[squid-users] Whitelist ONLY exception isn't working correctly

Amos Jeffries squid3 at treenet.co.nz
Mon May 14 01:24:37 UTC 2018


On 14/05/18 12:49, Martin Hanson wrote:
> I have enabled debugging and found something quite strange.
> 
> In order to better debug I have limited the whitelist to two domains, one HTTP and one with HTTPS:
> 
> acl whitelist ssl::server_name .ubuntu.com .sundkat.dk
> 
> When I go to http://www.sundkat.dk, which is a HTTP domain, I get the following:
> 
> 2018/05/14 02:42:49.859 kid1| 85,2| src/client_side_request.cc(745) clientAccessCheckDone: The request GET http://www.sundkat.dk/ is ALLOWED; last ACL checked: whitelist
> 
> But when I go to https://www.ubuntu.com, I get the following:
> 
> 2018/05/14 02:43:44.262 kid1| 85,2| src/client_side_request.cc(745) clientAccessCheckDone: The request CONNECT 91.189.89.103:443 is DENIED; last ACL checked: all
> 
> It's like when the traffic is HTTP the whitelist is working, but when the traffic is HTTPS the whitelist isn't working.

Yes, that is exactly what is happening.


* When intercepting HTTP (port 80) traffic the protocol is HTTP. Squid
is receiving messages generated by the client *naming* the server it
wants to connect with, OR with just a raw IP if the client wants to do
it that way.

* When handling explicit proxy (port 3128) traffic the protocol is HTTP.
Squid is receiving CONNECT messages generated by the client, again
*naming* the server it wants to connect with, OR with just a raw IP if
the client wants to do it that way.

* When intercepting HTTPS (port 443) traffic the protocol is initially
just TCP. Squid is receiving a TCP SYN packet and fakes/generates a
CONNECT message to represent this opaque connection (i.e. a CONNECT to
a raw IP).

If (and only if) a CONNECT is itself allowed into the proxy does
SSL-Bump begin for the TLS wrapped inside that message. That goes for
both types of CONNECT message - Squid or client generated.

It should be obvious from the above why you see different behaviour for
the two methods of using the proxy.



> But this is ONLY for the "windows_boxes", for everything else it's working as it should.
> 
> I don't understand what's going on here.
> 

If the fake CONNECT with raw-IP at SSL-Bump step1 is not allowed to go
through the proxy then the TLS handshake cannot even start to happen. So
there will never be a ssl::server_name for the whitelist ACL to match.

Now that you have altered localnet to exclude the *.201 and *.202 IPs,
the "allow localnet" is no longer permitting them to use the proxy,
AND the whitelist ACL is still not matching the raw IPs which occur in
CONNECT messages, which leaves Squid with "deny all".

Amos
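As an added illustration (not from the thread, and not Amos's or the Squid project's configuration), a squid.conf fragment contrasting the two orderings described above: in the first, the whitelist-only rule denies the Squid-generated raw-IP CONNECT before SSL-Bump can start, so no SNI is ever seen; in the second, the CONNECT from the affected clients is let into the proxy so peek can obtain the SNI, and the whitelist is enforced on the server name at the next ssl_bump step. The client addresses, the `windows_boxes` and `step1` ACL names and the https_port setup are assumptions.

```conf
# Added example, not from the thread. Client IPs and the ACL names
# other than "whitelist" are assumptions; the https_port line with its
# certificate options is assumed to exist elsewhere in the config.

acl windows_boxes src 192.0.2.201 192.0.2.202
acl whitelist ssl::server_name .ubuntu.com .sundkat.dk
acl step1 at_step SslBump1

# --- Ordering that produces the DENIED log line ---
# An intercepted port-443 connection enters as a Squid-generated
# "CONNECT 91.189.89.103:443". ssl::server_name has only the raw IP
# to compare against .ubuntu.com, nothing matches, "deny all" fires,
# and the TLS handshake (and therefore the SNI) never happens.
#http_access allow whitelist
#http_access deny all

# --- Ordering that lets the whitelist see a server name ---
# Allow the raw-IP CONNECT from these clients into the proxy so that
# SSL-Bump can begin; plain HTTP from them is still whitelist-only.
http_access allow windows_boxes CONNECT
http_access allow whitelist
http_access deny all

# Step 1: peek at the ClientHello to learn the SNI without bumping.
ssl_bump peek step1
# Step 2: ssl::server_name now carries the client's SNI, so the
# whitelist can be enforced here: splice allowed names, close the rest.
ssl_bump splice whitelist
ssl_bump terminate all
```

With this ordering the enforcement for intercepted HTTPS moves from http_access to the ssl_bump rules, so a non-whitelisted name is closed by `terminate` rather than denied before the handshake.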

