[squid-users] Filtering HTTPS URLs - A complete configuration
Amos Jeffries
squid3 at treenet.co.nz
Thu Feb 7 00:46:23 UTC 2019
On 7/02/19 3:52 am, Paul Doignon wrote:
> Thanks, I appreciate your detailed answer.
>
> > > I'm struggling a lot to configure Squid. To improve the security of my app in my AWS private subnet,
> >
> > If it is indeed *your* app; then please alter it not to require the
> > interception we see below. Ability to connect to a TLS explicit proxy or
> > just sending regular proxy CONNECT tunnel is a leap up in security.
>
> I wish I could too! Unfortunately, we use some third party libraries that do not support proxies (or not well). What a shame :(
>
> > > # Hide some revealing or useless headers
> > > forwarded_for delete
> > > httpd_suppress_version_string off
> > > reply_header_access X-Cache deny all
> > > reply_header_access X-Cache-Lookup deny all
> > > via off
> > >
> > > # Tuning
> > > max_filedesc 10000
> > >
> > > # Disable access to manager
> > > http_access deny manager
> >
> > 2) you are missing the security protections from the default squid.conf...
>
> I have not hardened Squid yet, but you mean default `acl localnet src [...]` rules? I'm not sure about this.
>
The defaults that come with a new build or installation:
"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
... your rules go here ...
http_access deny all
"
> > Please see <https://wiki.squid-cache.org/Features/SslPeekAndSplice> for
> > details on the TLS handshake process and what SSL-Bump does during that.
>
> Another read was indeed interesting, I think I corrected ssl_bump directives. However I still can't make it work.
> Just for the record, I would like to block everything but some HTTPS websites for particular URLs. The ssl::server_name acl is not enough for me, I would like to use url_regex or similar.
> And that's where it gets wrong, I can't make Squid make the link between `ssl_bump bump` and url_regex.
That is because ssl_bump is the access control governing the TLS
handshake process. TLS message/frames do not contain URLs. Even when a
client CONNECT request is being processed it only has an authority-URI
(not a full URL).
The http_access rules are the first point you get access to URL. The
https:// URLs start *after* the ssl_bump finishes with a successful
'bump' action.
The closest you are going to get to the above is with:
* bump everything[1], and
* use http_access to check the https:// URLs for your policy
* use "deny_info TCP_RESET" [2] on the blocked requests.
[1] some things literally cannot be bumped. So a decision needs to be
made about what to do then.
[2] a regular deny error page will work fine. This TCP_RESET is just
closest to the "ssl_bump terminate" behaviour.
Amos
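The three steps above (bump everything, check the https:// URLs in http_access, reset the rest), written out as one Squid 4 squid.conf fragment. This is an added example, not part of Amos's reply or of the Squid project's documentation; the port number, certificate and database paths, the 10.0.0.0/8 subnet and the api.example.com URL pattern are placeholder assumptions.

```squid
# Added example (not from the original post). Port, paths, subnet and
# the api.example.com pattern are placeholders to be replaced.

# Default protections shipped in squid.conf, as quoted in the reply above
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Intercepted TLS port with dynamic per-host certificate generation
# (ca.pem = placeholder path to the private CA your clients trust)
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Step 1: peek at the ClientHello (only SNI is known here, no URL),
# then bump everything [1]. Connections that cannot be bumped
# (e.g. a client that refuses the generated certificate) still need
# a decision; "ssl_bump terminate" is the strict alternative.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Only after a successful bump do the decrypted requests reach
# http_access with a full https:// URL, so url_regex applies here.
acl localnet src 10.0.0.0/8            # placeholder: your private subnet
acl allowed_urls url_regex -i ^https://api\.example\.com/v1/

# The intercepted connection is first seen as a (fake) CONNECT to
# port 443; it must be allowed so that the bump can take place.
http_access allow localnet CONNECT SSL_ports
http_access allow localnet allowed_urls

# [2] Reset the TCP connection instead of serving an error page,
# the closest http_access equivalent of "ssl_bump terminate".
deny_info TCP_RESET all
http_access deny all
```

Run `squid -k parse` after editing to catch directive or ACL errors before reloading.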