[squid-users] Strange Squid SSL Interception Behavior

Mathew Brown mbrown8918 at outlook.com
Tue Aug 25 22:15:40 UTC 2020 

Thank you Alex for your patience and clarification. After reading your explanation and based on my limited understanding, I was able to get the following to work:

...
acl whitelist ssl::server_name .httpbin.org

...
http_access deny CONNECT !SSL_ports
http_access allow localnet CONNECT

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate !whitelist
ssl_bump splice all

The above allows access only to httpbin.org and no other domains

If I understand correctly, the original issue is that the CONNECT has to be allowed explicitly and it was not (I just had the typical DENY for non SSL ports) and because of this, it was not be able to proceed in the SSL bumping path. Is my understanding correct? Thanks


________________________________
From: Alex Rousskov <rousskov at measurement-factory.com>
Sent: Tuesday, August 25, 2020 11:24 PM
To: Mathew Brown <mbrown8918 at outlook.com>; squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] Strange Squid SSL Interception Behavior

On 8/24/20 9:09 PM, Mathew Brown wrote:
> Thanks but even with the --no-check-certificate option and using a bump
> instead of splicing, it still fails as shown above unless I add the
> localnet rule. The question is: why does the same ACL line:

> http_access allow whitelist

> suddenly work when I add an unrelated ACL line after it?

You are misinterpreting the outcome of the test. That whitelist
http_access line did not work (well) for fake CONNECTs before and does
not start working (well) after another http_access rule is added. It is
the added rule that "starts working" instead!

Most ACL-driven directives, including http_access, cannot be correctly
interpreted at single-ACL, single-line, or single-rule scope. You must
consider _all_ rules for a given directive to correctly predict the
outcome of that directive evaluation. When you add a rule, the outcome
of the directive evaluation may change if the previous set of rules did
not match and the added rule does match. The latter is exactly what
happens in your "add an unrelated ACL" test case.

For completeness sake: When no http_access rules match, Squid applies
the action (allow or deny) that is the opposite of the last configured
http_access rule action. If no http_access rules were configured at all,
Squid denies.


There is similar (albeit a bit incomplete) information in the (arguably
misplaced) FAQ section at
https://wiki.squid-cache.org/SquidFaq/SquidAcl#Access_Lists


> From my understanding, Squid should perform the exact same steps in both
> cases BUT then allow the connection because of the localnet ACL line
> that it sees right before the deny all line, not because it suddenly was
> able to match httpbin.org using a domain compare as shown by the debug
> logs. What am I missing?

You may also be missing the fact that http_access directive is applied
several times for one wget execution, once at every SslBump step. The
information available to Squid at each SslBump step differs.
https://wiki.squid-cache.org/Features/SslPeekAndSplice

Domain-based ACL matches you see in the second test log probably do not
exist in the first test because Squid does not get far enough during the
first test -- Squid denies the fake CONNECT (and bumps the connection)
at step1, when no domain information is available yet.


HTH,

Alex.


