[squid-users] Thinking out loud about "applications" definition for squid

Wed May 11 05:14:15 UTC 2022

OK so, an update.
I wrote a basic application that does just the basic features.

I am looking for someone that want's to help me enhance the feature.

Thanks,
Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com

-----Original Message-----
From: Eliezer Croitoru <ngtech1ltd at gmail.com> 
Sent: Sunday, March 27, 2022 04:33
To: squid-users at lists.squid-cache.org
Subject: Thinking out loud about "applications" definition for squid

Hey,

I have been thinking about defining a specific way that will tag connections
with an APP ID for simplicity.
For example I have just seen couple support websites of web systems vendors
that provide their domains and ip addresses.
The basic example would be:
https://help.pluralsight.com/help/ip-allowlist

Which provides the next basic info:
*.pluralsight.com
*.typekit.com

# Video CDN
vid.pluralsight.com
vid5.pluralsight.com
vid20.pluralsight.com
vid21.pluralsight.com
vid30.pluralsight.com

# Excertises files
ip-video-course-exercise-files-us-west-2.s3.us-west-2.amazonaws.com

So it means that technically if I have this defined somewhere I can run an
external acl helper that will get all the details of the request and will
tag
the request and/or connection with an APP ID that can be allowed or denied
by the next external acl helper in the pipe line.
The next access log:
https://www.ngtech.co.il/squid/pluralsight-access-log.txt

is a bit redacted but still contains the relevant log lines.

So the relevant ACL options are:
http_access Allow/deny
TLS Splice/bump
Dst_ip - APP ID
Src_ip - Allow/Deny/others
Cache allow/deny

I would assume that every request with the dstdomain:
.pluralsight.com
ip-video-course-exercise-files-us-west-2.s3.us-west-2.amazonaws.com

Or SNI regex:
\.pluralsight\.com$
^ip-video-course-exercise-files-us-west-2\.s3\.us-west-2\.amazonaws\.com$

Should 100% be tagged with a pluralsight APP ID tag.

It would be a similar idea with goolge/gmail/Microsoft/AV/others
And since it's a very simple and re-producible APP ID tagging technique it
can be simplified into a set of helpers.

So first, what do you as a squid user think about it?
Can you and others help me work on a simple project that will help with this
specific idea?
A list of applications ID might be a good starter for the first
POC/Development process.

One place I have seen a similar implementation would be:
https://github.com/ntop/nDPI/blob/dev/src/include/ndpi_protocol_ids.h

I think that the goal would be that it would be possible to use an API that
will be able to change a rule or a ruleset per client paired with a
protocol.
Much like in a FW rules the helper would be able to run a query against a
small embedded json/other dbase/base that will contain all the relevant
details of the apps
And another part of it would be to contain the ruleset itself.

So for example a definition of:
Match: client, appID, verdict(allow/deny)
Match: client, appID, verdict(bump/splice)
Match: dst, appID, verdict(allow/deny)..

Would be pretty simple to define by the proxy admin.

Let me know how can you help with this project.

Thanks,
Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com