[squid-users] How to completely blacklist a domain + subdomains, including HTTPS?
squid3 at treenet.co.nz
Tue Mar 9 12:43:25 UTC 2021
On 10/03/21 12:57 am, roee klinger wrote:
> I have found a lot of outdated or conflicting information about this
> online, and since this is a really important matter, I wanted to make
> sure I am doing this correctly.
> I am attempting to block some websites completely, including all HTTPS
> traffic and subdomains.
Basically there are two protocols that need to be considered for this:
HTTP and TLS.
In HTTP the "website" is identified by a domain name in the
request-target (aka URI, sometimes called URL).
* The 'dstdomain' ACL type matches URI domain name.
* The http_access directive is where that domain name becomes
available for Squid to check.
In TLS the "website" is identified by the TLS SNI sent by the client, or
a field in the server X.509 certificate.
* The 'ssl::server_name' ACL type matches those details.
* The ssl_bump directive
Next thing is to be aware that there are many ways to layer protocols.
Do expect to see vastly different proxy behaviours for each permutation.
* port 443 "HTTPS" is TLS then HTTP
* port 80 "HTTPS" is HTTP then TLS (quite rare)
* forward-proxy "HTTPS" is HTTP then TLS then HTTP
> acl domain_blacklist dstdomain "/etc/squid/domain_blacklist.txt"
> http_access deny all domain_blacklist
The "all" here is pointless.
> http_reply_access deny domain_blacklist
Use of reply access directive for blacklisting by request details is not
The request already got blocked. So any response reaching here is just
the error page saying forbidden. Blocking that error page would just
change it to a slightly different error page saying the *response* was
forbidden - which is a bit confusing for any user trying to understand
why their request didn't work.
> http_access deny CONNECT domain_blacklist
This line is useless here.
squid.conf lines are interpreted top-down. The "deny all
domain_blacklist" already stopped all requests that could possibly match
the second condition of this line.
> Am I doing this the right way?
Sort of. Your http_access denial will catch all the HTTP and decrypted
HTTP(S) traffic. It will not be able to block any HTTP(S) requests that
it is not able to decrypt.
To catch and block these domains without needing to decrypt you should:
acl server_blacklist ssl::server_name "/etc/squid/domain_blacklist.txt"
ssl_bump terminate server_blacklist
Of course there is always the failure case where traffic cannot decrypt
and the TLS details use different server names.
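As an added illustration (not part of the thread and not Squid's own code), here is a small Python model of the two checks the reply describes applied to one shared blacklist file. It assumes the one-domain-per-line format of /etc/squid/domain_blacklist.txt and the documented dstdomain matching rule, which ssl::server_name shares: an entry with a leading dot matches the domain and every subdomain, while a bare entry matches only that exact host; the domain names themselves are constructed.

```python
# Added example: models Squid's dstdomain (HTTP layer) and ssl::server_name
# (TLS layer) checks against the same blacklist file. Not Squid's own code.

# Constructed sample blacklist, one entry of each form.
BLACKLIST_TEXT = """\
# comments and blank lines are ignored
.blocked.example
tracker.example
"""


def load_blacklist(text):
    """Parse the file as the ACL does: one domain per line, case-insensitive."""
    entries = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def domain_matches(entry, host):
    """dstdomain-style comparison of one ACL entry against a host name.
    ".blocked.example" covers blocked.example and all its subdomains;
    "tracker.example" covers only that exact host."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        suffix = entry[1:]
        return host == suffix or host.endswith("." + suffix)
    return host == entry


def http_access_decision(entries, request_host):
    """HTTP layer: 'http_access deny domain_blacklist' on the request-target
    host. Returns "deny" when the ACL matches, None when this rule does not fire."""
    if any(domain_matches(e, request_host) for e in entries):
        return "deny"
    return None


def ssl_bump_decision(entries, sni=None, cert_names=()):
    """TLS layer: 'ssl_bump terminate server_blacklist' on the client SNI or
    names from the server certificate. With neither available there is nothing
    to match, which is the failure case the reply mentions: nothing is blocked."""
    names = [n for n in (sni, *cert_names) if n]
    if any(domain_matches(e, n) for e in entries for n in names):
        return "terminate"
    return None
```

The bare entry shows why "tracker.example" in the file does not stop cdn.tracker.example: a subdomain-wide block needs the leading-dot form.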