[squid-users] deny squid to bump deny_info

Alex Rousskov rousskov at measurement-factory.com
Wed Dec 8 15:13:15 UTC 2021


On 12/7/21 8:39 PM, André Bolinhas wrote:

> We use Squid v5 with ssl_bump to decrypt only google domains. With a
> special configuration we also need to deny important websites. Squid
> tries to bump returned error pages

Yes, when SslBump encounters an error, it tries to bump the client
connection to deliver the error response.

One way to prevent that error handling algorithm from kicking in is to
close the offending client connection using an "ssl_bump terminate" rule
(instead[1] of blocking client access using "http_access").


> We have tried using a TCP_RESET deny_info but this does not fix the bump
> operation

I suspect the TCP_RESET feature is checked at error delivery time, after
the client connection is bumped to prepare it for error delivery. This
suspect behavior should be considered a Squid bug/deficiency IMO --
Squid should not be bumping the TLS connection to deliver a TCP RST or
FIN packet.

HTH,

Alex.
[1] It may be a good idea to also/still block client access using
http_access rules, as an additional safety layer, but it has to be done
carefully so that "ssl_bump terminate" rule matches _before_ any of the
corresponding "http_access deny" rules may match.



> In this piece of log, you can see that squid is forcing bump for Access
> Denied website under https:
> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769) clientAccessCheckDone: Access Denied: beacons2.gvt2.com:443
> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(770) clientAccessCheckDone: AclMatchedName = all
> 2021/12/08 05:05:53.774 kid2| 83,7| LogTags.cc(57) update: TAG_NONE to TCP_DENIED
> 2021/12/08 05:05:53.774 kid2| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc945c5b40
> 2021/12/08 05:05:53.774 kid2| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffc945c5b40
> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(1461) sslBumpAccessCheck: SslBump applies. Force bump action on error UNKNOWN
> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562) sslBumpNeed: sslBump required: bump
> 2021/12/08 05:05:53.774 kid2| 73,3| HttpRequest.cc(683) storeId: sent back effectiveRequestUrl: beacons2.gvt2.com:443
> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(160) rawSpace: reserving 1 for SBuf77493929
> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(866) reAlloc: SBuf77493929 new store capacity: 40
> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(769) storeCreatePureEntry: storeCreateEntry: 'beacons2.gvt2.com:443'
> 2021/12/08 05:05:53.774 kid2| 20,5| store.cc(349) StoreEntry: StoreEntry constructed, this=0x5561d9347e90
> 2021/12/08 05:05:53.774 kid2| 20,3| MemObject.cc(100) MemObject: MemObject constructed, this=0x5561d5e66f50
> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x5561d80af128 owner: 3
> 2021/12/08 05:05:53.774 kid2| 88,3| MemObject.cc(83) setUris: 0x5561d5e66f50 storeId: beacons2.gvt2.com:443
> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(85) assign: assigning SBuf77493930 from SBuf77493860
> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: storeCreateEntry locked key [null_store_key] e:=V/0x5561d9347e90*1
> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(569) setPrivateKey: 01 e:=V/0x5561d9347e90*1
> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(421) hashInsert: StoreEntry::hashInsert: Inserting Entry e:=XIV/0x5561d9347e90*1 key '71570400000000002412000002000000'
> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562) sslBumpNeed: sslBump required: client-first
> 2021/12/08 05:05:53.774 kid2| 33,4| ServerBump.cc(28) ServerBump: will peek at beacons2.gvt2.com:443
> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: Ssl::ServerBump locked key 71570400000000002412000002000000 e:=XIV/0x5561d9347e90*2
> 2021/12/08 05:05:53.774 kid2| 4,4| errorpage.cc(720) errorAppendEntry: storing TEMPLATE_5 in e:=XIV/0x5561d9347e90*2
> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x5561d66a8078 owner: 3
> 2021/12/08 05:05:53.774 kid2| 4,2| errorpage.cc(1389) buildBody: No existing error page language negotiated for TEMPLATE_5. Using default error file.
> 
> Ssl.conf
> # SSL used for port ID 1, :3128 on
> # Patch 2020 - 08 - 03
> # SquidMikrotikEnabled = 0
> # SSL Proxy options  Proxy version:5.2 [134]
> sslcrtd_program /lib/squid3/security_file_certgen
> sslcrtd_children 32 startup=5 idle=1 queue-size=64
> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
> #it means the application knows what certificate to expect when accessing AppStore.
> #When you enable SSL Bump of HTTPS connections Squid replaces the default
> #certificate with a "mimicked" one;
> #the application detects that and refuses to function.
> #
> acl FakeCert ssl::server_name .apple.com
> acl FakeCert ssl::server_name .icloud.com
> acl FakeCert ssl::server_name .mzstatic.com
> acl FakeCert ssl::server_name .dropbox.com
> acl FakeCert ssl::server_name .bnpparisbas
> acl notbump ssl::server_name .redtube.com
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> 
> acl Me dst 127.0.0.1 192.168.58.11
> acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
> 
> ssl_bump splice notbump all
> ssl_bump splice GlobalWhitelistDSTNet
> 
> ssl_bump splice ssl_step1 Me
> ssl_bump splice ByPassRBL
> ssl_bump splice FakeCert
> 
> # SNI Group sni_domains/ssl_sni
> # id:7 Type: ssl_sni
> acl SNIGroup7 ssl::server_name_regex -i account\.google\.com
> acl SNIGroup7 ssl::server_name_regex -i accounts\.google\.com
> ssl_bump peek ssl_step1 all
> # 0 Splice rules...
> ssl_bump splice ByPassRBL
> ssl_bump splice GlobalWhitelistDSTNet
> 
> # Rules (spliced) added by admins....
> 
> # 1 BUMP rules...
> ssl_bump bump ssl_step2 SNIGroup7
> ssl_bump splice all
> 
> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
> sslproxy_cert_error allow all
> 
> http_access.conf
> #### tcp_outgoing_tos ####
> #### tcp_outgoing_tos 0 Rules ####
> # SquidUrgency = 0 exec.squid.global.access.php[2233]
> #       HaClusterClient=0 class.squid.acls.groups.inc/buildacls_order
> #       mysql_for_port='' aclgpid=0 [L.174]
> #       [3] rules [220]
> 
> 
> # webfilters_sqacls #2 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
> # [L.292]: rule id: 2 access_allow Port Direction=0 ()
> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(2,..)
> acl AnnotateRule2 annotate_transaction accessrule=Rule2
> http_access allow Group2 AnnotateRule2
> # webfilters_sqacls #4 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
> # [L.292]: rule id: 4 access_allow Port Direction=0 ()
> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(4,..)
> acl AnnotateRule4 annotate_transaction accessrule=Rule4
> http_access allow Group8 AnnotateRule4
> # webfilters_sqacls #3 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
> # [L.292]: rule id: 3 access_deny Port Direction=0 ()
> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(3,..)
> # Template Enabled for this ACL.
> # Final acl is all, Template ID=1
> acl AnnotateRule3 annotate_transaction accessrule=Rule3
> http_access deny CONNECT  AnnotateRule3
> deny_info TCP_RESET AnnotateRule3
> 
> acl MyAll dst 0.0.0.0/0
> http_access deny Myall
> deny_info 302:http://artica/me Myall
> #
> #
> # ------------------ HTTP ACCESS --------------------
> # 0 rule(s) from engine (Line 2240)
> 
> 
> #
> # SquidStandardLDAPAuth = 0
> # EnableOpenLDAP = 0
> # SquidRadiusAuth = 0
> # LDAP_AUTH = 0 caused by EnableOpenLDAP
> acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
> acl AnnotateWindowsUpdates annotate_transaction accessrule=AllowWindowsUpdates
> http_access allow WindowsUpdates AnnotateWindowsUpdates
> #
> # -------------------- AUTH Schemes Squid v5.2-----------------------
> 
> # ----------------------------------------------------------
> 
> # LDAP Auth = 0
> acl AnnotateSafePorts annotate_transaction accessrule=deny_remote_ports
> http_access deny HTTP !Safe_ports all  AnnotateSafePorts
> http_access deny CONNECT !SSL_ports all  AnnotateSafePorts
> deny_info TCP_RESET all
> 
> acl AnnotateBLK annotate_transaction accessrule=global_blacklist
> http_access deny MyBlockedIPs AnnotateBLK
> http_access deny blockedsites AnnotateBLK
> http_access deny DomainsBlackLists AnnotateBLK
> http_access deny NetworksBlackLists AnnotateBLK
> include /etc/squid3/http_access_final.conf
> # END http_access (defaults)
> 
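One way to lay out the rules Alex describes above (an "ssl_bump terminate" rule that wins before any http_access deny can trigger error delivery, with http_access kept as a second layer), as an added squid.conf example that is not from this thread or from Squid's own documentation. It assumes an explicit proxy where clients send CONNECT (as on the poster's port 3128), a hypothetical blocklist file /etc/squid/denied_sites.txt with one domain per line, the standard "localnet" ACL, and the poster's SNIGroup7 ACL.

```conf
# Added example, not from the thread. Assumes an explicit (CONNECT) proxy and a
# hypothetical blocklist file /etc/squid/denied_sites.txt, one domain per line
# (for example ".example.net").
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl SNIGroup7 ssl::server_name_regex -i accounts\.google\.com

# Same list twice: ssl::server_name is what ssl_bump rules can test (the
# CONNECT host at step 1, the SNI after peeking at step 2); dstdomain is what
# http_access rules test.
acl DeniedSNI ssl::server_name "/etc/squid/denied_sites.txt"
acl DeniedDst dstdomain "/etc/squid/denied_sites.txt"

# http_access is checked on the CONNECT before ssl_bump is consulted. Denying
# the CONNECT here produces an error page, and Squid bumps the client
# connection to deliver it (the "Force bump action on error" seen in the log).
# So the deny is limited to non-CONNECT requests: plain HTTP, and any request
# that shows up inside a connection that got bumped anyway. The CONNECT itself
# is left for the ssl_bump terminate rule below.
http_access deny DeniedDst !CONNECT
http_access allow localnet
http_access deny all

# ssl_bump rules are evaluated in order at every step. The terminate rule is
# listed before every peek/bump/splice rule so it wins at step 1 (CONNECT host)
# or at step 2 (SNI): the client connection is closed with no TLS handshake,
# no error page and nothing to bump.
ssl_bump terminate DeniedSNI
ssl_bump peek ssl_step1 all
ssl_bump bump ssl_step2 SNIGroup7
ssl_bump splice all
```

With this ordering a denied HTTPS site shows up in access.log as a terminated connection rather than as a TCP_DENIED entry followed by a bump, which is the quickest check that the terminate rule, not http_access, handled it.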