[squid-users] block user agent

Vieri rentorbuy at yahoo.com
Mon Nov 20 08:45:40 UTC 2017


________________________________
From: Alex Rousskov <rousskov at measurement-factory.com>
>
> You may be conflating two very different goals:
>
>   A) Understanding why Squid does X.
>   B) Configuring Squid to do what you want.
>
> My response was focused on the former. Once you understand, you can
> probably accomplish the latter on your own.


You are absolutely right. I'd like to understand how Squid *access rules work.


To put it bluntly, http_access and http_reply_access rules are processed one after another as they appear in squid.conf. It "exits" the sequence (i.e. stops going through each http_*access rule) as soon as it hits a match.


The http_*access rules take ACLs which can be AND'ed if the conditions are on one line, or OR'ed if they are on separate lines.
e.g.
http_access allow goodAgents !baddomains (AND)
#--
http_access allow goodAgents
http_access deny baddomains (OR)

>> My goal is to deny all client traffic from browsers that DO NOT have
>> a specific user-agent string. So this is a negated statement.
>
> There is no need to use negation for that. If the goodAgents ACL matches
> requests with "specific user-agent string", then you can do this:
>
>   http_access allow goodAgents
>   http_access deny all
> 
> As you can see, there is no ACL negation or negative ACLs.


I understand your example, but unfortunately, I was looking for something else. It's my mistake because I started this thread with basic, stripped-down examples without giving details on what I need to achieve. I wasn't doing ACL negation just for kicks. It's because I need to integrate it into a broader setup.

Your example "works", but Squid will match "goodAgent" in your first line, and exit without going on. I need to apply other rules afterwards. In other words, my intention was to first filter based on the UA string, and block all except e.g. MyAllowedUAstring. From then on, I need to apply the rest of my rules.

>> clientAccessCheckDone: The request CONNECT 89.16.167.134:443 is DENIED; last ACL checked: allowed_useragent
> 
> As you can see, your CONNECT request was denied (because it lacks the
> User-Agent header). The rest does not matter much (for now), but Squid
> bumps the connection to serve the error page in response to the first
> bumped HTTP request (regardless of what that first bumped HTTP request
> looks like).

So... What is the security implication of allowing all CONNECT messages to port 443?

The following acl + access rules I set up actually "work" as in my previous "example 2". I simply allowed the CONNECT messages. Here's most of my squid.conf file:


acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem sslflags=NO_DEFAULT_CA
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10
cache_dir diskd /var/cache/squid 32 16 256

external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K

auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy-server1.mydomain.org@mydomain.org
auth_param negotiate children 60
auth_param negotiate keep_alive on

acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16

acl ORG_all proxy_auth REQUIRED

external_acl_type bllookup ttl=86400 negative_ttl=86400 children-max=80 children-startup=10 children-idle=3 concurrency=8 %PROTO %DST %PORT %PATH /opt/custom/scripts/run/scripts/firewall/ext_sql_blwl_acl.pl --table=shallalist_bl --categories=adv,aggressive,alcohol,anonvpn,automobile_bikes,automobile_boats,automobile_cars,automobile_planes,chat,costtraps,dating,drugs,dynamic,finance_insurance,finance_moneylending,finance_other,finance_realestate,finance_trading,fortunetelling,forum,gamble,hacking,hobby_cooking,hobby_games-misc,hobby_games-online,hobby_gardening,hobby_pets,homestyle,imagehosting,isp,jobsearch,military,models,movies,music,podcasts,politics,porn,radiotv,recreation_humor,recreation_martialarts,recreation_restaurants,recreation_sports,recreation_travel,recreation_wellness,redirector,religion,remotecontrol,ringtones,science_astronomy,science_chemistry,sex_education,sex_lingerie,shopping,socialnet,spyware,tracker,updatesites,urlshortener,violence,warez,weapons,webphone,webradio,webtv
acl allowed_ips src "/opt/custom/proxy-settings/allowed.ips"
acl allowed_extra1_ips src "/opt/custom/proxy-settings/allowed.extra1.ips"
acl allowed_groups external nt_group "/opt/custom/proxy-settings/allowed.groups"
acl allowed_domains dstdomain "/opt/custom/proxy-settings/allowed.domains"
acl allowed_domains_filetypes dstdomain "/opt/custom/proxy-settings/allowed.domains.filetypes"
acl allowed_domains_mimetypes dstdomain "/opt/custom/proxy-settings/allowed.domains.mimetypes"
acl denied_domains dstdomain -i "/opt/custom/proxy-settings/denied.domains"
acl denied_extra1_domains dstdomain -i "/opt/custom/proxy-settings/denied.extra1.domains"
acl denied_ads url_regex "/opt/custom/proxy-settings/denied.ads"
acl denied_filetypes urlpath_regex -i "/opt/custom/proxy-settings/denied.filetypes"
acl denied_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.mimetypes"
acl denied_extra1_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.extra1.mimetypes"
acl denied_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.mimetypes"
acl denied_extra1_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.extra1.mimetypes"
acl denied_restricted1_mimetypes_req req_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
acl denied_restricted1_mimetypes_rep rep_mime_type -i "/opt/custom/proxy-settings/denied.restricted1.mimetypes"
acl allowed_restricted1_domains dstdomain -i "/opt/custom/proxy-settings/allowed.restricted1.domains"
acl allowed_restricted1_ips dst "/opt/custom/proxy-settings/allowed.restricted1.ips"
acl restricted_ips src "/opt/custom/proxy-settings/restricted.ips"
acl restricted_groups external nt_group "/opt/custom/proxy-settings/restricted.groups"
acl restricted_domains dstdomain "/opt/custom/proxy-settings/restricted.domains"
acl bl_lookup external bllookup
acl denied_urlshorteners dstdomain -i "/etc/squidGuard/db/HMANshallalist/urlshortener/domains"

acl allowed_useragent browser MyAllowedUAstring

http_access deny explicit !ORG_all
http_access deny explicit SSL_ports
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

http_access allow CONNECT SSL_ports
http_access deny !allowed_useragent
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_useragent allowed_useragent

http_access allow localnet !restricted_ips allowed_domains
http_access allow localnet !restricted_ips allowed_ips
http_reply_access allow localnet !restricted_ips allowed_ips
http_reply_access allow localnet !restricted_ips allowed_domains
http_access allow restricted_ips restricted_domains
http_access deny restricted_ips

http_access deny !allowed_ips denied_urlshorteners
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_urlshorteners denied_urlshorteners

http_access allow denied_restricted1_mimetypes_req allowed_restricted1_domains
http_access allow denied_restricted1_mimetypes_req allowed_restricted1_ips
http_reply_access allow denied_restricted1_mimetypes_rep allowed_restricted1_domains
http_reply_access allow denied_restricted1_mimetypes_rep allowed_restricted1_ips

http_access allow denied_extra1_mimetypes_req allowed_extra1_ips denied_extra1_domains
http_reply_access allow denied_extra1_mimetypes_rep allowed_extra1_ips denied_extra1_domains

http_access deny denied_restricted1_mimetypes_req
http_reply_access deny denied_restricted1_mimetypes_rep
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_restricted1_mimetypes_rep
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_restricted1_mimetypes_req

http_access deny denied_extra1_mimetypes_req
http_reply_access deny denied_extra1_mimetypes_rep
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_extra1_mimetypes_req
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_extra1_mimetypes_rep

http_access deny !allowed_ips denied_domains
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_domains denied_domains

http_access allow allowed_extra1_ips denied_extra1_domains
http_access deny denied_extra1_domains
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_extra1_domains denied_extra1_domains

http_access deny denied_filetypes !allowed_domains_filetypes
http_reply_access deny denied_filetypes !allowed_domains_filetypes
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_filetypes denied_filetypes

http_access deny denied_mimetypes_req !allowed_domains_mimetypes
http_reply_access deny denied_mimetypes_rep !allowed_domains_mimetypes
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_mimetypes_req
deny_info http://proxy-server1/proxy-error/?a=%a&B=%B&e=%e&E=%E&H=%H&i=%i&M=%M&o=%o&R=%R&T=%T&U=%U&u=%u&w=%w&x=%x&acl=denied_mimetypes denied_mimetypes_rep

http_access allow localnet bl_lookup
http_access allow localhost

http_access deny all

I'd greatly appreciate your input on this.

Hoping to understand Squid logic someday.

Thanks,

Vieri
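The rule walk described in the message above (ACLs on one http_access line are AND'ed, separate lines are OR'ed, the first matching line decides, and Squid records the "last ACL checked"), replayed in a small Python model. This is an added example, not Squid source and not code from the thread. The ACL names come from the posted squid.conf; the request fields, hostnames and the cut-down second policy are constructed for illustration, and the model does not cover slow (external) ACLs or http_reply_access.

```python
"""Toy model of Squid http_access evaluation (constructed example, not Squid code).

Semantics modelled, as discussed in the thread:
  - ACL names on one http_access line are AND'ed, evaluated left to right;
  - lines are OR'ed: the first line whose ACLs all match decides the request;
  - a leading '!' negates one ACL;
  - if no line matches, Squid applies the opposite of the last line's action.
Squid's deny_info is keyed on the same "last ACL checked" name this model reports.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]                 # constructed request: method, host, port, ua
AclTest = Callable[[Request], bool]      # a fast ACL is just a predicate on the request


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    terms: List[str]                     # ACL names, optionally prefixed with "!"


@dataclass
class Verdict:
    decision: str                        # "ALLOWED" or "DENIED"
    last_acl: Optional[str]              # ACL that settled the matching line
    rule_index: Optional[int]            # which http_access line matched; None = default


def parse_rule(line: str) -> Rule:
    """Parse an 'http_access allow|deny acl [!acl ...]' line."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "http_access" or parts[1] not in ("allow", "deny"):
        raise ValueError(f"not an http_access line: {line!r}")
    return Rule(parts[1], parts[2:])


def evaluate(rules: List[Rule], acls: Dict[str, AclTest], req: Request) -> Verdict:
    """Walk the rules in order and return the first matching line's verdict."""
    last_acl = None
    for i, rule in enumerate(rules):
        matched = True
        for term in rule.terms:
            negated = term.startswith("!")
            name = term.lstrip("!")
            if name not in acls:
                raise KeyError(f"undefined ACL {name!r}")
            last_acl = name
            # The term fails if the ACL matched but was negated, or did not match
            # and was not negated; Squid then skips the rest of this line.
            if acls[name](req) == negated:
                matched = False
                break
        if matched:
            return Verdict("ALLOWED" if rule.action == "allow" else "DENIED", last_acl, i)
    # Nothing matched: the default is the opposite of the last line's action.
    default = "DENIED" if rules[-1].action == "allow" else "ALLOWED"
    return Verdict(default, last_acl, None)


# Fast ACLs standing in for the posted acl lines (hosts/UA strings are constructed).
ACLS: Dict[str, AclTest] = {
    "all": lambda r: True,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "SSL_ports": lambda r: r["port"] == "443",
    "Safe_ports": lambda r: r["port"] in ("80", "443"),
    "allowed_useragent": lambda r: "MyAllowedUAstring" in r.get("ua", ""),
    "denied_domains": lambda r: r["host"].endswith("blocked.example"),
}

# Alex's suggestion, with one extra deny line after it to show it never runs.
ALEX_POLICY = [parse_rule(l) for l in (
    "http_access allow allowed_useragent",
    "http_access deny denied_domains",
    "http_access deny all",
)]

# Cut-down version of the posted squid.conf around the UA check.
VIERI_POLICY = [parse_rule(l) for l in (
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access allow CONNECT SSL_ports",
    "http_access deny !allowed_useragent",
    "http_access deny denied_domains",
    "http_access allow all",
)]

# Constructed requests.
GOOD_UA_TO_BLOCKED = {"method": "GET", "host": "www.blocked.example", "port": "80", "ua": "MyAllowedUAstring/1.0"}
CONNECT_NO_UA = {"method": "CONNECT", "host": "www.example.net", "port": "443", "ua": ""}
GET_NO_UA = {"method": "GET", "host": "www.example.net", "port": "80", "ua": "curl/7.0"}

if __name__ == "__main__":
    cases = [
        ("Alex policy, good UA, blocked domain", ALEX_POLICY, GOOD_UA_TO_BLOCKED),
        ("Vieri policy, CONNECT :443, no UA", VIERI_POLICY, CONNECT_NO_UA),
        ("Vieri policy, GET, wrong UA", VIERI_POLICY, GET_NO_UA),
        ("Vieri policy, good UA, blocked domain", VIERI_POLICY, GOOD_UA_TO_BLOCKED),
    ]
    for label, policy, req in cases:
        v = evaluate(policy, ACLS, req)
        print(f"{label:40} -> {v.decision}; last ACL checked: {v.last_acl}; line {v.rule_index}")
```

Running it shows the two behaviours the thread argues about: under the first policy a request with the right User-Agent is allowed on line 1 and the later deny never gets a look, while under the second policy the CONNECT to port 443 is allowed by the `allow CONNECT SSL_ports` line before the User-Agent ACL is ever evaluated, which is exactly the gap the question about "allowing all CONNECT messages to port 443" points at. The GET without the right UA is denied with `allowed_useragent` as the last ACL checked, matching the form of the debug line quoted earlier.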

