[squid-users] How to completely blacklist a domain + subdomains, including HTTPS?

Amos Jeffries squid3 at treenet.co.nz
Tue Mar 9 12:43:25 UTC 2021

On 10/03/21 12:57 am, roee klinger wrote:
> Hey,
> I have found a lot of outdated or conflicting information about this 
> online, and since this is a really important matter, I wanted to make 
> sure I am doing this correctly.
> I am attempting to block some websites completely, including all HTTPS 
> traffic and subdomains.

Basically there are two protocols that need to be considered for this. 

In HTTP the "website" is identified by a domain name in the 
request-target (aka URI, sometimes called URL).
  * The 'dstdomain' ACL type matches URI domain name.
  * The http_access directive is where that domain name becomes 
available for Squid to check.

In TLS the "website" is identified by the TLS SNI sent by the client, or 
a field in the server X.509 certificate.
  * The 'ssl::server_name' ACL type matches those details.
  * The ssl_bump directive

Next thing is to be aware that there are many ways to layer protocols. 
Do expect to see vastly different proxy behaviours for each permutation 
of those.
  * port 443 "HTTPS" is TLS then HTTP
  * port 80 "HTTPS" is HTTP then TLS (quite rare)
  * forward-proxy "HTTPS" is HTTP then TLS then HTTP

> Squid.conf:
>     acl domain_blacklist dstdomain "/etc/squid/domain_blacklist.txt"
>     http_access deny all domain_blacklist

The "all" here is pointless.

>     http_reply_access deny domain_blacklist

Use of reply access directive for blacklisting by request details is not 

The request already got blocked. So any response reaching here is just 
the error page saying forbidden. Blocking that error page would just 
change it to a slightly different error page saying the *response* was 
forbidden - which is a bit confusing for any user trying to understand 
why their request didn't work.

>     http_access deny CONNECT domain_blacklist

This line is useless here.

squid.conf lines are interpreted top-down. The "deny all 
domain_blacklist" already stopped all requests that could possibly match 
the second condition of this line.

> /etc/squid/domain_blacklist.txt:
>     .ph
>     .somepornwebsite.com
>     .facebook.com
> Am I doing this the right way?

Sort of. Your http_access denial will catch all the HTTP and decrypted 
HTTP(S) traffic. It will not be able to block any HTTP(S) requests that 
it is not able to decrypt.

To catch and block these domains without needing to decrypt you should 
also use:

  acl server_blacklist ssl::server_name "/etc/squid/domain_blacklist.txt"
  ssl_bump terminate server_blacklist

Of course there is always the failure case where traffic cannot be decrypted 
and the TLS details use different server names.

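Putting the pieces of this reply together, the following is an added example squid.conf fragment (my own, not Amos's or the Squid project's) that denies the listed domains for plain HTTP, for decrypted HTTP(S), and for TLS that is only peeked at for its SNI. It assumes Squid 4 or later built with OpenSSL support, a forward proxy on port 3128, and a local CA certificate at /etc/squid/proxy-ca.pem (assumed path); the blacklist file is the one from the thread.

```conf
# Added example (not from the original post). Assumes Squid 4+, OpenSSL build,
# forward proxy on 3128, local CA at /etc/squid/proxy-ca.pem (assumed path).
# A certificate is required on an ssl-bump port even though nothing below is
# ever bumped (decrypted): allowed TLS is spliced, blacklisted TLS is terminated.
http_port 3128 ssl-bump tls-cert=/etc/squid/proxy-ca.pem

# One list file serves both ACL types. A leading dot matches the domain and
# every subdomain: ".facebook.com" matches facebook.com and m.facebook.com.
acl domain_blacklist dstdomain        "/etc/squid/domain_blacklist.txt"
acl server_blacklist ssl::server_name "/etc/squid/domain_blacklist.txt"
acl step1 at_step SslBump1

# HTTP and decrypted HTTP(S): deny by the request-target domain.
# Rules are read top-down, so "deny all domain_blacklist" and a later
# "deny CONNECT domain_blacklist" add nothing to this single line.
http_access deny domain_blacklist
http_access allow localhost
http_access deny all

# TLS: peek at the ClientHello so the SNI is known, terminate the connection
# when the SNI names a blacklisted server, otherwise pass it through (splice)
# so no decryption is needed for allowed traffic.
ssl_bump peek step1
ssl_bump terminate server_blacklist
ssl_bump splice all
```

The caveat from the reply still applies: a client that sends no SNI, or an SNI that differs from the server names in the list, is not caught by the ssl_bump rule.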