[squid-users] SOLVED - Whitelist ONLY exception isn't working correctly

Martin Hanson greencoppermine at yandex.com
Mon May 14 01:31:07 UTC 2018


>> It's like when the traffic is HTTP the whitelist is working, but when the traffic is HTTPS the whitelist isn't working.
> 
> Yes, that is exactly what is happening.
> 
> * When intercepting HTTP (port 80) traffic the protocol is HTTP. Squid
> is receiving messages generated by the client *naming* the server it
> wants to connect with, OR with just a raw-IP if the client wants to do it
> that way.
> 
> * When handling explicit proxy (port 3128) traffic the protocol is HTTP.
> Squid is receiving CONNECT messages generated by the client, again
> *naming* the server it wants to connect with, OR with just a raw-IP if
> the client wants to do it that way.
> 
> * When intercepting HTTPS (port 443) traffic the protocol is initially
> just TCP. Squid is receiving a TCP SYN packet and fakes/generates a
> CONNECT message to represent this opaque connection (ie. CONNECT to a
> raw-IP).
> 
> If (and only if) a CONNECT is itself allowed into the proxy does
> SSL-Bump begin for the TLS wrapped inside that message. That goes for
> both types of CONNECT message - Squid or client generated.
> 
> It should be obvious from the above why you see different behaviour for
> the two methods of using the proxy.
> 
>> But this is ONLY for the "windows_boxes", for everything else it's working as it should.
>>
>> I don't understand what's going on here.
> 
> If the fake CONNECT with raw-IP at SSL-Bump step1 is not allowed to go
> through the proxy then the TLS handshake cannot even start to happen. So
> there will never be a ssl::server_name for the whitelist ACL to match.
> 
> Now that you have altered localnet to exclude the *.201 and *.202 IPs
> the "allow localnet" is no longer permitting them to use the proxy.
> AND the whitelist ACL is still not matching the raw-IPs which occur in
> CONNECT messages. Which leaves Squid with "deny all".
> 
> Amos

Thank you very very much Alex and Amos for all the help!

For future reference, if anyone needs this, this is the working config:

<SNIP>
acl step1 at_step SslBump1

acl localnet src 192.168.1.0/24

# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202

acl whitelist ssl::server_name .mojang.com .minecraft.net d2pi0bc9ewx28h.cloudfront.net mcupdate.tumblr.com minecraft-textures-1196058387.us-east-1.elb.amazonaws.com .steampowered.com .steamcommunity.com .steamgames.com .steamusercontent.com .steamcontent.com .steamstatic.com .akamaihd.net .launchpad.net .ubuntu.com

# We don't want these to be cached.
store_miss deny whitelist

# Don't let SquidGuard do anything with the whitelisted domains.
url_rewrite_access deny whitelist

# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# We need this for the whitelist for the windows boxes because
# requests are blocked during SslBump step1 because there is not
# enough information in the fake CONNECT request for ssl::server_name
# to match domains in the whitelist.
http_access allow CONNECT step1

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Windows boxes are only allowed access to the whitelist.
http_access allow windows_boxes whitelist
http_access deny windows_boxes

http_access allow localhost
http_access allow localnet

http_access deny all

http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file

# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
# At step 1 ssl::server_name only holds the raw IP from the fake CONNECT,
# so the splice line cannot match yet; the peek reads the client SNI and
# the splice/bump decision is made at step 2.
ssl_bump splice whitelist
ssl_bump peek step1 all
ssl_bump bump all

# We want the query strings as well.
strip_query_terms off

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>

Kind regards


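Added example, not part of the original thread and not Squid code: a small Python model of how Squid walks the http_access and ssl_bump lines of the config above for one intercepted HTTPS connection, once at SslBump step 1 (fake CONNECT carrying only the raw destination IP) and again at step 2 (after the peek, when the client SNI is known). It reproduces Amos' point that without `http_access allow CONNECT step1` the windows boxes are denied before ssl::server_name can ever match, and it also shows the caveat a practitioner should keep in mind: at step 2 ssl::server_name is the client-supplied SNI, and `splice` never checks it against the server certificate, so a client that names a whitelisted domain in its SNI while connecting to some other address gets an uninspected tunnel. The client addresses, destination addresses, SNI values and the shortened whitelist are constructed for the example.

```python
# Added example (not Squid code, not from the original post): a first-match
# model of the http_access / ssl_bump rules in the config above, evaluated at
# SslBump step 1 and step 2.  All addresses, names and the shortened
# whitelist below are constructed for the example.
from dataclasses import dataclass
from typing import Optional

WINDOWS_BOXES = {"192.168.1.201", "192.168.1.202"}
LOCALNET_PREFIX = "192.168.1."                 # 192.168.1.0/24, simplified
WHITELIST = (".mojang.com", ".minecraft.net", ".steampowered.com")  # subset


@dataclass
class Conn:
    src: str                 # client address
    dst_ip: str              # address the intercepted SYN was going to
    sni: Optional[str]       # ClientHello SNI, only visible after the peek


def server_name(c: Conn, step: int) -> str:
    """What ssl::server_name sees: at step 1 the fake CONNECT names only the
    raw destination IP; at step 2 Squid has peeked the client SNI."""
    return c.dst_ip if step == 1 else (c.sni or c.dst_ip)


def in_whitelist(name: str) -> bool:
    """Squid domain-list matching: '.foo.com' matches foo.com and its subdomains."""
    for entry in WHITELIST:
        if entry.startswith("."):
            if name == entry[1:] or name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False


def http_access(c: Conn, step: int, allow_step1: bool) -> str:
    """First-match walk of the http_access lines; returns the line that matched.
    allow_step1=False models the config before 'http_access allow CONNECT step1'
    was added."""
    name = server_name(c, step)
    win = c.src in WINDOWS_BOXES
    rules = []
    if allow_step1:
        rules.append(("allow CONNECT step1", step == 1))
    rules += [
        ("allow windows_boxes whitelist", win and in_whitelist(name)),
        ("deny windows_boxes", win),
        ("allow localnet", c.src.startswith(LOCALNET_PREFIX)),
        ("deny all", True),
    ]
    return next(rule for rule, hit in rules if hit)


def ssl_bump(c: Conn, step: int) -> str:
    """First-match walk of the ssl_bump lines at the given step."""
    if in_whitelist(server_name(c, step)):
        return "splice"
    return "peek" if step == 1 else "bump"


def handle(c: Conn, allow_step1: bool = True) -> str:
    """Run the connection through step 1 and step 2 and summarise the outcome.
    http_access is re-checked for the fake CONNECT at every SslBump step."""
    for step in (1, 2):
        rule = http_access(c, step, allow_step1)
        if rule.startswith("deny"):
            return f"denied at step {step} by '{rule}'"
        action = ssl_bump(c, step)
        if action != "peek":           # splice or bump ends the decision
            return f"{action} at step {step} (server_name={server_name(c, step)})"
    return "no decision"               # not reachable with these rules


# Constructed connections (addresses and names invented for the example).
WIN_TO_MOJANG = Conn("192.168.1.201", "203.0.113.10", "launchermeta.mojang.com")
WIN_TO_OTHER = Conn("192.168.1.201", "203.0.113.20", "www.example.com")
PC_TO_OTHER = Conn("192.168.1.50", "203.0.113.20", "www.example.com")
# Caveat: the SNI is chosen by the client and 'splice' never checks it against
# the server certificate, so naming a whitelisted domain while connecting to an
# unrelated address still yields an uninspected tunnel.
WIN_SPOOFED_SNI = Conn("192.168.1.202", "203.0.113.99", "anything.mojang.com")

if __name__ == "__main__":
    print("without step1 allow:", handle(WIN_TO_MOJANG, allow_step1=False))
    print("windows box, whitelisted SNI:", handle(WIN_TO_MOJANG))
    print("windows box, other SNI:", handle(WIN_TO_OTHER))
    print("other LAN host:", handle(PC_TO_OTHER))
    print("windows box, spoofed SNI:", handle(WIN_SPOOFED_SNI))
```

The last case is the one to weigh before relying on an SNI-only whitelist for hosts that must be confined: making Squid verify the name against the server certificate requires staring or bumping the connection rather than splicing it, or, in Squid 4 and later, the `--server-provided` option of the ssl::server_name ACL.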