[squid-users] deny squid to bump deny_info

Alex Rousskov rousskov at measurement-factory.com
Sat Dec 11 14:59:20 UTC 2021


On 12/10/21 6:03 PM, André Bolinhas wrote:

> Actually if I remove http_access deny it works

There are many ways to misconfigure Squid. Removing all "http_access
deny" rules (that apply to CONNECT requests) is one of them.

I recommend learning how Squid applies http_access and ssl_bump rules
based on available documentation and this mailing list help. Please ask
questions as needed. Once you understand how Squid works, you should be
able to configure Squid correctly and/or file bug reports.

If you just want to follow specific configuration instructions instead,
then you will probably have to wait for somebody to detail what I have
suggested earlier. Please note that I did not recommend removal of all
"http_access deny" rules. I recommended making sure that CONNECT
requests that match "ssl_bump terminate" rule are allowed. Everything
else should be allowed/denied as usual.

HTH,

Alex.

> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com> 
> Sent: 10 December 2021 16:42
> To: André Bolinhas <andre.bolinhas at articatech.com>; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] deny squid to bump deny_info
> 
> On 12/10/21 11:01 AM, André Bolinhas wrote:
> 
>> I put this code at the beginning of squid.conf, just after listen_ports:
>>
>> http_port 0.0.0.0:3128 name=MyPortNameID1 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/861be42112afac3b82f6b992bcc464aa.dyn sslflags=VERIFY_CRL_ALL options=NO_SSLv3,No_Compression tls-dh=/etc/squid3/ssl/dhparam.pem
>>
>> acl denybump dstdomain .xvideos.com
>> acl CONNECT1 method CONNECT
>> http_access deny CONNECT1 denybump
>> ssl_bump terminate denybump
>> http_access deny denybump
>>
>> but still don't work, squid continues to bump the error page.
>>
>> If I change the code to terminate all
>> acl denybump dstdomain .xvideos.com
>> acl CONNECT1 method CONNECT
>> http_access deny CONNECT1 denybump
>> ssl_bump terminate all
>> http_access deny denybump
>>
>> Squid is able to terminate all connections except the xvideos ones, because xvideos is denied, so squid continues to bump it to show the error page.
> 
> AFAICT, your configuration denies CONNECT requests _before_ "ssl_bump terminate" logic kicks in. The existing SslBump documentation can be interpreted as matching what is going on in your tests; see steps 1.ii and 1.iii at https://wiki.squid-cache.org/Features/SslPeekAndSplice
> 
> We probably should document that a step1 http_access denial (which happens during step 1.ii) blocks/prevents ssl_bump rules evaluation (which happens in step 1.iii).
> 
> My recommendation from the very first response on this email thread still stands: Close the offending client connection using an "ssl_bump terminate" rule instead[1] of blocking client access using "http_access".
> 
> [1] It may be a good idea to also/still block client access using http_access rules, as an additional safety layer, but it has to be done carefully so that "ssl_bump terminate" rule matches _before_ any of the corresponding "http_access deny" rules may match. For example, the two rules cannot have exactly the same condition because step 1.ii happens before step 1.iii.
> 
> 
> HTH,
> 
> Alex.
> 
>> You can see the result images here:
>> gmail bump terminated - https://ibb.co/3MsMt0C
>> Xvideos bump not terminated - https://ibb.co/b24hL44
>>
>>
>> -----Original Message-----
>> From: Alex Rousskov <rousskov at measurement-factory.com>
>> Sent: 8 December 2021 16:02
>> To: André Bolinhas <andre.bolinhas at articatech.com>; 
>> squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] deny squid to bump deny_info
>>
>> On 12/8/21 10:40 AM, André Bolinhas wrote:
>>> Where do I need to add the ssl_bump terminate rule? Inside ssl.conf or 
>>> http_access.conf?
>>> I have tried in both but it continues to bump the error page.
>>
>> Unfortunately, I cannot edit your configuration right now, but others 
>> on the mailing list may be able to help you. Please note that we do 
>> not know how those two files are included into your primary 
>> configuration file and whether that primary configuration file 
>> contains any relevant settings itself. The primary configuration file 
>> is what Squid parses first (e.g., it may be specified using "squid -f").
>>
>>
>>> Also tried ssl_bump terminate all at the top of both files and it always 
>>> bumps the error_page.
>>
>> I am not sure, but AFAICT, Squid bugs notwithstanding, if "ssl_bump 
>> terminate all" is the very first ssl_bump rule in the entire Squid 
>> configuration, and Squid still bumps traffic, then you may be denying 
>> explicit CONNECT requests _before_ SslBump kicks in.
>>
>> Alex.
>>
>>
>>> These are my current files:
>>> http_access.conf
>>> #### tcp_outgoing_tos ####
>>> #### tcp_outgoing_tos 0 Rules ####
>>> # webfilters_sqacls HaClusterClient=0 2 rules [202] [class.squid.acls.groups.inc]
>>> # webfilters_sqacls #10 : aclport=0 (  ) [212] [class.squid.acls.groups.inc]
>>> # [L.268]: rule id: 10 access_allow Port Direction=0 ()
>>> # [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(10,..)
>>> http_access allow Group17
>>> # webfilters_sqacls #5 : aclport=0 (  ) [212] [class.squid.acls.groups.inc]
>>> # [L.268]: rule id: 5 access_deny Port Direction=0 ()
>>> # [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(5,..)
>>> # Template Enabled for this ACL.
>>> # Final acl is all, Template ID=1
>>> deny_info TEMPLATE_5 all
>>> http_access deny all
>>> #
>>> #
>>> # ------------------ HTTP ACCESS -------------------- # 0 rule(s) from engine (Line 2170)
>>>
>>>
>>> # SquidStandardLDAPAuth = 0
>>> # EnableOpenLDAP = 0
>>> # SquidRadiusAuth = 0
>>> # LDAP_AUTH = 0 caused by EnableOpenLDAP
>>> acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
>>> http_access allow WindowsUpdates
>>>
>>> # LDAP Auth = 0
>>> http_access deny HTTP !Safe_ports all
>>> http_access deny CONNECT !SSL_ports all
>>> http_access deny MyBlockedIPs
>>> http_access deny blockedsites
>>> http_access deny DomainsBlackLists
>>> http_access deny NetworksBlackLists
>>> include /etc/squid3/http_access_final.conf
>>> # END http_access (defaults)
>>>
>>> # Allow all networks to finally pass through the proxy.
>>> http_access allow all
>>>
>>> ssl.conf
>>> # SSL used for port ID 1, :3128 on
>>> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
>>> # SSL Proxy options Proxy version:5.2 [134]
>>> sslcrtd_program /lib/squid3/security_file_certgen -s /var/lib/squid/session/ssl/ssl_db -M 32MB
>>> sslcrtd_children 32 startup=5 idle=1 queue-size=64
>>> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
>>> #it means the application knows what certificate to expect when accessing AppStore.
>>> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a “mimicked” one;
>>> #the application detects that and refuses to function.
>>> #
>>> acl FakeCert ssl::server_name .apple.com
>>> acl FakeCert ssl::server_name .icloud.com
>>> acl FakeCert ssl::server_name .mzstatic.com
>>> acl FakeCert ssl::server_name .dropbox.com
>>> acl FakeCert ssl::server_name .bnpparisbas
>>> acl ssl_step1 at_step SslBump1
>>> acl ssl_step2 at_step SslBump2
>>> acl ssl_step3 at_step SslBump3
>>> ssl_bump peek ssl_step1
>>> ssl_bump splice GlobalWhitelistDSTNet
>>> ssl_bump splice GlobalWhitelistDomainsRx
>>> ssl_bump splice GlobalWhitelistDomains
>>> ssl_bump splice FakeCert
>>>
>>> # SNI Group google_sni/ssl_sni
>>> # id:16 Type: ssl_sni
>>> acl SNIGroup16 ssl::server_name_regex -i accounts\.google\.com
>>>
>>> # 0 Splice rules...
>>> acl KeepSSL ssl::server_name "/etc/squid3/acls_whitelist.dstdomain.conf"
>>> ssl_bump splice KeepSSL
>>> ssl_bump splice GlobalWhitelistDSTNet
>>>
>>> # Rules (spliced) added by admins....
>>>
>>> # 1 BUMP rules...
>>> #ssl_bump stare all
>>> ssl_bump bump ssl_step2 SNIGroup16
>>> ssl_bump splice all
>>>
>>> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
>>> sslproxy_cert_error allow all
>>> on_unsupported_protocol tunnel all
>>>
>>>
>>> -----Original Message-----
>>> From: Alex Rousskov <rousskov at measurement-factory.com>
>>> Sent: 8 December 2021 15:13
>>> To: André Bolinhas <andre.bolinhas at articatech.com>; 
>>> squid-users at lists.squid-cache.org
>>> Subject: Re: [squid-users] deny squid to bump deny_info
>>>
>>> On 12/7/21 8:39 PM, André Bolinhas wrote:
>>>
>>>> We use Squid v5 with ssl_bump to decrypt only google domains. With a 
>>>> special configuration we also need to deny important websites. Squid 
>>>> tries to bump returned error pages
>>>
>>> Yes, when SslBump encounters an error, it tries to bump the client 
>>> connection to deliver the error response.
>>>
>>> One way to prevent that error handling algorithm from kicking in is 
>>> to close the offending client connection using an "ssl_bump 
>>> terminate" rule (instead[1] of blocking client access using "http_access").
>>>
>>>
>>>> We have tried using a TCP_RESET deny_info but this does not fix the 
>>>> bump operation
>>>
>>> I suspect the TCP_RESET feature is checked at error delivery time, 
>>> after the client connection is bumped to prepare it for error 
>>> delivery. This suspect behavior should be considered a Squid 
>>> bug/deficiency IMO -- Squid should not be bumping the TLS connection 
>>> to deliver a TCP RST or FIN packet.
>>>
>>> HTH,
>>>
>>> Alex.
>>> [1] It may be a good idea to also/still block client access using 
>>> http_access rules, as an additional safety layer, but it has to be 
>>> done carefully so that "ssl_bump terminate" rule matches _before_ any 
>>> of the corresponding "http_access deny" rules may match.
>>>
>>>
>>>
>>>> In this piece of log, you can see that squid is forcing bump for 
>>>> Access Denied website under https:
>>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769)
>>>> clientAccessCheckDone: Access Denied: beacons2.gvt2.com:443
>>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(770)
>>>> clientAccessCheckDone: AclMatchedName = all
>>>> 2021/12/08 05:05:53.774 kid2| 83,7| LogTags.cc(57) update: TAG_NONE 
>>>> to TCP_DENIED
>>>> 2021/12/08 05:05:53.774 kid2| 28,4| FilledChecklist.cc(67)
>>>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc945c5b40
>>>> 2021/12/08 05:05:53.774 kid2| 28,4| Checklist.cc(197) ~ACLChecklist:
>>>> ACLChecklist::~ACLChecklist: destroyed 0x7ffc945c5b40
>>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(1461)
>>>> sslBumpAccessCheck: SslBump applies. Force bump action on error 
>>>> UNKNOWN
>>>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562)
>>>> sslBumpNeed: sslBump required: bump
>>>> 2021/12/08 05:05:53.774 kid2| 73,3| HttpRequest.cc(683) storeId: 
>>>> sent back
>>>> effectiveRequestUrl: beacons2.gvt2.com:443
>>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(160) rawSpace: reserving
>>>> 1 for
>>>> SBuf77493929
>>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(866) reAlloc:
>>>> SBuf77493929 new store capacity: 40
>>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(769) storeCreatePureEntry:
>>>> storeCreateEntry: 'beacons2.gvt2.com:443'
>>>> 2021/12/08 05:05:53.774 kid2| 20,5| store.cc(349) StoreEntry:
>>>> StoreEntry constructed, this=0x5561d9347e90
>>>> 2021/12/08 05:05:53.774 kid2| 20,3| MemObject.cc(100) MemObject:
>>>> MemObject constructed, this=0x5561d5e66f50
>>>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader:
>>>> init-ing
>>>> hdr: 0x5561d80af128 owner: 3
>>>> 2021/12/08 05:05:53.774 kid2| 88,3| MemObject.cc(83) setUris:
>>>> 0x5561d5e66f50
>>>> storeId: beacons2.gvt2.com:443
>>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(85) assign: assigning
>>>> SBuf77493930 from SBuf77493860
>>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock:
>>>> storeCreateEntry locked key [null_store_key] e:=V/0x5561d9347e90*1
>>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(569) setPrivateKey: 01
>>>> e:=V/0x5561d9347e90*1
>>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(421) hashInsert:
>>>> StoreEntry::hashInsert: Inserting Entry e:=XIV/0x5561d9347e90*1 key 
>>>> '71570400000000002412000002000000'
>>>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562)
>>>> sslBumpNeed: sslBump required: client-first
>>>> 2021/12/08 05:05:53.774 kid2| 33,4| ServerBump.cc(28) ServerBump:
>>>> will peek at beacons2.gvt2.com:443
>>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock:
>>>> Ssl::ServerBump locked key 71570400000000002412000002000000
>>>> e:=XIV/0x5561d9347e90*2
>>>> 2021/12/08 05:05:53.774 kid2| 4,4| errorpage.cc(720) errorAppendEntry:
>>>> storing TEMPLATE_5 in e:=XIV/0x5561d9347e90*2
>>>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader:
>>>> init-ing
>>>> hdr: 0x5561d66a8078 owner: 3
>>>> 2021/12/08 05:05:53.774 kid2| 4,2| errorpage.cc(1389) buildBody: No 
>>>> existing error page language negotiated for TEMPLATE_5. Using 
>>>> default error file.
>>>>
>>>> Ssl.conf
>>>> # SSL used for port ID 1, :3128 on
>>>> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
>>>> # SSL Proxy options Proxy version:5.2 [134]
>>>> sslcrtd_program /lib/squid3/security_file_certgen
>>>> sslcrtd_children 32 startup=5 idle=1 queue-size=64
>>>> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
>>>> #it means the application knows what certificate to expect when accessing AppStore.
>>>> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a “mimicked” one;
>>>>
>>>> #the application detects that and refuses to function.
>>>> #
>>>> acl FakeCert ssl::server_name .apple.com
>>>> acl FakeCert ssl::server_name .icloud.com
>>>> acl FakeCert ssl::server_name .mzstatic.com
>>>> acl FakeCert ssl::server_name .dropbox.com
>>>> acl FakeCert ssl::server_name .bnpparisbas
>>>> acl notbump ssl::server_name .redtube.com
>>>> acl ssl_step1 at_step SslBump1
>>>> acl ssl_step2 at_step SslBump2
>>>> acl ssl_step3 at_step SslBump3
>>>>
>>>> acl Me dst 127.0.0.1 192.168.58.11
>>>> acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
>>>>
>>>> ssl_bump splice notbump all
>>>> ssl_bump splice GlobalWhitelistDSTNet
>>>>
>>>> ssl_bump splice ssl_step1 Me
>>>> ssl_bump splice ByPassRBL
>>>> ssl_bump splice FakeCert
>>>>
>>>> # SNI Group sni_domains/ssl_sni
>>>> # id:7 Type: ssl_sni
>>>> acl SNIGroup7 ssl::server_name_regex -i account\.google\.com
>>>> acl SNIGroup7 ssl::server_name_regex -i accounts\.google\.com
>>>> ssl_bump peek ssl_step1 all
>>>> # 0 Splice rules...
>>>> ssl_bump splice ByPassRBL
>>>> ssl_bump splice GlobalWhitelistDSTNet
>>>>
>>>> # Rules (spliced) added by admins....
>>>>
>>>> # 1 BUMP rules...
>>>> ssl_bump bump ssl_step2 SNIGroup7
>>>> ssl_bump splice all
>>>>
>>>> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
>>>> sslproxy_cert_error allow all
>>>>
>>>> http_access.conf
>>>> #### tcp_outgoing_tos ####
>>>> #### tcp_outgoing_tos 0 Rules ####
>>>> # SquidUrgency = 0 exec.squid.global.access.php[2233]
>>>> #       HaClusterClient=0 class.squid.acls.groups.inc/buildacls_order
>>>> #       mysql_for_port='' aclgpid=0 [L.174]
>>>> #       [3] rules [220]
>>>>
>>>>
>>>> # webfilters_sqacls #2 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>>>> # [L.292]: rule id: 2 access_allow Port Direction=0 ()
>>>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(2,..)
>>>> acl AnnotateRule2 annotate_transaction accessrule=Rule2
>>>> http_access allow Group2 AnnotateRule2
>>>> # webfilters_sqacls #4 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>>>> # [L.292]: rule id: 4 access_allow Port Direction=0 ()
>>>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(4,..)
>>>> acl AnnotateRule4 annotate_transaction accessrule=Rule4
>>>> http_access allow Group8 AnnotateRule4
>>>> # webfilters_sqacls #3 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>>>> # [L.292]: rule id: 3 access_deny Port Direction=0 ()
>>>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(3,..)
>>>> # Template Enabled for this ACL.
>>>> # Final acl is all, Template ID=1
>>>> acl AnnotateRule3 annotate_transaction accessrule=Rule3
>>>> http_access deny CONNECT AnnotateRule3
>>>> deny_info TCP_RESET AnnotateRule3
>>>>
>>>> acl MyAll dst 0.0.0.0/0
>>>> http_access deny Myall
>>>> deny_info 302:http://artica/me Myall
>>>> #
>>>> #
>>>> # ------------------ HTTP ACCESS -------------------- # 0 rule(s) from engine (Line 2240)
>>>>
>>>>
>>>> #
>>>> # SquidStandardLDAPAuth = 0
>>>> # EnableOpenLDAP = 0
>>>> # SquidRadiusAuth = 0
>>>> # LDAP_AUTH = 0 caused by EnableOpenLDAP
>>>> acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
>>>> acl AnnotateWindowsUpdates annotate_transaction accessrule=AllowWindowsUpdates
>>>> http_access allow WindowsUpdates AnnotateWindowsUpdates
>>>> #
>>>> # -------------------- AUTH Schemes Squid v5.2-----------------------
>>>>
>>>> # ----------------------------------------------------------
>>>>
>>>> # LDAP Auth = 0
>>>> acl AnnotateSafePorts annotate_transaction accessrule=deny_remote_ports
>>>> http_access deny HTTP !Safe_ports all AnnotateSafePorts
>>>> http_access deny CONNECT !SSL_ports all AnnotateSafePorts
>>>> deny_info TCP_RESET all
>>>>
>>>> acl AnnotateBLK annotate_transaction accessrule=global_blacklist
>>>> http_access deny MyBlockedIPs AnnotateBLK
>>>> http_access deny blockedsites AnnotateBLK
>>>> http_access deny DomainsBlackLists AnnotateBLK
>>>> http_access deny NetworksBlackLists AnnotateBLK
>>>> include /etc/squid3/http_access_final.conf
>>>> # END http_access (defaults)
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>>
>>>
>>
> 
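The rule ordering Alex describes (step 1.ii http_access before step 1.iii ssl_bump, terminate rule matching first, http_access deny kept only as a non-overlapping safety layer), written out as an added squid.conf fragment that is not from the thread; the domain, the `blocked`/`step1` ACL names and `localnet` are placeholders.

```squid
# Added example, not taken from the thread. The domain and the ACL names
# "blocked" and "localnet" are placeholders.
acl CONNECT method CONNECT
acl blocked dstdomain .blocked.example
acl step1 at_step SslBump1

# What the thread's configuration did: the CONNECT is denied by http_access
# at SslBump step 1.ii, so the ssl_bump rules (step 1.iii) are never
# evaluated and Squid bumps the client connection to deliver the
# TCP_DENIED error page (the behaviour seen in the posted debug log).
#http_access deny CONNECT blocked
#ssl_bump terminate blocked

# What Alex recommends: let the CONNECT that the terminate rule should match
# pass http_access, so that SslBump step 1.iii runs and closes the client
# connection before any error page exists to be bumped. Keep the terminate
# rule; without it this allow would tunnel the traffic through.
http_access allow CONNECT blocked
ssl_bump terminate step1 blocked
ssl_bump peek step1
ssl_bump splice all

# Additional safety layer (Alex's footnote [1]): a deny whose condition is not
# identical to the terminate rule's. With first-match http_access semantics it
# cannot catch the CONNECT already allowed above, so it only denies plain-HTTP
# requests to the domain instead of pre-empting the terminate rule.
http_access deny blocked
http_access allow localnet
http_access deny all
```

To confirm the ordering on a live proxy, a terminated client should see its TLS connection closed with no certificate from Squid and access.log should not record a TCP_DENIED for the CONNECT.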


