldap_group' '--enable-log-daemon-helpers' '--enable-url-rewrite-helpers' '--enable-cache-digests' '--enable-delay-pools' '--enable-eui' '--enable-icmp' '--enable-follow-x-forwarded-for' '--with-large-files' '--disable-strict-error-checking' '--disable-arch-native' '--with-ltdl-includedir=/usr/include' '--with-ltdl-libdir=/usr/lib' '--with-libcap' '--enable-ipv6' '--disable-snmp' '--with-openssl' '--with-nettle' '--with-gnutls' '--enable-ssl-crtd' '--disable-ecap' '--disable-esi' '--enable-htcp' '--enable-wccp' '--enable-wccpv2' '--enable-linux-netfilter' '--with-mit-krb5' '--without-heimdal-krb5' 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CC=i686-pc-linux-gnu-gcc' 'CFLAGS=-O2 -march=i686 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed' 'CXXFLAGS=-O2 -march=i686 -pipe' 'PKG_CONFIG_PATH=/usr/lib/pkgconfig'



