[squid-users] req_header acl with ssl_bump

Wed Dec 7 21:45:29 UTC 2022

On 12/7/22 16:26, Toler, Matt wrote:
> Hello,
> 
> We are attempting to leverage headers to isolate access to external 
> sites with squid 4.14. The Loadbalencer is injecting headers and squid 
> is simply verifying them:
> 
> acl ACL_HDR_1 req_header Repo_Svr_VerifiedHdr True 
> acl REPO_DST_ALLOW dstdomain "/etc/squid/acls.d/hosts.acl" 
> http_access allow PROXY-SRC REPO_DST_ALLOW ACL_HDR_1
> 
> We are currently decrypting this traffic and it’s working well.
> 
> Now we have a requirement to skip ssl decrypt for only certain 
> destinations. My thought was to simply create a separate ACL where 
> skipping ssl decrypt is required and add the header ACL to the end of 
> the ssl_bump directive like so:
> 
> acl Repo_Skip_HDR req_header Repo_Svr_VerifiedHdr True 
> acl Repo_SkipSslDecrypt dstdomain "/etc/squid/acls.d/hosts.acl" 
> ssl_bump none Repo_SkipSslDecrypt Repo_Skip_HDR
> 
> This parsed successfully but did not have the desired effect. The squid 
> is still inspecting the traffic even with the header present as we can 
> see in the logs. Making things a little more complex, the ssl_bump 
> directive seems to have a global effect

I am not sure what you mean by "global effect". The ssl_bump directive 
affects transactions that are received on ports marked with an 
"ssl-bump" option and only them.

> and also imply “http_access allow” 

There is no such implication. In fact, conflating ssl_bump rules and 
HTTP-level access controls is a common configuration mistake. Correct 
configurations treat those two areas separately.

The only case where one could see a legitimate intersection of SslBump 
and access-controls is an "ssl_bump terminate" rule that triggers TCP 
connection(s) closure. One can view that termination as a form of access 
control (at TCP rather than HTTP level) -- http_access rules are not 
evaluated after Squid closes the connections, of course. In all other 
cases, http_access rules are evaluated after every ssl_bump rules scan. 
For more information, see 
https://wiki.squid-cache.org/Features/SslPeekAndSplice

> making it difficult isolate access. To get around this I thought 
> to simply skip ssl decrypt for the traffic with verified headers:
> 
> acl Repo_Skip_HDR req_header Repo_Svr_VerifiedHdr True
> 
> ssl_bump none Repo_Skip_HDR
> 
> Unfortunately even this isn’t working, again the config checks out and 
> runs happily, we see the header in the logs, but squid still tries to 
> inspect the traffic.
> 
> Any thoughts on why ssl_bump would ignore the header ACL or other 
> suggestions to isolate traffic when being required to skip ssl decrypt 
> would be greatly appreciated.

SslBump acts on the first applicable matching rule. It sounds like your 
(unsupported legacy) "none" rule is located below some other ssl_bump 
rules that are applicable to the current SslBump step and that match at 
least once. For more information, see 
https://wiki.squid-cache.org/Features/SslPeekAndSplice
  You can (indirectly and partially) test that theory by making the 
ssl_bump "none" rule the very first ssl_bump rule in the entire Squid 
configuration. Assuming all CONNECT requests have the right headers, 
that ssl_bump "none" rule should match as appropriate, and Squid should 
establish a blind TCP tunnel instead of doing TLS.

In modern configurations, the correct action is "splice", not "none". 
The above SslPeekAndSplice page documents the difference.

HTH,

Alex.