[squid-users] allow update domain and block everything else

Miroslaw Malinowski mr.miroslaw.malinowski at gmail.com
Thu Apr 15 20:52:03 UTC 2021 

I've found a resolution using a bit better regex:

acl blackList url_regex ^https?:\/\/.*$

looking at the debug it doing exactly what I wanted, however, I now have a
different issue how to handle a 302 MOVED when the move is to a different
domain, e.g. packages.gitlab.com are moved to d20rj4el6vkp4c.cloudfront.net.
Is squid stateful in a way that it's able to remember those packets are
coming from the same session? What would be the best way to resolve the
issue other than just keep adding domain if a thing like this happens.


Thanks


On Thu, Apr 15, 2021 at 1:03 PM Miroslaw Malinowski <
mr.miroslaw.malinowski at gmail.com> wrote:

> Hi,
>
> I'm trying to use Opnsense built-in squid config to set up a transparent
> proxy for server updates and block everything else.
> In GUI they use url_regex for whitelist and blacklist, when I simple per
> domain whitelist and blacklist it's working as expected, e.g.
> # ACL - Whitelist - User defined (whiteList)
> acl whiteList url_regex archive\.ubuntu\.com
> # ACL - Blacklist - User defined (blackList)
> acl blackList url_regex packages\.gitlab\.com
> # ACL list (Allow) whitelist
> http_access allow whiteList
> # ACL list (Deny) blacklist
> http_access deny blackList
>
> However, when I do wildcard in blacklist I also get all https domain
> blocked even when I've tried to explicitly allow it with https://archive\.ubuntu\.com
> , e.g.
> # ACL - Whitelist - User defined (whiteList)
> acl whiteList url_regex archive\.ubuntu\.com
> # ACL - Blacklist - User defined (blackList)
> acl blackList url_regex .*
> # ACL list (Allow) whitelist
> http_access allow whiteList
> # ACL list (Deny) blacklist
> http_access deny blackList
>
> I get:
> Err:7 https://repos.influxdata.com/ubuntu focal InRelease
>  403  Forbidden [IP: 52.84.95.46 443]
>
> What I'm trying to say is with blacklist as . is blocking all https
> traffic even if whitelisted, is this an expected behaviour or I'm doing
> something wrong or it can't be done with url_regex and I should do it at
> backend manually.
>
> My config:
> #
> # Automatic generated configuration for Squid.
> # Do not edit this file manually.
> #
>
>
> # Setup transparent mode listeners on loopback interfaces
> http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem
> dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
> http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem
> dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
> https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem
> dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
> https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem
> dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>
> # Setup regular listeners configuration
> http_port 172.16.230.252:3128  ssl-bump cert=/var/squid/ssl/ca.pem
> dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
> http_port 172.16.230.254:3128  ssl-bump cert=/var/squid/ssl/ca.pem
> dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>
> # setup ssl re-cert
> sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s
> /var/squid/ssl_crtd -M 10MB
> sslcrtd_children 5
>
> tls_outgoing_options options=NO_TLSv1
> cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> # setup ssl bump acl's
> acl bump_step1 at_step SslBump1
> acl bump_step2 at_step SslBump2
> acl bump_step3 at_step SslBump3
> acl bump_nobumpsites ssl::server_name
> "/usr/local/etc/squid/nobumpsites.acl"
>
> # configure bump
> ssl_bump peek bump_step1 all
> ssl_bump peek bump_step2 bump_nobumpsites
> ssl_bump splice bump_step3 bump_nobumpsites
> ssl_bump stare bump_step2
> ssl_bump bump bump_step3
>
> sslproxy_cert_error deny all
>
> acl ftp proto FTP
> http_access allow ftp
>
>
> # Setup ftp proxy
>
> # Rules allowing access from your local networks.
> # Generated list of (internal) IP networks from where browsing
> # should be allowed. (Allow interface subnets).
> acl localnet src <net>/24 # Possible internal network (interfaces v4)
> # Default allow for local-link and private networks
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
> machines
>
> # ACL - Allow localhost for PURGE cache if enabled
> acl PURGE method PURGE