> ------------------------------------------------------------------------
> *From:* Alex Rousskov <rousskov at measurement-factory.com>
> *Sent:* Tuesday, August 25, 2020 8:41 AM
> *To:* Mathew Brown <mbrown8918 at outlook.com>;
> squid-users at lists.squid-cache.org <squid-users at lists.squid-cache.org>
> *Subject:* Re: [squid-users] Strange Squid SSL Interception Behavior
>
> On 8/24/20 6:21 PM, Mathew Brown wrote:
>
>> acl whitelist ssl::server_name .httpbin.org
>> acl whitelist_http ssl::server_name .httpbin.org
>
>> ssl_bump peek step1
>> ssl_bump splice all
>
>> http_access allow whitelist
>> http_access allow whitelist_http
>> http_access deny all
>
> The rules above only allow CONNECT requests to .httpbin.org domains.
>
> During step1, when Squid intercepts a TLS connection to an IP address of
> an .httpbin.org domain, Squid http_access rules are applied to a (fake)
> CONNECT request to the destination IP address. There are no domain names
> at that TCP-level bumping stage. Thus, you place your Squid at the mercy
> of reverse DSN lookups.
>
> In my environment, reverse DNS does not work for httpbin.org the way you
> may expect:
>
>> $ host 54.236.246.173
>> 173.246.236.54.in-addr.arpa domain name pointer ec2-54-236-246-173.compute-1.amazonaws.com.
>
> The above AWS domain name does not match your whitelist ACLs, of course,
> and, hence, the fake CONNECT request is denied. Denied requests are
> bumped to deliver the error message. Bumped requests require
> --no-check-certificate or other means of trusting Squid's CA certificate.
>
> If you cannot explicitly allow CONNECT requests to httpbin.org IP
> addresses (e.g., because they change too often), then consider allowing
> CONNECT to safe ports at any address at step1. If you only intercept
> connections to httpbin.org IPs, then you can probably relax your step1
> http_access rules to allow all CONNECTs (to safe addresses).
>
> There are many similar questions about allowing CONNECT to IP addresses
> on this mailing list. You may be able to find more detailed advice or
> instructions by searching for those mailing list threads.
>
>
> HTH,
>
> Alex.
>
>
>> $ wget https://httpbin.org
>> --2020-08-24 17:48:34--  https://httpbin.org/
>> Resolving httpbin.org (httpbin.org)... 54.236.246.173, 3.220.112.94
>> Connecting to httpbin.org (httpbin.org)|54.236.246.173|:443... connected.
>> ERROR: cannot verify httpbin.org's certificate, issued by ‘O=Internet
>> Widgits Pty Ltd,ST=Some-State,C=AU’:
>>   Self-signed certificate encountered.
>> To connect to httpbin.org insecurely, use `--no-check-certificate'.
>>
>> $ wget https://httpbin.org --no-check-certificate
>> --2020-08-24 17:48:40--  https://httpbin.org/
>> Resolving httpbin.org (httpbin.org)... 3.220.112.94, 54.236.246.173
>> Connecting to httpbin.org (httpbin.org)|3.220.112.94|:443... connected.
>> WARNING: cannot verify httpbin.org's certificate, issued by ‘O=Internet
>> Widgits Pty Ltd,ST=Some-State,C=AU’:
>>   Self-signed certificate encountered.
>> HTTP request sent, awaiting response... 403 Forbidden
>> 2020-08-24 17:48:40 ERROR 403: Forbidden.
>>
>> looking at access.log shows:
>>
>> 1598305800.974      2 192.168.123.214 TCP_DENIED/200 0 CONNECT
>> 54.236.246.173:443 - HIER_NONE/- -
>>
>> for the first request (without the --no-check-certificate) and the
>> following for the 2nd request (with the --no-check-certificate):
>>
>> 1598305812.292      3 192.168.123.214 TCP_DENIED/200 0 CONNECT
>> 54.236.246.173:443 - HIER_NONE/- -
>> 1598305812.300      2 192.168.123.214 NONE/403 3795 GET
>> https://httpbin.org/ - HIER_NONE/- text/html
>>
>> looking at cache.log shows:
>>
>> # cat /var/log/squid/cache.log  | grep -i "28" | grep -i httpbin
>> 2020/08/24 17:50:00.972 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org
>> 2020/08/24 17:50:00.972 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org
>> 2020/08/24 17:50:12.290 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org
>> 2020/08/24 17:50:12.290 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org
>>
>> so it never matches on the httpbin.org
>>
>> now, if I add the following line to my configuration:
>>
>> http_access allow localnet
>>
>> right before the:
>>
>> http_access deny all
>>
>> line it works and I see the following in access.log:
>>
>> 1598305979.004      4 192.168.123.214 NONE/200 0 CONNECT
>> 54.236.246.173:443 - HIER_NONE/- -
>> 1598305980.016   1012 192.168.123.214 TCP_TUNNEL/200 15370 CONNECT
>> httpbin.org:443 - ORIGINAL_DST/54.236.246.173 -
>>
>> and I see the following in cache.log:
>>
>> # cat /var/log/squid/cache.log  | grep -i "28" | grep -i httpbin
>> 2020/08/24 17:52:59.000 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org
>> 2020/08/24 17:52:59.000 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:54.236.246.173 <>  .httpbin.org
>> 2020/08/24 17:52:59.005 kid1| 28,3| RegexData.cc(43) match: checking
>> 'httpbin.org:443'
>> 2020/08/24 17:52:59.005 kid1| 28,3| ServerName.cc(42) match: checking
>> 'httpbin.org'
>> 2020/08/24 17:52:59.005 kid1| 28,7| ServerName.cc(32)
>> aclHostDomainCompare: Match:httpbin.org <>  .httpbin.org
>> 2020/08/24 17:52:59.005 kid1| 28,3| ServerName.cc(47) match:
>> 'httpbin.org' found
>>
>> What's puzzling is why adding the 'allow localnet' line changes the ACL
>> logic for .httpbin.org and why the original configuration does not work.
>> Any ideas? Thanks
>>
>> PS. I reproduced the exact same scenario on Ubuntu 20.04 with Squid 4.12
>>
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200825/84853709/attachment-0001.htm>

More information about the squid-users mailing list