[squid-users] deny squid to bump deny_info

André Bolinhas andre.bolinhas at articatech.com
Wed Dec 8 01:39:43 UTC 2021 

Hi
We use Squid v5 with ssl_bump to decrypt only google domains.
With a special configuration we also need to deny important websites. 
So far so good, but for performance reasons we don't want Squid to return
the error pages.
Since we have a lot of denied sites, it seems that Squid tries to bump
returned error pages, which increases the resource consumption of the
external plugin security_file_cert_gen considerably.
We have tried using a TCP_RESET deny_info but this does not fix the bump
operation

In this peace of log, you can see that squid is forcing bump for Access
Denied website under https:
2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769)
clientAccessCheckDone: Access Denied: beacons2.gvt2.com:443
2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(770)
clientAccessCheckDone: AclMatchedName = all
2021/12/08 05:05:53.774 kid2| 83,7| LogTags.cc(57) update: TAG_NONE to
TCP_DENIED
2021/12/08 05:05:53.774 kid2| 28,4| FilledChecklist.cc(67)
~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc945c5b40
2021/12/08 05:05:53.774 kid2| 28,4| Checklist.cc(197) ~ACLChecklist:
ACLChecklist::~ACLChecklist: destroyed 0x7ffc945c5b40
2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(1461)
sslBumpAccessCheck: SslBump applies. Force bump action on error UNKNOWN
2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562)
sslBumpNeed: sslBump required: bump
2021/12/08 05:05:53.774 kid2| 73,3| HttpRequest.cc(683) storeId: sent back
effectiveRequestUrl: beacons2.gvt2.com:443
2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(160) rawSpace: reserving 1 for
SBuf77493929
2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(866) reAlloc: SBuf77493929 new
store capacity: 40
2021/12/08 05:05:53.774 kid2| 20,3| store.cc(769) storeCreatePureEntry:
storeCreateEntry: 'beacons2.gvt2.com:443'
2021/12/08 05:05:53.774 kid2| 20,5| store.cc(349) StoreEntry: StoreEntry
constructed, this=0x5561d9347e90
2021/12/08 05:05:53.774 kid2| 20,3| MemObject.cc(100) MemObject: MemObject
constructed, this=0x5561d5e66f50
2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing
hdr: 0x5561d80af128 owner: 3
2021/12/08 05:05:53.774 kid2| 88,3| MemObject.cc(83) setUris: 0x5561d5e66f50
storeId: beacons2.gvt2.com:443
2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(85) assign: assigning
SBuf77493930 from SBuf77493860
2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: storeCreateEntry
locked key [null_store_key] e:=V/0x5561d9347e90*1
2021/12/08 05:05:53.774 kid2| 20,3| store.cc(569) setPrivateKey: 01
e:=V/0x5561d9347e90*1
2021/12/08 05:05:53.774 kid2| 20,3| store.cc(421) hashInsert:
StoreEntry::hashInsert: Inserting Entry e:=XIV/0x5561d9347e90*1 key
'71570400000000002412000002000000'
2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562)
sslBumpNeed: sslBump required: client-first
2021/12/08 05:05:53.774 kid2| 33,4| ServerBump.cc(28) ServerBump: will peek
at beacons2.gvt2.com:443
2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: Ssl::ServerBump
locked key 71570400000000002412000002000000 e:=XIV/0x5561d9347e90*2
2021/12/08 05:05:53.774 kid2| 4,4| errorpage.cc(720) errorAppendEntry:
storing TEMPLATE_5 in e:=XIV/0x5561d9347e90*2
2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing
hdr: 0x5561d66a8078 owner: 3
2021/12/08 05:05:53.774 kid2| 4,2| errorpage.cc(1389) buildBody: No existing
error page language negotiated for TEMPLATE_5. Using default error file.

