[squid-users] Non intrusive sslbump for whitelisting (asked many times but..)

A. Benz ash.benz at bk.ru
Tue Nov 7 23:18:13 UTC 2017


Hi all,


## Intro

I read many blogs and emails on this list related to what I'm trying to 
do, but most go into bumping or do things that are not as simple as I'm 
trying to achieve.

I have an extremely slow line, with very high latency in a remote 
location. About 14 people are sharing this line. Nowadays with all the 
mobile apps trying to sync and such, the line stalls to unusable all the 
time.

I tried doing filters with firewall or dns level, but those are not 
effective. In the end I figured squid might be my best option.

## End intro


I have squid 3.5.27 running under LEDE (OpenWrt fork), ie its 
cross-compiled for a MIPS based SoC (mediatek mt7621). I mention this 
because you will see some options in the config file that won't make 
sense otherwise.

It works great, here's what I'm trying to achieve: Allow access only to 
a pre-defined list of websites (whitelist). http is straightforward, but 
if the connection is https all I need to know is domain, if its allowed, 
let it pass, otherwise terminate.

this setup is working as intended with the config attached below, 
however the issue I'm facing is that some servers are "loadbalanced", 
this would give me the forgery error, eg:

"SECURITY ALERT: Host header forgery detected on...."

Here's a specific example, there's a corporate domain for webmail 
access, and some loadbalance config makes use of different IPs, I think 
this is what triggers the error. My question is, can I just ignore this 
error somehow and allow the connection? From what I gather this 
connection is cut by squid before it reaches the client..

Also if there's anything else obviously wrong with my setup please let 
me know.

Many thanks.


Here's my config:


### squid.conf begin

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16

acl ssl_ports port 443

acl safe_ports port 80
acl safe_ports port 443
acl connect method connect
acl http_whitelist dstdomain "/etc/squid/whitelist.txt"
acl https_whitelist ssl::server_name "/etc/squid/whitelist.txt"
acl ips_whitelist dst "/etc/squid/ips.txt"

http_port 3128 intercept
http_port 3129

http_access deny !safe_ports
http_access deny connect !ssl_ports
http_access allow ssl_ports
http_access allow http_whitelist
http_access allow ips_whitelist
http_access deny all

https_port 3130 intercept ssl-bump \
	cert=/etc/squid/myCA.pem \
	generate-host-certificates=off dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump splice https_whitelist
ssl_bump splice ips_whitelist
ssl_bump terminate all


refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache deny all
access_log none
cache_log /dev/null
cache_store_log stdio:/dev/null
logfile_rotate 0

logfile_daemon /dev/null
coredump_dir /tmp/squid
visible_hostname main_Firewall
pinger_enable off
mime_table /tmp/squid/mime.conf
sslcrtd_program /usr/lib/squid/ssl_crtd -s /tmp/squid/ssldb -M 4MB

## config file end.




## whitelist.txt begin

.nokia.com

## whitelist.txt end.
-- 

Regards,
A. Benz


More information about the squid-users mailing list