[squid-users] How to completely blacklist a domain + subdomains, including HTTPS?

roee klinger roeeklinger60 at gmail.com
Wed Mar 10 12:28:57 UTC 2021


Thanks, Amos.

I tried implementing the configuration you suggested but I am getting an
error message:

FATAL: Invalid ACL type 'ssl::server_name'
FATAL: Bungled /etc/squid/squid.conf line 36: acl server_blacklist
ssl::server_name "/etc/squid/domain_blacklist.txt"


I tried reading the documentation but can't find anything wrong in my
config file, I used the 2 lines exactly like they are in your suggestion,
and I am running Squid 4.10.

On Tue, Mar 9, 2021 at 2:48 PM Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 10/03/21 12:57 am, roee klinger wrote:
> > Hey,
> >
> > I have found a lot of outdated or conflicting information about this
> > online, and since this is a really important matter, I wanted to make
> > sure I am doing this correctly.
> >
> > I am attempting to block some websites completely, including all HTTPS
> > traffic and subdomains.
> >
>
> Basically there are two protocols that need to be considered for this.
> HTTP and TLS.
>
> In HTTP the "website" is identified by a domain name in the
> request-target (aka URI, sometimes called URL).
>   * The 'dstdomain' ACL type matches URI domain name.
>   * The http_access directive is where that domain name becomes
> available for Squid to check.
>
>
> In TLS the "website" is identified by the TLS SNI sent by the client, or
> a field in the server X.509 certificate.
>   * The 'ssl::server_name' ACL type matches those details.
>   * The ssl_bump directive
>
>
> Next thing is to be aware that there are many ways to layer protocols.
> Do expect to see vastly different proxy behaviours for each permutation
> of those.
>   * port 443 "HTTPS" is TLS then HTTP
>   * port 80 "HTTPS" is HTTP then TLS (quite rare)
>   * forward-proxy "HTTPS" is HTTP then TLS then HTTP
>
>
>
> > Squid.conf:
> >
> >     acl domain_blacklist dstdomain "/etc/squid/domain_blacklist.txt"
> >     http_access deny all domain_blacklist
>
> The "all" here is pointless.
>
>
> >     http_reply_access deny domain_blacklist
>
> Use of reply access directive for blacklisting by request details is not
> useful.
>
> The request already got blocked. So any response reaching here is just
> the error page saying forbidden. Blocking that error page would just
> change it to a slightly different error page saying the *response* was
> forbidden - which is a bit confusing for any user trying to understand
> why their request didn't work.
>
>
> >     http_access deny CONNECT domain_blacklist
> >
>
> This line is useless here.
>
> squid.conf lines are interpreted top-down. The "deny all
> domain_blacklist" already stopped all requests that could possibly match
> the second condition of this line.
>
>
> >
> > /etc/squid/domain_blacklist.txt:
> >
> >     .ph
> >     .somepornwebsite.com
> >     .facebook.com
> >
> ...
> >
> > Am I doing this the right way?
>
>
> Sort of. Your http_access denial will catch all the HTTP and decrypted
> HTTP(S) traffic. It will not be able to block any HTTP(S) requests that
> it is not able to decrypt.
>
> To catch and block these domains without needing to decrypt you should
> also use:
>
>   acl server_blacklist ssl::server_name "/etc/squid/domain_blacklist.txt"
>   ssl_bump terminate server_blacklist
>
> Of course there is always the failure case where traffic cannot decrypt
> and the TLS details use different server names.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
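A small shell diagnostic for the FATAL error reported above, added here as an example and not part of the thread: the ssl::server_name ACL type and ssl_bump are only available in a Squid binary built with OpenSSL support, so it checks the configure options reported by `squid -v` and extracts the ACL types that `squid -k parse` rejects. The `squid -v` outputs and the parse log embedded below are constructed samples so the script also runs where Squid is not installed.

```sh
#!/bin/sh
# Added example (not from the thread): relate an "Invalid ACL type" parse
# error to the Squid build. ssl::* ACL types need a build with OpenSSL.

# Return 0 if the given `squid -v` output shows OpenSSL support, 1 otherwise.
squid_has_openssl() {
    printf '%s\n' "$1" | grep -q -- '--with-openssl'
}

# Print every ACL type that a `squid -k parse` log rejected, one per line.
invalid_acl_types() {
    printf '%s\n' "$1" | sed -n "s/.*Invalid ACL type '\([^']*\)'.*/\1/p"
}

# Constructed samples: a build with OpenSSL, one without, and the error log.
SQUID_V_SSL="Squid Cache: Version 4.10
configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'"
SQUID_V_NOSSL="Squid Cache: Version 4.10
configure options:  '--prefix=/usr' '--enable-icap-client'"
PARSE_LOG="FATAL: Invalid ACL type 'ssl::server_name'
FATAL: Bungled /etc/squid/squid.conf line 36: acl server_blacklist ssl::server_name \"/etc/squid/domain_blacklist.txt\""

# Explain a parse log given the build info. Returns 0 when no ACL type was
# rejected, 2 when the config uses an ACL type this binary does not have.
diagnose() {
    build="$1"; log="$2"; rc=0
    for t in $(invalid_acl_types "$log"); do
        case "$t" in
            ssl::*)
                if squid_has_openssl "$build"; then
                    echo "ACL type $t rejected although the build has OpenSSL: check spelling and Squid version"
                else
                    echo "ACL type $t needs a Squid built with --with-openssl; this binary was not"
                fi ;;
            *) echo "ACL type $t is unknown to this Squid" ;;
        esac
        rc=2
    done
    return $rc
}

# Run against the installed binary when there is one, otherwise the samples.
if command -v squid >/dev/null 2>&1; then
    diagnose "$(squid -v)" "$(squid -k parse 2>&1)"
else
    diagnose "$SQUID_V_NOSSL" "$PARSE_LOG" || :   # sample run reports the missing build option
fi
```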