Ssl.conf
# SSL used for port ID 1, :3128 on
# Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0 # SSL Proxy options  Proxy
version:5.2 [134] sslcrtd_program /lib/squid3/security_file_certgen
sslcrtd_children 32 startup=5 idle=1 queue-size=64 #The AppStore application
in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning, #it means the
application knows what certificate to expect when accessing AppStore.
#When you enable SSL Bump of HTTPS connections Squid replaces the default
certificate with a  ^`^xmimicked ^`^y one;

#the application detects that and refuses to function.
#
acl FakeCert ssl::server_name .apple.com acl FakeCert ssl::server_name
.icloud.com acl FakeCert ssl::server_name .mzstatic.com acl FakeCert
ssl::server_name .dropbox.com acl FakeCert ssl::server_name .bnpparisbas acl
notbump ssl::server_name .redtube.com acl ssl_step1 at_step SslBump1 acl
ssl_step2 at_step SslBump2 acl ssl_step3 at_step SslBump3

acl Me dst 127.0.0.1 192.168.58.11
acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"

ssl_bump splice notbump all
ssl_bump splice GlobalWhitelistDSTNet

ssl_bump splice ssl_step1 Me
ssl_bump splice ByPassRBL
ssl_bump splice FakeCert

# SNI Group sni_domains/ssl_sni
# id:7 Type: ssl_sni
acl SNIGroup7 ssl::server_name_regex -i account\.google\.com acl SNIGroup7
ssl::server_name_regex -i accounts\.google\.com ssl_bump peek ssl_step1 all
# 0 Splice rules...
ssl_bump splice ByPassRBL
ssl_bump splice GlobalWhitelistDSTNet

# Rules (spliced) added by admins....

# 1 BUMP rules...
ssl_bump bump ssl_step2 SNIGroup7
ssl_bump splice all

tls_outgoing_options options=NO_SSLv3,NO_TICKET
cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED
:!aNULL:!eNULL flags=DONT_VERIFY_PEER sslproxy_cert_error allow all

http_access.conf
#### tcp_outgoing_tos ####
#### tcp_outgoing_tos 0 Rules ####
# SquidUrgency = 0 exec.squid.global.access.php[2233]
#       HaClusterClient=0 class.squid.acls.groups.inc/buildacls_order
#       mysql_for_port='' aclgpid=0 [L.174]
#       [3] rules [220]


# webfilters_sqacls #2 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
# [L.292]: rule id: 2 access_allow Port Direction=0 () # [L.320]:
class.squid.acls.groups.inc buildacls_bytype_items(2,..) acl AnnotateRule2
annotate_transaction accessrule=Rule2 http_access allow Group2 AnnotateRule2
# webfilters_sqacls #4 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
# [L.292]: rule id: 4 access_allow Port Direction=0 () # [L.320]:
class.squid.acls.groups.inc buildacls_bytype_items(4,..) acl AnnotateRule4
annotate_transaction accessrule=Rule4 http_access allow Group8 AnnotateRule4
# webfilters_sqacls #3 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
# [L.292]: rule id: 3 access_deny Port Direction=0 () # [L.320]:
class.squid.acls.groups.inc buildacls_bytype_items(3,..) # Template Enabled
for this ACL.
# Final acl is all, Template ID=1
acl AnnotateRule3 annotate_transaction accessrule=Rule3 http_access deny
CONNECT  AnnotateRule3 deny_info TCP_RESET AnnotateRule3

acl MyAll dst 0.0.0.0/0
http_access deny Myall
deny_info 302:http://artica/me Myall
#
#
# ------------------ HTTP ACCESS -------------------- # 0 rule(s) from
engine (Line 2240)


#
# SquidStandardLDAPAuth = 0
# EnableOpenLDAP = 0
# SquidRadiusAuth = 0
# LDAP_AUTH = 0 caused by EnableOpenLDAP acl MyBlockedIPs src
"/etc/squid3/acls/DenyIPSrc"
acl AnnotateWindowsUpdates annotate_transaction
accessrule=AllowWindowsUpdates http_access allow WindowsUpdates
AnnotateWindowsUpdates # # -------------------- AUTH Schemes Squid
v5.2-----------------------

# ----------------------------------------------------------

# LDAP Auth = 0
acl AnnotateSafePorts annotate_transaction accessrule=deny_remote_ports
http_access deny HTTP !Safe_ports all  AnnotateSafePorts http_access deny
CONNECT !SSL_ports all  AnnotateSafePorts deny_info TCP_RESET all

acl AnnotateBLK annotate_transaction accessrule=global_blacklist http_access
deny MyBlockedIPs AnnotateBLK http_access deny blockedsites AnnotateBLK
http_access deny DomainsBlackLists AnnotateBLK http_access deny
NetworksBlackLists AnnotateBLK include /etc/squid3/http_access_final.conf
# END http_access (defaults)

More information about the squid-users mailing list