[squid-users] Blocking HTTPS On Transparent/Interception Proxy Configuration

Eliezer Croitoru eliezer at ngtech.co.il
Wed Sep 27 20:17:10 UTC 2017 

Hey,

Can you clarify what do you want to achieve eventually?
If you want to block youtube or facebook I can recommend you on other solutions then in the application level.
The next repository:
https://github.com/vel21ripn/nDPI

Implements some level of deep packet inspection without the existence of a full fledged proxy and does the filtering in the kernel level.
Depends on the OS you are using you would be able to either compile or acquire the module and libraries that will allow you to block youtube and\or facebook.
Take a peek at the wiki of the module at:
https://github.com/vel21ripn/nDPI/wiki

I have published a package for CentOS 7 named "kmod-xt_ndpi" at:
http://ngtech.co.il/repo/centos/7/x86_64/kmod-xt_ndpi-2.0.1-2.el7.centos.x86_64.rpm

And just notice that the 2.0.1 is the 1.7 stable nDPI module but the version number is for the package and not the module version.

Another solution would be to maintain an iptables+ipset setup that detects access to facebook or youtube and block these.

If you will give more details on the scenario we might be able to offer a more efficient solution.
Also to block facebook and youtube traffic using ssl-bump you don't need to bump and run full MITM for all traffic but just for youtube or facebook requests.

All The Bests,
Eliezer

* let me know if you need more help. 

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of ivanleoncz
Sent: Wednesday, September 27, 2017 23:02
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Blocking HTTPS On Transparent/Interception Proxy Configuration

Hello, Squid Users.

I'm not an experienced user for advanced configurations on Squid, so I need
some advice or help, which will be much appreciated.

As I was watching some of the logs from my Proxy, I noticed that there are
requests that are made first via HTTP, and the remote Web Server responds
with a 302 redirect to a HTTPS site.

I can use Facebook as an example:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1505162176.649    102 192.168.0.108 TCP_MISS/204 257 GET
http://b-www.facebook.com/mobile/status.php - ORIGINAL_DST/31.13.66.37
text/plain
1505233881.293    176 192.168.0.149 TCP_MISS/302 387 GET
http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505240198.118    162 192.168.0.149 TCP_MISS/302 387 GET
http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505241490.335    203 192.168.0.149 TCP_MISS/302 387 GET
http://www.facebook.com/ - ORIGINAL_DST/157.240.3.35 text/html
1505248976.884    173 192.168.0.54 TCP_MISS/302 562 GET
http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36
text/html
1505303537.048    144 192.168.0.152 TCP_MISS/302 382 GET
http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505331296.129    181 192.168.0.108 TCP_MISS/302 635 GET
http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36
text/html
1505389662.830    144 192.168.0.152 TCP_MISS/302 382 GET
http://www.facebook.com/ - ORIGINAL_DST/157.240.17.35 text/html
1505393796.724    187 192.168.0.165 TCP_MISS/302 387 GET
http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
1505481730.533    145 192.168.0.74 TCP_MISS/302 484 GET
http://www.facebook.com/plugins/fan.php? - ORIGINAL_DST/157.240.17.35
text/html
1505756711.632    221 192.168.0.76 TCP_MISS/302 671 GET
http://www.facebook.com/plugins/likebox.php? - ORIGINAL_DST/31.13.66.36
text/html
1505849677.484    190 192.168.0.56 TCP_MISS/302 532 GET
http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36
text/html
1505913883.386    166 192.168.0.152 TCP_MISS/302 382 GET
http://www.facebook.com/ - ORIGINAL_DST/157.240.17.35 text/html
1505926185.493    146 192.168.0.56 TCP_MISS/302 532 GET
http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/31.13.66.36
text/html
1506089311.489    152 192.168.0.62 TCP_MISS/302 587 GET
http://www.facebook.com/plugins/likebox.php? - ORIGINAL_DST/157.240.17.35
text/html
1506102859.349    171 192.168.0.41 TCP_MISS/302 528 GET
http://www.facebook.com/plugins/follow.php? - ORIGINAL_DST/157.240.3.35
text/html
1506449027.644    126 192.168.0.72 TCP_MISS/302 567 GET
http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/157.240.17.35
text/html
1506458858.890    244 192.168.0.54 TCP_MISS/302 562 GET
http://www.facebook.com/plugins/like.php? - ORIGINAL_DST/157.240.3.35
text/html
1506531664.419    137 192.168.0.152 TCP_MISS/302 382 GET
http://www.facebook.com/ - ORIGINAL_DST/31.13.66.36 text/html
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  
With these logs, I can understand that a first request is made via HTTP and
a redirect is going to be performed. Am I right?

Seems like the same applies for other sites like YouTube, for example:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1506454619.784    129 192.168.0.68 TCP_MISS/302 908 GET
http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506454859.606    127 192.168.0.68 TCP_MISS/302 908 GET
http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506455555.686    189 192.168.0.68 TCP_MISS/302 908 GET
http://www.youtube.com/ - ORIGINAL_DST/172.217.5.174 text/html
1506455678.559    181 192.168.0.68 TCP_MISS/302 908 GET
http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506455887.214    158 192.168.0.68 TCP_MISS/302 908 GET
http://www.youtube.com/ - ORIGINAL_DST/216.58.193.14 text/html
1506456578.142    127 192.168.0.68 TCP_MISS/302 908 GET
http://www.youtube.com/ - ORIGINAL_DST/172.217.5.174 text/html
1506457019.837    123 192.168.0.68 TCP_MISS/302 908 GET
http://www.youtube.com/ - ORIGINAL_DST/172.217.7.46 text/html
1506457532.332    110 192.168.0.68 TCP_MISS/302 908 GET
http://www.youtube.com/ - ORIGINAL_DST/216.58.193.46 text/html
1506457735.088    108 192.168.0.68 TCP_MISS/302 908 GET
http://www.youtube.com/ - ORIGINAL_DST/216.58.193.46 text/html
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Since that the first request is via HTTP, I was wondering:
 
    /- Why I cannot just deny the access for a site like "www.facebook.com",
"facebook.com", "youtube.com", etc.?/

If I cannot perform something like this, I'd like to know: 

    /- Is there any way or mechanism that can be used on Squid for blocking
HTTPS sites, that were originally accessed via 302 redirect?/

I know that there are tons of blogs, forums, etc., that they recommend
theusage of SSLBump, but I also know that MITM is not a good choice, since
that it's (or it could be) illegal, to eavesdrop a secure connection. So I
believe that SSL Bump is not an option.

Thank you all for the attention.

Best Regards,
@ivanleoncz




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list