[squid-users] Squid checking for both dstdomain and IP
Alex Rousskov
rousskov at measurement-factory.com
Tue Jun 28 13:52:10 UTC 2022
On 6/28/22 08:08, Bruno de Paula Larini wrote:
> I have a pretty simple configuration for website filtering (intercepted)
> and ssl_bump, which follows below.
> However, for some reason, it seems Squid resolves the website domain
> address, then uses the IP to compare with the ACLs.
Most likely, what is actually happening is that Squid does not have
domain information during SslBump step1, and then gets that information
during step2. Squid http_access rules apply to each SslBump step, so you
have to write them accordingly.
Available to Squid information and expected Squid behavior is documented
for each step at the following wiki page. There are bugs in that
algorithm _implementation_, but they are being fixed, and I am not aware
of better docs:
https://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps
HTH,
Alex.
> As the IP is not included in the ACL, the access to the website is denied.
> Before that, it already checked for the domain name. I can tell based on
> the error from the browser.
> I'm using Squid version 5.5.
>
> For example, while trying to open https://repo.maven.apache.org/
> (included in the allowed sites), the browser shows the error:
>
> The following error was encountered while trying to retrieve the
> URL: https://199.232.192.215/*
>
> Access Denied.
>
> If I replace 'deny all' with 'allow all', the website will open as
> expected.
> Is there something wrong with my config? I have something similar
> running and working on version 4.4 (unless I'm missing something).
> I'm still only splicing for now.
>
> Thanks for the help!
>
>
> ### SQUID.CONF
> ...
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> acl allowed_sites dstdomain "/etc/squid/allowed-sites.txt"
> http_access allow allowed_sites
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice all
>
> tls_outgoing_options capath=/etc/pki/tls/certs options=ALL
>
> sslcrtd_program /usr/lib64/squid/security_file_certgen -s
> /var/lib/squid/ssl_db -M 8MB
> sslcrtd_children 3
>
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # Squid normally listens to port 3128
> http_port 192.168.10.10:8080
> http_port 192.168.10.10:3128 intercept
> https_port 192.168.10.10:3129 tls-cert=/etc/squid/ssl/squidCA.pem
> tls-key=/etc/squid/ssl/squidCA.key ssl-bump intercept
> generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
> ...
>
> ### IPTABLES
> ...
> iptables -t nat -A PREROUTING -i eth0 -s 192.168.10.0/24 -p tcp --dport
> 80 -j REDIRECT --to-port 3128
> iptables -t nat -A PREROUTING -i eth0 -s 192.168.10.0/24 -p tcp --dport
> 443 -j REDIRECT --to-port 3129
> ...
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list