[squid-users] Using SSL bump and reverse proxy for DNS sinkhole

Antony Stone Antony.Stone at squid.open.source.it
Sat Sep 8 08:41:54 UTC 2018


On Saturday 08 September 2018 at 10:25:44, thompsonm wrote:

> Hello, I have a question about squid SSL bump and reverse proxy. Basically
> for a final project I want to create a DNS sinkhole, where the client tries
> to query a domain that has a bad reputation or is known for drive-by
> downloads etc, and the DNS server returns false information, such as an
> internal IP. Then the client is redirected to this internal IP, where a web
> server is listening, and makes the HTTP request as normal.

Okay, that makes sense (technically, at least) so far...

> All the HTTP requests along with host, URL, client IP etc, are then logged.

Yep, the web server (which I presume is run by you) will do that for you.

> It's easy to make this work with HTTP. However, I want it to work also with
> HTTPS.

What's the difference?  A web server can serve HTTPS as easily as it can serve 
HTTP.

> So basically set up a MITM

In The Middle of what?

Client is one end, but what's at the "other end" of some connection you're in 
the "middle" of?

Surely the other end is your own web server - I mean, you're trying to prevent 
people from connecting to (certain) real sites by giving the clients fake DNS 
replies, yes?  So, they never end up on the real site, and there's no 
connection for you to intercept.

> SSL proxy, where the proxy generates its own certificate for the suspicious
> website the client is trying to connect to, and then HTTP requests are
> forwarded to a web server listening on the same host.

This is over-complicated.  You just need one of:

1. a web server which will generate an SSL certificate on the fly and then serve 
HTTPS content back to the client using that certificate

or

2. a pile of SSL certificates which you generate using your own CA at the same 
time you put the fake entries into DNS.  After all, you know what domains 
you're putting into your "DNS sinkhole", so just generate an SSL certificate 
for each one as you do it, load them onto your web server, and there you go.

Basically, if you don't need to use Squid in intercept mode for the HTTP 
solution, you don't need to use SSL Bump for the HTTPS solution.

> I'm not sure how to do this. Is there any way to do this with squid SSL
> bump and reverse proxy?

Not that I can see, no, because there is no connection to be in the middle of 
that you want to intercept.  You want the client to be at one end, and your 
own server at the other end, whether it's HTTP or HTTPS - in neither case do 
you want clients to connect to the real servers.

Or, have I misunderstood something about your objective?


Antony.

-- 
<flopsie> yes, but this is #lbw, we don't do normal

                                                   Please reply to the list;
                                                         please *don't* CC me.
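The second option Antony describes (a private CA, one certificate per sinkholed name, minted at the moment the fake DNS entry is added, then loaded onto your own web server) is a short procedure that is easy to get subtly wrong, so here is an added, self-contained example of it. This is not code from the thread or from the Squid project. It assumes `openssl` on PATH, a directory layout of our own choosing (`ca.key`/`ca.crt` plus `certs/<domain>.{key,crt}`), and nginx as the sinkhole web server; the domain names and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): a private sinkhole CA plus a
# per-domain leaf certificate, issued when a domain is put into the sinkhole zone,
# so the sinkhole web server can answer HTTPS for that name and log the request.
# Assumes: openssl on PATH; directory layout below is ours; nginx paths are placeholders.
set -eu

# Create the sinkhole CA (key + self-signed cert) in $1, once.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    [ -f "$dir/ca.key" ] && return 0
    # Explicit config so the result is a real CA cert regardless of the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Sinkhole Lab CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a leaf cert for domain $2 signed by the CA in $1. Call this at the same
# moment the fake A record for the domain goes into the sinkhole DNS zone.
issue_cert() {
    dir="$1"; domain="$2"
    mkdir -p "$dir/certs"
    key="$dir/certs/$domain.key"; csr="$dir/certs/$domain.csr"; crt="$dir/certs/$domain.crt"
    cnf="$dir/certs/$domain.cnf"; ext="$dir/certs/$domain.ext"
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$domain" > "$cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" -keyout "$key" -out "$csr" 2>/dev/null
    # Browsers match the SAN, not the CN: include the bare name and the www. form.
    printf 'subjectAltName=DNS:%s,DNS:www.%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$domain" "$domain" > "$ext"
    openssl x509 -req -in "$csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 365 -extfile "$ext" -out "$crt" 2>/dev/null
    rm -f "$csr" "$cnf" "$ext"
}

# Returns 0 if the domain's cert chains to the sinkhole CA and names the domain in its SAN.
verify_cert() {
    dir="$1"; domain="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/certs/$domain.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/certs/$domain.crt" -noout -text 2>/dev/null | grep -q "DNS:$domain" || return 1
}

# Print an nginx server block for the domain. nginx selects the block by SNI, so a
# single :443 listener serves every sinkholed name; access_log gives the request log.
nginx_block() {
    dir="$1"; domain="$2"
    printf 'server {\n    listen 443 ssl;\n    server_name %s www.%s;\n    ssl_certificate %s/certs/%s.crt;\n    ssl_certificate_key %s/certs/%s.key;\n    access_log /var/log/nginx/sinkhole.log;\n    return 200 "sinkhole\\n";\n}\n' \
        "$domain" "$domain" "$dir" "$domain" "$dir" "$domain"
}

# Usage: sh sinkhole-certs.sh /etc/sinkhole bad.example another.example > sinkhole.conf
if [ $# -ge 2 ]; then
    dir="$1"; shift
    make_ca "$dir"
    for d in "$@"; do
        issue_cert "$dir" "$d"
        verify_cert "$dir" "$d" && nginx_block "$dir" "$d"
    done
fi
```

The only thing the clients need beyond the fake DNS answer is trust in `ca.crt` (pushed out like any internal CA); without that, browsers will warn on the sinkhole, which is in fact a reasonable signal for a monitoring-only deployment. Because the certificate and the DNS entry are created together, nothing ever has to sit "in the middle" of a connection to the real site, which is the point Antony makes above.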