> http_access allow localhost PURGE
> http_access deny PURGE
>
> # ACL lists
> # ACL - Whitelist - User defined (whiteList)
> acl whiteList url_regex packages\.wazuh\.com
> acl whiteList url_regex archive\.ubuntu\.com
> acl whiteList url_regex security\.ubuntu\.com
> acl whiteList url_regex repos\.influxdata\.com
>
> # ACL - Blacklist - User defined (blackList)
> acl blackList url_regex .*
>
> # ACL - Remote fetched Blacklist (remoteblacklist)
>
> # ACL - Block browser/user-agent - User defined (browser)
>
> # ACL - SSL ports, default are configured in config.xml
> # Configured SSL ports (if defaults are not listed, then they have been
> removed from the configuration!):
> acl SSL_ports port 443 # https
>
> # Default Safe ports are now defined in config.xml
> # Configured Safe ports (if defaults are not listed, then they have been
> removed from the configuration!):
> # ACL - Safe_ports
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # ICAP SETTINGS
> # disable icap
> icap_enable off
>
> # Pre-auth plugins
> include /usr/local/etc/squid/pre-auth/*.conf
>
> # Authentication Settings
>
> # ACL list (Allow) whitelist
> http_access allow whiteList
>
> #
> # ACL list (Deny) blacklist
> http_access deny blackList
>
> # Google Suite Filter
>
> # YouTube Filter
>
> # Deny requests to certain unsafe ports
>
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
>
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
>
> # Auth plugins
> include /usr/local/etc/squid/auth/*.conf
>
> #
> # Access Permission configuration:
> #
> # Deny request from unauthorized clients
>
> #
> # ACL - localnet - default these include ranges from selected interfaces
> (Allow local subnets)
> http_access allow localnet
>
> # ACL - localhost
> http_access allow localhost
>
> # Deny all other access to this proxy
> http_access deny all
> # Post-auth plugins
> include /usr/local/etc/squid/post-auth/*.conf
>
> # Caching settings
> cache_mem 1000 MB
> maximum_object_size 200 MB
> cache_replacement_policy heap LFUDA
> cache_dir ufs /var/squid/cache 100000 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/squid/cache
>
> #
> # Add any of your own refresh_pattern entries above these.
> #
>
> # Linux package cache:
> refresh_pattern pkg\.tar\.xz$   0       20%     4320 refresh-ims
> refresh_pattern d?rpm$          0       20%     4320 refresh-ims
> refresh_pattern deb$            0       20%     4320 refresh-ims
> refresh_pattern udeb$           0       20%     4320 refresh-ims
> refresh_pattern Packages\.bz2$  0       20%     4320 refresh-ims
> refresh_pattern Sources\.bz2$   0       20%     4320 refresh-ims
> refresh_pattern Release\.gpg$   0       20%     4320 refresh-ims
> refresh_pattern Release$        0       20%     4320 refresh-ims
> # http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
> refresh_pattern -i
> microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd)
> <http://microsoft.com/.*%5C.(cab%7Cexe%7Cms%5Bi%7Cu%7Cf%5D%7C%5Bap%5Dsf%7Cwm%5Bv%7Ca%5D%7Cdat%7Czip%7Cesd)>
>     4320 80% 129600 reload-into-ims
> refresh_pattern -i
> windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd)
> <http://windowsupdate.com/.*%5C.(cab%7Cexe%7Cms%5Bi%7Cu%7Cf%5D%7C%5Bap%5Dsf%7Cwm%5Bv%7Ca%5D%7Cdat%7Czip%7Cesd)>
> 4320 80% 129600 reload-into-ims
> refresh_pattern -i
> windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd)
> <http://windows.com/.*%5C.(cab%7Cexe%7Cms%5Bi%7Cu%7Cf%5D%7C%5Bap%5Dsf%7Cwm%5Bv%7Ca%5D%7Cdat%7Czip%7Cesd)>
>       4320 80% 129600 reload-into-ims
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
>
> # Squid Options
> # dns_v4_first reverses the order of preference to make Squid contact
> dual-stack websites over IPv4 first
> dns_v4_first on
> pinger_enable off
> access_log stdio:/var/log/squid/access.log squid
> cache_store_log stdio:/var/log/squid/store.log
> # URI hanlding with Whitespaces (default=strip)
> uri_whitespace strip
> # X-Forwarded header handling (default=on)
> forwarded_for on
> # Disable squid logfile rotate to use system defaults
> logfile_rotate 0
> # Define visible email
> cache_mgr admin at localhost.local
> error_directory /usr/local/etc/squid/errors/local
>
> Thanks
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210415/de47b848/attachment-0001.htm>

More information about the squid-users mailing list