[squid-users] deny squid to bump deny_info

Alex Rousskov rousskov at measurement-factory.com
Wed Dec 8 16:01:31 UTC 2021


On 12/8/21 10:40 AM, André Bolinhas wrote:
> where I need to add the ssl_bump terminate rule? Inside ssl.conf or http_access.conf?
> I have tried in both but it continues to bump the error page.

Unfortunately, I cannot edit your configuration right now, but others on
the mailing list may be able to help you. Please note that we do not
know how those two files are included into your primary configuration
file and whether that primary configuration file contains any relevant
settings itself. The primary configuration file is what Squid parses
first (e.g., it may be specified using "squid -f").


> Also tried ssl_bump terminate all at the top of both files and it always
> bumps the error_page.

I am not sure, but AFAICT, Squid bugs notwithstanding, if "ssl_bump
terminate all" is the very first ssl_bump rule in the entire Squid
configuration, and Squid still bumps traffic, then you may be denying
explicit CONNECT requests _before_ SslBump kicks in.

Alex.


> These are my current files:
> http_access.conf
> #### tcp_outgoing_tos ####
> #### tcp_outgoing_tos 0 Rules ####
> # webfilters_sqacls HaClusterClient=0 2 rules [202] [class.squid.acls.groups.inc]
> # webfilters_sqacls #10 : aclport=0 (  ) [212] [class.squid.acls.groups.inc]
> # [L.268]: rule id: 10 access_allow Port Direction=0 ()
> # [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(10,..)
> http_access allow Group17
> # webfilters_sqacls #5 : aclport=0 (  ) [212] [class.squid.acls.groups.inc]
> # [L.268]: rule id: 5 access_deny Port Direction=0 ()
> # [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(5,..)
> # Template Enabled for this ACL.
> # Final acl is all, Template ID=1
> deny_info TEMPLATE_5 all
> http_access deny all
> #
> #
> # ------------------ HTTP ACCESS --------------------
> # 0 rule(s) from engine (Line 2170)
> 
> 
> # SquidStandardLDAPAuth = 0
> # EnableOpenLDAP = 0
> # SquidRadiusAuth = 0
> # LDAP_AUTH = 0 caused by EnableOpenLDAP
> acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
> http_access allow WindowsUpdates
> 
> # LDAP Auth = 0
> http_access deny HTTP !Safe_ports all
> http_access deny CONNECT !SSL_ports all
> http_access deny MyBlockedIPs
> http_access deny blockedsites
> http_access deny DomainsBlackLists
> http_access deny NetworksBlackLists
> include /etc/squid3/http_access_final.conf
> # END http_access (defaults)
> 
> # Allow all networks to finally pass through proxy.
> http_access allow all
> 
> ssl.conf
> # SSL used for port ID 1, :3128 on
> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
> # SSL Proxy options  Proxy version:5.2 [134]
> sslcrtd_program /lib/squid3/security_file_certgen -s /var/lib/squid/session/ssl/ssl_db -M 32MB
> sslcrtd_children 32 startup=5 idle=1 queue-size=64
> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
> #it means the application knows what certificate to expect when accessing AppStore.
> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a “mimicked” one;
> #the application detects that and refuses to function.
> #
> acl FakeCert ssl::server_name .apple.com
> acl FakeCert ssl::server_name .icloud.com
> acl FakeCert ssl::server_name .mzstatic.com
> acl FakeCert ssl::server_name .dropbox.com
> acl FakeCert ssl::server_name .bnpparisbas
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump peek ssl_step1
> ssl_bump splice GlobalWhitelistDSTNet
> ssl_bump splice GlobalWhitelistDomainsRx
> ssl_bump splice GlobalWhitelistDomains
> ssl_bump splice FakeCert
> 
> # SNI Group google_sni/ssl_sni
> # id:16 Type: ssl_sni
> acl SNIGroup16 ssl::server_name_regex -i accounts\.google\.com
> 
> # 0 Splice rules...
> acl KeepSSL ssl::server_name "/etc/squid3/acls_whitelist.dstdomain.conf"
> ssl_bump splice KeepSSL
> ssl_bump splice GlobalWhitelistDSTNet
> 
> # Rules (spliced) added by admins....
> 
> # 1 BUMP rules...
> #ssl_bump stare all
> ssl_bump bump ssl_step2 SNIGroup16
> ssl_bump splice all
> 
> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
> sslproxy_cert_error allow all
> on_unsupported_protocol tunnel all
> 
> 
> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com> 
> Sent: 8 December 2021 15:13
> To: André Bolinhas <andre.bolinhas at articatech.com>; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] deny squid to bump deny_info
> 
> On 12/7/21 8:39 PM, André Bolinhas wrote:
> 
>> We use Squid v5 with ssl_bump to decrypt only google domains. With a 
>> special configuration we also need to deny important websites. Squid 
>> tries to bump returned error pages
> 
> Yes, when SslBump encounters an error, it tries to bump the client connection to deliver the error response.
> 
> One way to prevent that error handling algorithm from kicking in is to close the offending client connection using an "ssl_bump terminate" rule (instead[1] of blocking client access using "http_access").
> 
> 
>> We have tried using a TCP_RESET deny_info but this does not fix the 
>> bump operation
> 
> I suspect the TCP_RESET feature is checked at error delivery time, after the client connection is bumped to prepare it for error delivery. This suspect behavior should be considered a Squid bug/deficiency IMO -- Squid should not be bumping the TLS connection to deliver a TCP RST or FIN packet.
> 
> HTH,
> 
> Alex.
> [1] It may be a good idea to also/still block client access using http_access rules, as an additional safety layer, but it has to be done carefully so that "ssl_bump terminate" rule matches _before_ any of the corresponding "http_access deny" rules may match.
> 
> 
> 
>> In this piece of log, you can see that squid is forcing bump for 
>> Access Denied website under https:
>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769) clientAccessCheckDone: Access Denied: beacons2.gvt2.com:443
>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(770) clientAccessCheckDone: AclMatchedName = all
>> 2021/12/08 05:05:53.774 kid2| 83,7| LogTags.cc(57) update: TAG_NONE to TCP_DENIED
>> 2021/12/08 05:05:53.774 kid2| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc945c5b40
>> 2021/12/08 05:05:53.774 kid2| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffc945c5b40
>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(1461) sslBumpAccessCheck: SslBump applies. Force bump action on error UNKNOWN
>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562) sslBumpNeed: sslBump required: bump
>> 2021/12/08 05:05:53.774 kid2| 73,3| HttpRequest.cc(683) storeId: sent back effectiveRequestUrl: beacons2.gvt2.com:443
>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(160) rawSpace: reserving 1 for SBuf77493929
>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(866) reAlloc: SBuf77493929 new store capacity: 40
>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(769) storeCreatePureEntry: storeCreateEntry: 'beacons2.gvt2.com:443'
>> 2021/12/08 05:05:53.774 kid2| 20,5| store.cc(349) StoreEntry: StoreEntry constructed, this=0x5561d9347e90
>> 2021/12/08 05:05:53.774 kid2| 20,3| MemObject.cc(100) MemObject: MemObject constructed, this=0x5561d5e66f50
>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x5561d80af128 owner: 3
>> 2021/12/08 05:05:53.774 kid2| 88,3| MemObject.cc(83) setUris: 0x5561d5e66f50 storeId: beacons2.gvt2.com:443
>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(85) assign: assigning SBuf77493930 from SBuf77493860
>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: storeCreateEntry locked key [null_store_key] e:=V/0x5561d9347e90*1
>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(569) setPrivateKey: 01 e:=V/0x5561d9347e90*1
>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(421) hashInsert: StoreEntry::hashInsert: Inserting Entry e:=XIV/0x5561d9347e90*1 key '71570400000000002412000002000000'
>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562) sslBumpNeed: sslBump required: client-first
>> 2021/12/08 05:05:53.774 kid2| 33,4| ServerBump.cc(28) ServerBump: will peek at beacons2.gvt2.com:443
>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: Ssl::ServerBump locked key 71570400000000002412000002000000 e:=XIV/0x5561d9347e90*2
>> 2021/12/08 05:05:53.774 kid2| 4,4| errorpage.cc(720) errorAppendEntry: storing TEMPLATE_5 in e:=XIV/0x5561d9347e90*2
>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x5561d66a8078 owner: 3
>> 2021/12/08 05:05:53.774 kid2| 4,2| errorpage.cc(1389) buildBody: No existing error page language negotiated for TEMPLATE_5. Using default error file.
>>
>> Ssl.conf
>> # SSL used for port ID 1, :3128 on
>> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
>> # SSL Proxy options  Proxy version:5.2 [134]
>> sslcrtd_program /lib/squid3/security_file_certgen
>> sslcrtd_children 32 startup=5 idle=1 queue-size=64
>> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
>> #it means the application knows what certificate to expect when accessing AppStore.
>> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a “mimicked” one;
>> #the application detects that and refuses to function.
>> #
>> acl FakeCert ssl::server_name .apple.com
>> acl FakeCert ssl::server_name .icloud.com
>> acl FakeCert ssl::server_name .mzstatic.com
>> acl FakeCert ssl::server_name .dropbox.com
>> acl FakeCert ssl::server_name .bnpparisbas
>> acl notbump ssl::server_name .redtube.com
>> acl ssl_step1 at_step SslBump1
>> acl ssl_step2 at_step SslBump2
>> acl ssl_step3 at_step SslBump3
>>
>> acl Me dst 127.0.0.1 192.168.58.11
>> acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
>>
>> ssl_bump splice notbump all
>> ssl_bump splice GlobalWhitelistDSTNet
>>
>> ssl_bump splice ssl_step1 Me
>> ssl_bump splice ByPassRBL
>> ssl_bump splice FakeCert
>>
>> # SNI Group sni_domains/ssl_sni
>> # id:7 Type: ssl_sni
>> acl SNIGroup7 ssl::server_name_regex -i account\.google\.com
>> acl SNIGroup7 ssl::server_name_regex -i accounts\.google\.com
>> ssl_bump peek ssl_step1 all
>> # 0 Splice rules...
>> ssl_bump splice ByPassRBL
>> ssl_bump splice GlobalWhitelistDSTNet
>>
>> # Rules (spliced) added by admins....
>>
>> # 1 BUMP rules...
>> ssl_bump bump ssl_step2 SNIGroup7
>> ssl_bump splice all
>>
>> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>>
>> http_access.conf
>> #### tcp_outgoing_tos ####
>> #### tcp_outgoing_tos 0 Rules ####
>> # SquidUrgency = 0 exec.squid.global.access.php[2233]
>> #       HaClusterClient=0 class.squid.acls.groups.inc/buildacls_order
>> #       mysql_for_port='' aclgpid=0 [L.174]
>> #       [3] rules [220]
>>
>>
>> # webfilters_sqacls #2 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>> # [L.292]: rule id: 2 access_allow Port Direction=0 ()
>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(2,..)
>> acl AnnotateRule2 annotate_transaction accessrule=Rule2
>> http_access allow Group2 AnnotateRule2
>> # webfilters_sqacls #4 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>> # [L.292]: rule id: 4 access_allow Port Direction=0 ()
>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(4,..)
>> acl AnnotateRule4 annotate_transaction accessrule=Rule4
>> http_access allow Group8 AnnotateRule4
>> # webfilters_sqacls #3 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>> # [L.292]: rule id: 3 access_deny Port Direction=0 ()
>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(3,..)
>> # Template Enabled for this ACL.
>> # Final acl is all, Template ID=1
>> acl AnnotateRule3 annotate_transaction accessrule=Rule3
>> http_access deny CONNECT AnnotateRule3
>> deny_info TCP_RESET AnnotateRule3
>>
>> acl MyAll dst 0.0.0.0/0
>> http_access deny Myall
>> deny_info 302:http://artica/me Myall
>> #
>> #
>> # ------------------ HTTP ACCESS --------------------
>> # 0 rule(s) from engine (Line 2240)
>>
>>
>> #
>> # SquidStandardLDAPAuth = 0
>> # EnableOpenLDAP = 0
>> # SquidRadiusAuth = 0
>> # LDAP_AUTH = 0 caused by EnableOpenLDAP
>> acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
>> acl AnnotateWindowsUpdates annotate_transaction accessrule=AllowWindowsUpdates
>> http_access allow WindowsUpdates AnnotateWindowsUpdates
>> #
>> # -------------------- AUTH Schemes Squid v5.2-----------------------
>>
>> # ----------------------------------------------------------
>>
>> # LDAP Auth = 0
>> acl AnnotateSafePorts annotate_transaction accessrule=deny_remote_ports
>> http_access deny HTTP !Safe_ports all AnnotateSafePorts
>> http_access deny CONNECT !SSL_ports all AnnotateSafePorts
>> deny_info TCP_RESET all
>>
>> acl AnnotateBLK annotate_transaction accessrule=global_blacklist
>> http_access deny MyBlockedIPs AnnotateBLK
>> http_access deny blockedsites AnnotateBLK
>> http_access deny DomainsBlackLists AnnotateBLK
>> http_access deny NetworksBlackLists AnnotateBLK
>> include /etc/squid3/http_access_final.conf
>> # END http_access (defaults)
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
> 
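A minimal squid.conf fragment, added here as an illustration of the rule ordering Alex describes (it is not the poster's configuration and not a Squid project example): the CONNECT is allowed by http_access so that SslBump runs at all, "ssl_bump terminate" is the first ssl_bump rule in the flattened configuration, and the http_access deny stays as the safety layer from footnote [1]. The /etc/squid/blocked-domains.txt file and the "localnet" ACL are assumptions; SNIGroup16 is the bump ACL from the poster's ssl.conf.

```conf
# Added illustration, not the poster's config. Assumes a hypothetical
# /etc/squid/blocked-domains.txt (one domain per line) and the stock
# "localnet" src ACL from Squid's default configuration.
acl Blocked    ssl::server_name "/etc/squid/blocked-domains.txt"
acl BlockedDst dstdomain        "/etc/squid/blocked-domains.txt"
acl step1      at_step SslBump1
acl step2      at_step SslBump2

# http_access for the CONNECT: it must be allowed here. If it is denied at
# this point Squid never reaches ssl_bump and, as in the posted log, bumps
# the client connection only to deliver the deny_info error page.
http_access deny  CONNECT !SSL_ports
http_access allow CONNECT SSL_ports localnet

# ssl_bump: terminate is the first ssl_bump rule in the whole configuration,
# counting every included file in the order the primary file includes them.
# At SslBump1 ssl::server_name sees the CONNECT host, so a blocked host is
# closed before any peek, bump or splice decision.
ssl_bump terminate Blocked
ssl_bump peek step1
ssl_bump bump step2 SNIGroup16
ssl_bump splice all

# Safety layer: reached for plain-HTTP requests and for requests that were
# already bumped (they pass through http_access again), never for a CONNECT
# that the terminate rule has already closed.
http_access deny BlockedDst
deny_info TCP_RESET BlockedDst
http_access allow localnet
http_access deny all
```

Check the effective order with "squid -k parse" (or "squid -f <primary-file> -k parse" when the primary file is not the default one) so that no earlier "http_access deny" in an included file matches the CONNECT first.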


