[squid-users] Squid checking for both dstdomain and IP

Alex Rousskov rousskov at measurement-factory.com
Tue Jun 28 20:05:50 UTC 2022 

On 6/28/22 14:32, Bruno de Paula Larini wrote:

> http_access allow allowed_sites
> http_access allow SSL_ports

The above rules allow abuse of sites matching allowed_sites (by proxying 
CONNECT traffic to any port on those sites). They also allow any traffic 
to SSL_ports of any site. In summary, they are not much better than 
allowing all traffic, creating an open proxy ripe for abuse.

Most likely, Squid interpretation of http_access rules significantly 
differs from yours -- you probably thought the above rules achieve some 
other (desirable) effect. You may need to start from squid.conf.default 
rules and studying how http_access rules work in Squid. Once your 
interpretation matches Squid's you can advance to dealing with SslBump 
complexities; the above problems are not even related to SslBump.

You may find the following page useful, but I realize that it has a lot 
of information irrelevant to your specific use case:
https://wiki.squid-cache.org/SquidFaq/SquidAcl


HTH,

Alex.


On 6/28/22 14:32, Bruno de Paula Larini wrote:

> I was already following the provided link for reference.
> It seems that splicing on step2 was correct, but in fact there were other things that I missed.
> 
> acl allowed_sites dstdomain "/etc/squid/allowed-sites.txt"
> # Creates acl containing domain names for splice.
> acl spliced_sites ssl::server_name "/etc/squid/allowed-sites.txt"
> http_access allow allowed_sites
> # This eliminates the browser error containing the IP from the website.
> # >> I don't know if there are caveats for allowing free access to SSL_ports. <<
> http_access allow SSL_ports
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> 
> ssl_bump peek step1
> ssl_bump splice step2 spliced_sites
> # Same effect of 'deny all' for https websites.
> ssl_bump terminate all
> ...
> 
> *Apparently* that does it.
> If I stated anything wrong, please correct me.
> 
> Cheers.
> 
> 
> Em 28/06/2022 10:52, Alex Rousskov escreveu:
>> On 6/28/22 08:08, Bruno de Paula Larini wrote:
>>
>>> I have a pretty simple configuration for website filtering (intercepted) and ssl_bump, which follows below.
>>> However, for some reason, it seems Squid resolves the website domain address, then uses the IP to compare with the ACLs.
>>
>> Most likely, what is actually happening is that Squid does not have domain information during SslBump step1, and then gets that information during step2. Squid http_access rules apply to each SslBump step, so you have to write them accordingly.
>>
>> Available to Squid information and expected Squid behavior is documented for each step at the following wiki page. There are bugs in that algorithm _implementation_, but they are being fixed, and I am not aware of better docs: https://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>> As the IP is not included in the ACL, the access to the website is denied.
>>> Before that, it already checked for the domain name. I can tell based on the error from the browser.
>>> I'm using Squid version 5.5.
>>>
>>> For example, while trying to open https://repo.maven.apache.org/ (included in the allowed sites), the browser shows the error:
>>>
>>>      The following error was encountered while trying to retrieve the URL: https://199.232.192.215/*
>>>
>>>      Access Denied.
>>>
>>> If I replace 'deny all' with 'allow all', the website will open as expected.
>>> Is there something wrong with my config? I have something similar running and working on version 4.4 (unless I'm missing something).
>>> I'm still only splicing for now.
>>>
>>> Thanks for the help!
>>>
>>>
>>> ### SQUID.CONF
>>> ...
>>> #
>>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>> #
>>>
>>> acl allowed_sites dstdomain "/etc/squid/allowed-sites.txt"
>>> http_access allow allowed_sites
>>>
>>> acl step1 at_step SslBump1
>>> ssl_bump peek step1
>>> ssl_bump splice all
>>>
>>> tls_outgoing_options capath=/etc/pki/tls/certs options=ALL
>>>
>>> sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 8MB
>>> sslcrtd_children 3
>>>
>>> http_access allow localhost
>>>
>>> # And finally deny all other access to this proxy
>>> http_access deny all
>>>
>>> # Squid normally listens to port 3128
>>> http_port 192.168.10.10:8080
>>> http_port 192.168.10.10:3128 intercept
>>> https_port 192.168.10.10:3129 tls-cert=/etc/squid/ssl/squidCA.pem tls-key=/etc/squid/ssl/squidCA.key ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
>>> ...
>>>
>>> ### IPTABLES
>>> ...
>>> iptables -t nat -A PREROUTING -i eth0 -s 192.168.10.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
>>> iptables -t nat -A PREROUTING -i eth0 -s 192.168.10.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3129
>>> ...

More information about the squid-users mailing list