[squid-users] [EXTERNAL] Re: Ubuntu 18 with Squid 4.11 SSL_BUMP
Anthony Mead
ANTHONY_MEAD at progressive.com
Wed Apr 29 21:11:25 UTC 2020
Hmm, if there were more logs I'd share them! Any reason why I'd only see an access.log line?
I promise if I curl https://google.com this is the only line I see:
1588193897.852 20 10.0.1.180 TCP_TUNNEL_ABORTED/200 5103 CONNECT 172.217.15.78:443 - ORIGINAL_DST/172.217.15.78 -
Or curl https://youtube.com :
1588194262.880 32 10.0.1.180 TCP_TUNNEL/200 4824 CONNECT 172.217.13.78:443 - ORIGINAL_DST/172.217.13.78 -
Or curl https://github.com/:
1588194657.291 45 10.0.1.180 TCP_TUNNEL/200 107344 CONNECT 140.82.113.4:443 - ORIGINAL_DST/140.82.113.4 -
To avoid an X/Y problem the rest of my setup mimics a few blog posts - An EC2 in a private subnet that has all traffic being forwarded to the squid instance, which has iptables forwarding http/https to 3129/3130. All approved traffic is then forwarded onto a NAT Gateway. Maybe another piece of the "puzzle" is capturing the logs.
Also I really appreciate your help so far!
On 4/29/20, 4:35 PM, "squid-users on behalf of Amos Jeffries" <squid-users-bounces at lists.squid-cache.org on behalf of squid3 at treenet.co.nz> wrote:
On 30/04/20 8:15 am, Anthony Mead wrote:
> Thanks! I've re-compiled without the unnecessary flag, and restarted the service with a new whitelist, unfortunately I'm getting such a variety of /var/log/squid/access.log messages that I'm not sure what to google anymore.
>
> I want to deny all access to external sites except http/https github.com but some sites seem to connect, while others don't:
>
There are a lot of details missing from your quoted log lines. Details
such as which server was contacted are important when there is more
than one TCP connection involved.
Since this is SSL-Bump _each_ curl request should result in _3_
access.log lines - with varying client, server and URI values.
You are only showing us one log line at a time. With only the client and
URI parts.
Below is a *guess* about what is going on, based on what the status
says. This is only to demonstrate that for each line you show there is
at least one situation where your squid.conf file tells Squid to do an
action which would result in that line. Whether these guesses are right
requires all the information you are omitting.
> ~$ # this is correct
> ~$ curl http://github.com/
> 10.0.1.180 TCP_MISS/301 200 GET http://github.com/
>
acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
http_access allow allowed_http_sites
> ~$ # this is correct
> ~$ curl https://github.com/
> 10.0.1.180 TCP_TUNNEL/200 107323 CONNECT 140.82.114.4:443
>
acl SSL_port port 443
http_access allow SSL_port
ssl_bump peek all
> ~$ # this should deny
> ~$ curl https://youtube.com/
> 10.0.1.180 TCP_TUNNEL/200 4844 CONNECT 172.217.15.110:443
>
acl SSL_port port 443
http_access allow SSL_port
ssl_bump peek all
> ~$ # this should deny
> ~$ curl https://google.com/
> 10.0.1.180 TCP_TUNNEL_ABORTED/200 5103 CONNECT 172.217.2.110:443
>
acl SSL_port port 443
http_access allow SSL_port
ssl_bump peek all
> ~$ # this is denying - but not from squid, but openssl?
> ~$ curl https://news.ycombinator.com/
> curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to news.ycombinator.com:443
> 10.0.1.180 NONE_ABORTED/200 0 CONNECT 209.216.230.240:443
>
acl SSL_port port 443
http_access allow SSL_port
ssl_bump terminate all
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
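The access.log lines quoted in this thread are in Squid's native log format. Below is an added example (not code from the thread, from Squid, or from either poster) that parses such lines and flags CONNECT requests that Squid tunnelled to a bare IP:port destination, the pattern Amos's guess attributes to `http_access allow SSL_port` combined with `ssl_bump peek all`; the sample lines are constructed after the ones in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the access.log lines quoted in the thread.
SAMPLE_LOG = """\
1588193897.852 20 10.0.1.180 TCP_TUNNEL_ABORTED/200 5103 CONNECT 172.217.15.78:443 - ORIGINAL_DST/172.217.15.78 -
1588194262.880 32 10.0.1.180 TCP_TUNNEL/200 4824 CONNECT 172.217.13.78:443 - ORIGINAL_DST/172.217.13.78 -
1588194657.291 45 10.0.1.180 TCP_TUNNEL/200 107344 CONNECT 140.82.113.4:443 - ORIGINAL_DST/140.82.113.4 -
1588194700.000 12 10.0.1.180 TCP_MISS/301 200 GET http://github.com/ - ORIGINAL_DST/140.82.114.4 text/html
1588194800.000 9 10.0.1.180 NONE_ABORTED/200 0 CONNECT 209.216.230.240:443 - HIER_NONE/- -
"""

@dataclass
class Entry:
    ts: float
    client: str
    result: str   # Squid result code, e.g. TCP_TUNNEL
    status: int   # HTTP status, e.g. 200
    method: str
    url: str
    peer: str     # hierarchy/peer field, e.g. ORIGINAL_DST/140.82.113.4

# Native format: time elapsed client result/status bytes method URL user hierarchy/peer type
FIELD_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; return None if it does not match."""
    m = FIELD_RE.match(line.strip())
    if not m:
        return None
    ts, _dur, client, result, status, _bytes, method, url, _user, peer, _ctype = m.groups()
    return Entry(float(ts), client, result, int(status), method, url, peer)

def blind_tunnels(log: str) -> List[Entry]:
    """Return CONNECT requests Squid tunnelled (TCP_TUNNEL*) to an IP:port.
    With intercepted HTTPS the CONNECT URI is the original destination IP, so a
    dstdomain whitelist has no hostname to match at this step; the tunnel was
    allowed on port alone, and only a later peek/bump step could apply a
    domain-based policy."""
    out = []
    for line in log.splitlines():
        e = parse_line(line)
        if e and e.method == "CONNECT" and e.result.startswith("TCP_TUNNEL") \
                and IP_PORT_RE.match(e.url):
            out.append(e)
    return out
```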