[squid-users] deny squid to bump deny_info

André Bolinhas andre.bolinhas at articatech.com
Fri Dec 10 16:01:37 UTC 2021


Hi
I put this code at the beginning of squid.conf, just after listen_ports:

http_port 0.0.0.0:3128  name=MyPortNameID1 ssl-bump  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/861be42112afac3b82f6b992bcc464aa.dyn sslflags=VERIFY_CRL_ALL options=NO_SSLv3,No_Compression tls-dh=/etc/squid3/ssl/dhparam.pem

acl denybump dstdomain .xvideos.com
acl CONNECT1 method CONNECT
http_access deny CONNECT1 denybump
ssl_bump terminate denybump
http_access deny denybump

but it still doesn't work; Squid continues to bump the error page.

If I change the code to terminate all:
acl denybump dstdomain .xvideos.com
acl CONNECT1 method CONNECT
http_access deny CONNECT1 denybump
ssl_bump terminate all
http_access deny denybump

Squid is able to terminate all connections except xvideos; because xvideos is denied, Squid continues to bump it to show the error page.

You can see the result images here:
gmail bump terminated - https://ibb.co/3MsMt0C
Xvideos bump not terminated - https://ibb.co/b24hL44


-----Original message-----
From: Alex Rousskov <rousskov at measurement-factory.com>
Sent: 8 December 2021 16:02
To: André Bolinhas <andre.bolinhas at articatech.com>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] deny squid to bump deny_info

On 12/8/21 10:40 AM, André Bolinhas wrote:
> where I need to add the ssl_bump terminate rule? Inside ssl.conf or 
> http_access.conf?
> I have tried it in both, but it continues to bump the error page.

Unfortunately, I cannot edit your configuration right now, but others on the 
mailing list may be able to help you. Please note that we do not know how 
those two files are included into your primary configuration file and 
whether that primary configuration file contains any relevant settings 
itself. The primary configuration file is what Squid parses first (e.g., it 
may be specified using "squid -f").


> Also tried ssl_bump terminate all at the top of both files and it always
> bumps the error_page.

I am not sure, but AFAICT, Squid bugs notwithstanding, if "ssl_bump 
terminate all" is the very first ssl_bump rule in the entire Squid 
configuration, and Squid still bumps traffic, then you may be denying 
explicit CONNECT requests _before_ SslBump kicks in.

Alex.


> This is my current files:
> http_access.conf
> #### tcp_outgoing_tos ####
> #### tcp_outgoing_tos 0 Rules ####
> # webfilters_sqacls HaClusterClient=0 2 rules [202] [class.squid.acls.groups.inc]
> # webfilters_sqacls #10 : aclport=0 (  ) [212] [class.squid.acls.groups.inc]
> # [L.268]: rule id: 10 access_allow Port Direction=0 ()
> # [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(10,..)
> http_access allow Group17
> # webfilters_sqacls #5 : aclport=0 (  ) [212] [class.squid.acls.groups.inc]
> # [L.268]: rule id: 5 access_deny Port Direction=0 ()
> # [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(5,..)
> # Template Enabled for this ACL.
> # Final acl is all, Template ID=1
> deny_info TEMPLATE_5 all
> http_access deny all
> #
> #
> # ------------------ HTTP ACCESS -------------------- # 0 rule(s) from
> engine (Line 2170)
>
>
> # SquidStandardLDAPAuth = 0
> # EnableOpenLDAP = 0
> # SquidRadiusAuth = 0
> # LDAP_AUTH = 0 caused by EnableOpenLDAP
> acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
> http_access allow WindowsUpdates
>
> # LDAP Auth = 0
> http_access deny HTTP !Safe_ports all
> http_access deny CONNECT !SSL_ports all
> http_access deny MyBlockedIPs
> http_access deny blockedsites
> http_access deny DomainsBlackLists
> http_access deny NetworksBlackLists
> include /etc/squid3/http_access_final.conf
> # END http_access (defaults)
>
> # Allow all networks to finally pass trough proxy.
> http_access allow all
>
> ssl.conf
> # SSL used for port ID 1, :3128 on
> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
> # SSL Proxy options Proxy version:5.2 [134]
> sslcrtd_program /lib/squid3/security_file_certgen -s /var/lib/squid/session/ssl/ssl_db -M 32MB
> sslcrtd_children 32 startup=5 idle=1 queue-size=64
> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
> #it means the application knows what certificate to expect when accessing AppStore.
> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a "mimicked" one;
> #the application detects that and refuses to function.
> #
> acl FakeCert ssl::server_name .apple.com
> acl FakeCert ssl::server_name .icloud.com
> acl FakeCert ssl::server_name .mzstatic.com
> acl FakeCert ssl::server_name .dropbox.com
> acl FakeCert ssl::server_name .bnpparisbas
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> ssl_bump peek ssl_step1
> ssl_bump splice GlobalWhitelistDSTNet
> ssl_bump splice GlobalWhitelistDomainsRx
> ssl_bump splice GlobalWhitelistDomains
> ssl_bump splice FakeCert
>
> # SNI Group google_sni/ssl_sni
> # id:16 Type: ssl_sni
> acl SNIGroup16 ssl::server_name_regex -i accounts\.google\.com
>
> # 0 Splice rules...
> acl KeepSSL ssl::server_name "/etc/squid3/acls_whitelist.dstdomain.conf"
> ssl_bump splice KeepSSL
> ssl_bump splice GlobalWhitelistDSTNet
>
> # Rules (spliced) added by admins....
>
> # 1 BUMP rules...
> #ssl_bump stare all
> ssl_bump bump ssl_step2 SNIGroup16
> ssl_bump splice all
>
> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
> sslproxy_cert_error allow all
> on_unsupported_protocol tunnel all
>
>
> -----Original message-----
> From: Alex Rousskov <rousskov at measurement-factory.com>
> Sent: 8 December 2021 15:13
> To: André Bolinhas <andre.bolinhas at articatech.com>; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] deny squid to bump deny_info
>
> On 12/7/21 8:39 PM, André Bolinhas wrote:
>
>> We use Squid v5 with ssl_bump to decrypt only google domains. With a
>> special configuration we also need to deny important websites. Squid
>> tries to bump returned error pages
>
> Yes, when SslBump encounters an error, it tries to bump the client 
> connection to deliver the error response.
>
> One way to prevent that error handling algorithm from kicking in is to 
> close the offending client connection using an "ssl_bump terminate" rule 
> (instead[1] of blocking client access using "http_access").
>
>
>> We have tried using a TCP_RESET deny_info but this does not fix the
>> bump operation
>
> I suspect the TCP_RESET feature is checked at error delivery time, after 
> the client connection is bumped to prepare it for error delivery. This 
> suspect behavior should be considered a Squid bug/deficiency IMO -- Squid 
> should not be bumping the TLS connection to deliver a TCP RST or FIN 
> packet.
>
> HTH,
>
> Alex.
> [1] It may be a good idea to also/still block client access using 
> http_access rules, as an additional safety layer, but it has to be done 
> carefully so that "ssl_bump terminate" rule matches _before_ any of the 
> corresponding "http_access deny" rules may match.
>
>
>
>> In this piece of log, you can see that Squid is forcing bump for an
>> Access Denied website under https:
>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769) clientAccessCheckDone: Access Denied: beacons2.gvt2.com:443
>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(770) clientAccessCheckDone: AclMatchedName = all
>> 2021/12/08 05:05:53.774 kid2| 83,7| LogTags.cc(57) update: TAG_NONE to TCP_DENIED
>> 2021/12/08 05:05:53.774 kid2| 28,4| FilledChecklist.cc(67) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc945c5b40
>> 2021/12/08 05:05:53.774 kid2| 28,4| Checklist.cc(197) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7ffc945c5b40
>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(1461) sslBumpAccessCheck: SslBump applies. Force bump action on error UNKNOWN
>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562) sslBumpNeed: sslBump required: bump
>> 2021/12/08 05:05:53.774 kid2| 73,3| HttpRequest.cc(683) storeId: sent back effectiveRequestUrl: beacons2.gvt2.com:443
>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(160) rawSpace: reserving 1 for SBuf77493929
>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(866) reAlloc: SBuf77493929 new store capacity: 40
>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(769) storeCreatePureEntry: storeCreateEntry: 'beacons2.gvt2.com:443'
>> 2021/12/08 05:05:53.774 kid2| 20,5| store.cc(349) StoreEntry: StoreEntry constructed, this=0x5561d9347e90
>> 2021/12/08 05:05:53.774 kid2| 20,3| MemObject.cc(100) MemObject: MemObject constructed, this=0x5561d5e66f50
>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x5561d80af128 owner: 3
>> 2021/12/08 05:05:53.774 kid2| 88,3| MemObject.cc(83) setUris: 0x5561d5e66f50 storeId: beacons2.gvt2.com:443
>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(85) assign: assigning SBuf77493930 from SBuf77493860
>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: storeCreateEntry locked key [null_store_key] e:=V/0x5561d9347e90*1
>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(569) setPrivateKey: 01 e:=V/0x5561d9347e90*1
>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(421) hashInsert: StoreEntry::hashInsert: Inserting Entry e:=XIV/0x5561d9347e90*1 key '71570400000000002412000002000000'
>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562) sslBumpNeed: sslBump required: client-first
>> 2021/12/08 05:05:53.774 kid2| 33,4| ServerBump.cc(28) ServerBump: will peek at beacons2.gvt2.com:443
>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock: Ssl::ServerBump locked key 71570400000000002412000002000000 e:=XIV/0x5561d9347e90*2
>> 2021/12/08 05:05:53.774 kid2| 4,4| errorpage.cc(720) errorAppendEntry: storing TEMPLATE_5 in e:=XIV/0x5561d9347e90*2
>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x5561d66a8078 owner: 3
>> 2021/12/08 05:05:53.774 kid2| 4,2| errorpage.cc(1389) buildBody: No existing error page language negotiated for TEMPLATE_5. Using default error file.
>>
>> Ssl.conf
>> # SSL used for port ID 1, :3128 on
>> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
>> # SSL Proxy options Proxy version:5.2 [134]
>> sslcrtd_program /lib/squid3/security_file_certgen
>> sslcrtd_children 32 startup=5 idle=1 queue-size=64
>> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
>> #it means the application knows what certificate to expect when accessing AppStore.
>> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a "mimicked" one;
>> #the application detects that and refuses to function.
>> #
>> acl FakeCert ssl::server_name .apple.com
>> acl FakeCert ssl::server_name .icloud.com
>> acl FakeCert ssl::server_name .mzstatic.com
>> acl FakeCert ssl::server_name .dropbox.com
>> acl FakeCert ssl::server_name .bnpparisbas
>> acl notbump ssl::server_name .redtube.com
>> acl ssl_step1 at_step SslBump1
>> acl ssl_step2 at_step SslBump2
>> acl ssl_step3 at_step SslBump3
>>
>> acl Me dst 127.0.0.1 192.168.58.11
>> acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
>>
>> ssl_bump splice notbump all
>> ssl_bump splice GlobalWhitelistDSTNet
>>
>> ssl_bump splice ssl_step1 Me
>> ssl_bump splice ByPassRBL
>> ssl_bump splice FakeCert
>>
>> # SNI Group sni_domains/ssl_sni
>> # id:7 Type: ssl_sni
>> acl SNIGroup7 ssl::server_name_regex -i account\.google\.com
>> acl SNIGroup7 ssl::server_name_regex -i accounts\.google\.com
>> ssl_bump peek ssl_step1 all
>> # 0 Splice rules...
>> ssl_bump splice ByPassRBL
>> ssl_bump splice GlobalWhitelistDSTNet
>>
>> # Rules (spliced) added by admins....
>>
>> # 1 BUMP rules...
>> ssl_bump bump ssl_step2 SNIGroup7
>> ssl_bump splice all
>>
>> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>>
>> http_access.conf
>> #### tcp_outgoing_tos ####
>> #### tcp_outgoing_tos 0 Rules ####
>> # SquidUrgency = 0 exec.squid.global.access.php[2233]
>> #       HaClusterClient=0 class.squid.acls.groups.inc/buildacls_order
>> #       mysql_for_port='' aclgpid=0 [L.174]
>> #       [3] rules [220]
>>
>>
>> # webfilters_sqacls #2 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>> # [L.292]: rule id: 2 access_allow Port Direction=0 ()
>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(2,..)
>> acl AnnotateRule2 annotate_transaction accessrule=Rule2
>> http_access allow Group2 AnnotateRule2
>> # webfilters_sqacls #4 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>> # [L.292]: rule id: 4 access_allow Port Direction=0 ()
>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(4,..)
>> acl AnnotateRule4 annotate_transaction accessrule=Rule4
>> http_access allow Group8 AnnotateRule4
>> # webfilters_sqacls #3 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>> # [L.292]: rule id: 3 access_deny Port Direction=0 ()
>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(3,..)
>> # Template Enabled for this ACL.
>> # Final acl is all, Template ID=1
>> acl AnnotateRule3 annotate_transaction accessrule=Rule3
>> http_access deny CONNECT AnnotateRule3
>> deny_info TCP_RESET AnnotateRule3
>>
>> acl MyAll dst 0.0.0.0/0
>> http_access deny Myall
>> deny_info 302:http://artica/me Myall
>> #
>> #
>> # ------------------ HTTP ACCESS -------------------- # 0 rule(s)
>> from engine (Line 2240)
>>
>>
>> #
>> # SquidStandardLDAPAuth = 0
>> # EnableOpenLDAP = 0
>> # SquidRadiusAuth = 0
>> # LDAP_AUTH = 0 caused by EnableOpenLDAP
>> acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
>> acl AnnotateWindowsUpdates annotate_transaction accessrule=AllowWindowsUpdates
>> http_access allow WindowsUpdates AnnotateWindowsUpdates
>> #
>> # -------------------- AUTH Schemes Squid v5.2-----------------------
>>
>> # ----------------------------------------------------------
>>
>> # LDAP Auth = 0
>> acl AnnotateSafePorts annotate_transaction accessrule=deny_remote_ports
>> http_access deny HTTP !Safe_ports all AnnotateSafePorts
>> http_access deny CONNECT !SSL_ports all AnnotateSafePorts
>> deny_info TCP_RESET all
>>
>> acl AnnotateBLK annotate_transaction accessrule=global_blacklist
>> http_access deny MyBlockedIPs AnnotateBLK
>> http_access deny blockedsites AnnotateBLK
>> http_access deny DomainsBlackLists AnnotateBLK
>> http_access deny NetworksBlackLists AnnotateBLK
>> include /etc/squid3/http_access_final.conf
>> # END http_access (defaults)
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
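Editorial note with an added configuration example (not from the thread and not the Squid project's own configuration). It shows the ordering problem Alex describes: the "http_access deny CONNECT1 denybump" line in the first message denies the explicit CONNECT before any ssl_bump rule is consulted, so Squid bumps the client to deliver the deny page. The reordered fragment below lets the CONNECT through http_access and makes "ssl_bump terminate" the first ssl_bump rule, so the client connection is closed at step 1 before a certificate is mimicked. Assumptions: the domain is the one from the thread; the standard acls from the default squid.conf (CONNECT, Safe_ports, SSL_ports) are defined above it; the acl name "step1" is chosen here; and the fragment lives in the file Squid parses first (or the first include it reads), so that no earlier ssl_bump line in ssl.conf wins.

```conf
# Added example, not from the thread or the Squid project.
acl denybump dstdomain .xvideos.com
acl step1 at_step SslBump1

# --- As posted in the thread (does not work) ------------------------------
# acl CONNECT1 method CONNECT
# http_access deny CONNECT1 denybump   # denies the CONNECT before SslBump runs;
#                                      # Squid then force-bumps the client to
#                                      # deliver the deny page
# ssl_bump terminate denybump          # never reached for that CONNECT
# http_access deny denybump

# --- Reordered ------------------------------------------------------------
# http_access is evaluated on the CONNECT first. Let that CONNECT through so
# the ssl_bump rules get to see it. Keep the default
# "http_access deny CONNECT !SSL_ports" above this line so only TLS ports
# get this far; the terminate rule below is what actually blocks the site.
http_access allow CONNECT denybump

# This must be the first ssl_bump rule in the entire configuration: at step 1
# only the CONNECT target is known, the client has not sent a ClientHello and
# no certificate has been mimicked. If "ssl_bump peek step1" came first it
# would match everything and terminate would never be reached at this step.
ssl_bump terminate denybump
ssl_bump peek step1
# ... existing splice/bump rules (FakeCert, KeepSSL, SNIGroup16, splice all) ...

# Safety net for plain-HTTP requests and for any decrypted request that a
# later rule still bumps: deny those, but never the CONNECT itself.
http_access deny denybump !CONNECT
```

Trade-off to be aware of: a terminated connection cannot carry TEMPLATE_5 or any other deny page, so the browser shows a generic connection-closed error; that is exactly the point, since the deny page can only be delivered over HTTPS by bumping. To check the result without a browser, `openssl s_client -proxy 127.0.0.1:3128 -connect www.xvideos.com:443 -servername www.xvideos.com </dev/null` (the `-proxy` option needs OpenSSL 1.1.0 or newer; the proxy address is assumed) should now end without printing a server certificate, whereas a bumped connection prints a chain issued by the proxy's own CA. With `debug_options ALL,1 85,5 83,3` the cache.log line `sslBumpAccessCheck: SslBump applies. Force bump action on error` quoted earlier in the thread should no longer appear for that host.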



