[squid-users] allow update domain and block everything else

Miroslaw Malinowski mr.miroslaw.malinowski at gmail.com
Wed Apr 21 18:15:15 UTC 2021


Sorry, I hadn't seen the reply, as it was attached as an attachment, and I
posted a similar question about 302. But I probably know the answer already:
as it's not stateful inspection, any redirection to a new domain is a new
request that has to go through the ACLs again. I thought about using
http_reply_access, but again that creates a whole new ACL that every reply
would have to go through, not just that one. Is there a way to use http_access
and http_reply_access together, like "http_access allow whitelist" and
"http_reply_access allow whitelist"?
Mirek

> There is a built-in ACL called "all" which does what you defined the
> regex "blacklist" to do.
> As for sessions. No, Squid follows HTTP, which is stateless. You can
> configure it though: set up an ext_session_acl helper for active-mode
> sessions that start when a 302 response comes back. You should have some
> other ACL to separately whitelist the sites normally blocked, but which can open
> with a session.
> Amos

On Thu, Apr 15, 2021 at 9:52 PM Miroslaw Malinowski <
mr.miroslaw.malinowski at gmail.com> wrote:

> I've found a resolution using a bit better regex:
>
> acl blackList url_regex ^https?:\/\/.*$
>
> Looking at the debug, it's doing exactly what I wanted; however, I now have a
> different issue: how to handle a 302 MOVED when the move is to a different
> domain, e.g. packages.gitlab.com is moved to
> d20rj4el6vkp4c.cloudfront.net. Is Squid stateful in a way that it's able
> to remember those packets are coming from the same session? What would be
> the best way to resolve the issue other than just keep adding domains if a
> thing like this happens?
>
>
> Thanks
>
>
> On Thu, Apr 15, 2021 at 1:03 PM Miroslaw Malinowski <
> mr.miroslaw.malinowski at gmail.com> wrote:
>
>> Hi,
>>
>> I'm trying to use the OPNsense built-in Squid config to set up a transparent
>> proxy for server updates and block everything else.
>> In the GUI they use url_regex for whitelist and blacklist; when I use a simple
>> per-domain whitelist and blacklist it's working as expected, e.g.
>> # ACL - Whitelist - User defined (whiteList)
>> acl whiteList url_regex archive\.ubuntu\.com
>> # ACL - Blacklist - User defined (blackList)
>> acl blackList url_regex packages\.gitlab\.com
>> # ACL list (Allow) whitelist
>> http_access allow whiteList
>> # ACL list (Deny) blacklist
>> http_access deny blackList
>>
>> However, when I use a wildcard in the blacklist I also get all https domains
>> blocked, even when I've tried to explicitly allow them with https://archive\.ubuntu\.com,
>> e.g.
>> # ACL - Whitelist - User defined (whiteList)
>> acl whiteList url_regex archive\.ubuntu\.com
>> # ACL - Blacklist - User defined (blackList)
>> acl blackList url_regex .*
>> # ACL list (Allow) whitelist
>> http_access allow whiteList
>> # ACL list (Deny) blacklist
>> http_access deny blackList
>>
>> I get:
>> Err:7 https://repos.influxdata.com/ubuntu focal InRelease
>>  403  Forbidden [IP: 52.84.95.46 443]
>>
>> What I'm trying to say is that with the blacklist as .* it is blocking all https
>> traffic even if whitelisted. Is this expected behaviour, or am I doing
>> something wrong, or can't it be done with url_regex and I should do it at
>> the backend manually?
>>
>> My config:
>> #
>> # Automatic generated configuration for Squid.
>> # Do not edit this file manually.
>> #
>>
>>
>> # Setup transparent mode listeners on loopback interfaces
>> http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>> http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>> https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>> https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>>
>> # Setup regular listeners configuration
>> http_port 172.16.230.252:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>> http_port 172.16.230.254:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
>>
>> # setup ssl re-cert
>> sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 10MB
>> sslcrtd_children 5
>>
>> tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>>
>> # setup ssl bump acl's
>> acl bump_step1 at_step SslBump1
>> acl bump_step2 at_step SslBump2
>> acl bump_step3 at_step SslBump3
>> acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
>>
>> # configure bump
>> ssl_bump peek bump_step1 all
>> ssl_bump peek bump_step2 bump_nobumpsites
>> ssl_bump splice bump_step3 bump_nobumpsites
>> ssl_bump stare bump_step2
>> ssl_bump bump bump_step3
>>
>> sslproxy_cert_error deny all
>>
>> acl ftp proto FTP
>> http_access allow ftp
>>
>>
>> # Setup ftp proxy
>>
>> # Rules allowing access from your local networks.
>> # Generated list of (internal) IP networks from where browsing
>> # should be allowed. (Allow interface subnets).
>> acl localnet src <net>/24 # Possible internal network (interfaces v4)
>> # Default allow for local-link and private networks
>> acl localnet src fc00::/7       # RFC 4193 local private network range
>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>>
>> # ACL - Allow localhost for PURGE cache if enabled
>> acl PURGE method PURGE
>> http_access allow localhost PURGE
>> http_access deny PURGE
>>
>> # ACL lists
>> # ACL - Whitelist - User defined (whiteList)
>> acl whiteList url_regex packages\.wazuh\.com
>> acl whiteList url_regex archive\.ubuntu\.com
>> acl whiteList url_regex security\.ubuntu\.com
>> acl whiteList url_regex repos\.influxdata\.com
>>
>> # ACL - Blacklist - User defined (blackList)
>> acl blackList url_regex .*
>>
>> # ACL - Remote fetched Blacklist (remoteblacklist)
>>
>> # ACL - Block browser/user-agent - User defined (browser)
>>
>> # ACL - SSL ports, default are configured in config.xml
>> # Configured SSL ports (if defaults are not listed, then they have been removed from the configuration!):
>> acl SSL_ports port 443 # https
>>
>> # Default Safe ports are now defined in config.xml
>> # Configured Safe ports (if defaults are not listed, then they have been removed from the configuration!):
>> # ACL - Safe_ports
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> # ICAP SETTINGS
>> # disable icap
>> icap_enable off
>>
>> # Pre-auth plugins
>> include /usr/local/etc/squid/pre-auth/*.conf
>>
>> # Authentication Settings
>>
>> # ACL list (Allow) whitelist
>> http_access allow whiteList
>>
>> #
>> # ACL list (Deny) blacklist
>> http_access deny blackList
>>
>> # Google Suite Filter
>>
>> # YouTube Filter
>>
>> # Deny requests to certain unsafe ports
>>
>> http_access deny !Safe_ports
>> # Deny CONNECT to other than secure SSL ports
>>
>> http_access deny CONNECT !SSL_ports
>>
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>>
>> # We strongly recommend the following be uncommented to protect innocent
>> # web applications running on the proxy server who think the only
>> # one who can access services on "localhost" is a local user
>> http_access deny to_localhost
>>
>> # Auth plugins
>> include /usr/local/etc/squid/auth/*.conf
>>
>> #
>> # Access Permission configuration:
>> #
>> # Deny request from unauthorized clients
>>
>> #
>> # ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
>> http_access allow localnet
>>
>> # ACL - localhost
>> http_access allow localhost
>>
>> # Deny all other access to this proxy
>> http_access deny all
>> # Post-auth plugins
>> include /usr/local/etc/squid/post-auth/*.conf
>>
>> # Caching settings
>> cache_mem 1000 MB
>> maximum_object_size 200 MB
>> cache_replacement_policy heap LFUDA
>> cache_dir ufs /var/squid/cache 100000 16 256
>>
>> # Leave coredumps in the first cache dir
>> coredump_dir /var/squid/cache
>>
>> #
>> # Add any of your own refresh_pattern entries above these.
>> #
>>
>> # Linux package cache:
>> refresh_pattern pkg\.tar\.xz$   0       20%     4320 refresh-ims
>> refresh_pattern d?rpm$          0       20%     4320 refresh-ims
>> refresh_pattern deb$            0       20%     4320 refresh-ims
>> refresh_pattern udeb$           0       20%     4320 refresh-ims
>> refresh_pattern Packages\.bz2$  0       20%     4320 refresh-ims
>> refresh_pattern Sources\.bz2$   0       20%     4320 refresh-ims
>> refresh_pattern Release\.gpg$   0       20%     4320 refresh-ims
>> refresh_pattern Release$        0       20%     4320 refresh-ims
>> # http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
>> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
>> refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip|esd) 4320 80% 129600 reload-into-ims
>>
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern .               0       20%     4320
>>
>> # Squid Options
>> # dns_v4_first reverses the order of preference to make Squid contact dual-stack websites over IPv4 first
>> dns_v4_first on
>> pinger_enable off
>> access_log stdio:/var/log/squid/access.log squid
>> cache_store_log stdio:/var/log/squid/store.log
>> # URI handling with whitespace (default=strip)
>> uri_whitespace strip
>> # X-Forwarded header handling (default=on)
>> forwarded_for on
>> # Disable squid logfile rotate to use system defaults
>> logfile_rotate 0
>> # Define visible email
>> cache_mgr admin at localhost.local
>> error_directory /usr/local/etc/squid/errors/local
>>
>> Thanks
>>
>>
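Both questions in the thread, the 403 on a whitelisted HTTPS host and the 302 that lands on a CloudFront host, come down to the same fact: on an intercepted TLS connection the only thing Squid knows at SslBump1 is the destination IP:port, so the fake CONNECT it evaluates http_access against looks like `52.84.95.46:443` and carries no hostname. `url_regex repos\.influxdata\.com` cannot match that, `url_regex .*` does, and the deny fires before the peek can reveal the SNI. The per-domain blacklists only appeared to work because that step-1 CONNECT matched neither list and fell through to `http_access allow localnet`; the later `^https?:\/\/.*$` regex works for the same reason, since the fake CONNECT URL has no scheme. The fragment below is an added example, not the thread's config, not what OPNsense generates and not Amos's suggestion: it is the allow-list shape that lets step 1 proceed to the peek, decides on the SNI once it is known, and decides on the request host once the session is bumped. It keeps the explicit-list approach for the redirect target and does not implement the ext_session_acl helper Amos mentions. Assumed, not on the page: the file path `/usr/local/etc/squid/allowed_sites.acl`, its contents, and the ACL names `allowed_sites`, `allowed_sni` and `step1`..`step3`.

```squid
# Added example, not from the thread or from the OPNsense-generated config.
# Assumed: the path /usr/local/etc/squid/allowed_sites.acl, its contents
# (shown in the comment below) and the ACL names used here.

acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# One name list serves two ACLs: the TLS server name (SNI) seen after the
# peek, and the Host of the decrypted requests seen after the bump. Both
# ACL types do suffix matching for entries that start with a dot, so
# ".ubuntu.com" covers archive.ubuntu.com and security.ubuntu.com.
#
# Assumed contents of /usr/local/etc/squid/allowed_sites.acl:
#   .ubuntu.com
#   packages.wazuh.com
#   repos.influxdata.com
#   packages.gitlab.com
#   d20rj4el6vkp4c.cloudfront.net
#
# The CloudFront host is listed on its own: Squid is stateless, so the
# request that follows the 302 from packages.gitlab.com is a brand-new
# request evaluated against these rules alone. http_reply_access can only
# accept or reject the 302 response itself; it cannot pre-approve the next
# request.
acl allowed_sites dstdomain "/usr/local/etc/squid/allowed_sites.acl"
acl allowed_sni   ssl::server_name "/usr/local/etc/squid/allowed_sites.acl"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Port sanity checks first, as in the generated config.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Intercepted TLS, step 1: the fake CONNECT is "ip:port" with no hostname,
# so a hostname allow list cannot match yet and a ".*" catch-all denies.
# Let the ClientHello be peeked instead; http_access is re-evaluated with
# the SNI filled in at the next step.
http_access allow CONNECT step1
# Step 2 onwards: the fake CONNECT now carries the SNI.
http_access allow CONNECT allowed_sni
# Plain HTTP, and the decrypted requests inside an allowed TLS session.
http_access allow allowed_sites
# Default deny with the built-in "all" ACL instead of "url_regex .*".
http_access deny all

# Same bumping sequence as the thread's config: peek for the SNI, stare to
# fetch the real server certificate, then bump and mimic it.
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump step3
sslproxy_cert_error deny all
```

Two checks after loading this: `squid -k parse` to validate the file, and access.log, where the step-1 failure described above shows up as a `TCP_DENIED/403` line whose URL is the bare `52.84.95.46:443`-style CONNECT rather than a hostname. The SNI decision is only trustworthy because step 3 bumps and `sslproxy_cert_error deny all` keeps server certificate validation: a client that sends a listed SNI on a connection to an unlisted IP fails the certificate check. Names that are spliced instead of bumped (as the thread's nobumpsites list does) get no such verification, so nothing ties the client-supplied SNI to the real server.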