[squid-users] How to perform regex only after Squid knows the full url with SslBump

Alex Rousskov rousskov at measurement-factory.com
Mon Mar 23 19:09:19 UTC 2020


On 3/23/20 11:20 AM, laviier wrote:

> I did think of allowing the domain name first during CONNECT phase, and
> then the full URL after connection established. However, other paths
> under the same site won't be blocked.

What will (or will not be) blocked is for you to decide.


> i.e. I can ask Squid to let example.com pass
> through during CONNECT, and then let example.com/abc/login
> pass through after connection established.

Yes, you can.


> However, this will let other paths of example.com
> pass Squid too (such as example.com/not_to_pass)

Only if your http_access rules allow them. Your rules can include
request methods and bump stages, among other things.


> because it passes the ACL check during CONNECT phase.

You can make that first example.com check be specific to the "CONNECT
phase". That specific rule does not have to match after the connection
was bumped -- you control that. Squid ACLs are very flexible. Do not
think about one ACL (with several regexes). Think of a combination of
different ACLs. Think of multiple http_access lines. Think of any-of and
all-of ACLs. For example:

  acl ...
  ...
  acl allowedAtTcpLevel ...
  acl allowedAtSniLevel ...
  acl allowedPlainAndBumpedTraffic ...

  http_access allow step1 allowedAtTcpLevel
  http_access deny step1
  http_access allow step2 allowedAtSniLevel
  http_access deny step2
  http_access allow allowedPlainAndBumpedTraffic
  http_access deny all

There are many ways to express what you want. The above is just one
excessively generic sketch. Your best solution will be different. I am
just illustrating the concept.


HTH,

Alex.
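One concrete rendering of the step1/step2/bumped sketch above, added here as an example; it is neither Alex's configuration nor anything shipped by the Squid project. The ACL names, example.com, the /abc/login path, and the ssl_bump lines are assumptions, the stage-specific http_access lines follow the sketch, and only HTTPS traffic is covered.

```squid
# Added example (not Alex's configuration, not from the Squid project).
# Assumed: clients reach https://example.com/abc/login through this proxy
# and nothing else on that site may be fetched.

acl step1 at_step SslBump1
acl step2 at_step SslBump2

acl CONNECT method CONNECT
acl SSL_ports port 443

# Step 1 (before any TLS): only the CONNECT target host:port is known,
# so a url_regex cannot see a path yet; match the destination domain.
acl allowedAtTcpLevel dstdomain example.com

# Step 2 (after peeking at the ClientHello): the TLS SNI is known.
acl allowedAtSniLevel ssl::server_name example.com

# After bumping: every decrypted request carries its full https:// URL,
# and this is the only place a path can be checked.
acl allowedPlainAndBumpedTraffic url_regex -i ^https://example\.com/abc/login(\?|$)

# Peek at step 1 so the SNI is available at step 2, then bump so the
# individual HTTPS requests become visible to http_access.
ssl_bump peek step1
ssl_bump bump all

# Each deny line fires only for its own stage: an allow at step 1 or 2
# never carries a bumped request past the final per-URL check.
http_access allow step1 CONNECT SSL_ports allowedAtTcpLevel
http_access deny step1
http_access allow step2 allowedAtSniLevel
http_access deny step2
http_access allow allowedPlainAndBumpedTraffic
http_access deny all
```

With `debug_options 28,3` the cache.log lines of the form `Acl.cc(...) matches: checked: <acl> = 0/1` (as in the log quoted below) show which ACL decided each stage, so you can confirm that the CONNECT is admitted at step 1 and that the per-path rule is what finally decides for example.com/not_to_pass.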


> On Sun, Mar 22, 2020 at 11:19 AM Alex Rousskov wrote:
> 
>     On 3/20/20 5:48 PM, laviier wrote:
>     > Hi,
>     >
>     > I have a use case that I want to access a certain URL path of a
>     > domain but not other. i.e. I want client to be able to access
>     > example.com/abc/login, but not other paths.
>     >
>     > Hence, I created ACL rule to achieve that, see below:
>     >
>     > ```
>     > acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"
>     > acl http port 80
>     > acl https port 443
>     > acl connect method CONNECT
>     >
>     > http_access allow all to_domain_whitelist
>     > http_access deny all
>     >
>     > http_reply_access allow all
>     >
>     > acl step1 at_step SslBump1
>     > acl step2 at_step SslBump2
>     > acl step3 at_step SslBump3
>     >
>     > ssl_bump peek step3
>     > ssl_bump bump all
>     > ```
>     >
>     > However, the above code does not work properly: the URL regex
>     > matching happens before Squid performs decryption, so it can only
>     > match against the host name instead of the full URL path. I wonder
>     > if there's a way to perform the URL regex only after Squid knows the
>     > full URL with SslBump? Below is a briefing of the log. Thank you so
>     > much!!!!
>     > ```
>     > ---------
>     > CONNECT example.com:443 HTTP/1.1
>     > Host: example.com:443
>     > User-Agent: curl/7.54.0
>     > Proxy-Connection: Keep-Alive
>     > X-Forwarded-For: xx.xxx.xx.xx
>     > ----------
>     > ...
>     > 2020/03/20 14:51:43.067| 28,3| Acl.cc(158) matches: checked: to_domain_whitelist = 0
>     > 2020/03/20 14:51:43.071| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request CONNECT example.com:443 is DENIED; last ACL checked: all
>     > ...
> 
>     If you want to make allow/deny decision based on individual request
>     URLs, your http_access rules must allow the CONNECT request. Once Squid
>     establishes (and bumps) the CONNECT tunnel, it will start processing
>     individual requests and apply http_access rules to each of them.
> 
>     To allow a CONNECT request, do not use regular URL syntax because
>     CONNECT requests use a different URI syntax. Sorry, I do not know
>     whether a url_regex ACL can be used for CONNECT URIs, but you can use
>     other ACLs if/as needed, of course.
> 
> 
>     HTH,
> 
>     Alex.
> 
> 
>     > ---------
>     > GET /abc/login HTTP/1.1
>     > Host: example.com
>     > User-Agent: curl/7.54.0
>     > Accept: */*
>     > ----------
>     > ....
>     > ```
> 


