[squid-users] Config audit for 3.5.3

Dan Charlesworth dan at getbusi.com
Sat Apr 25 03:09:53 UTC 2015 

This was pretty interesting and informative —despite the egregious typos 😁 — thanks Amos!

On Sat, Apr 25, 2015 at 12:25 PM, Amos Jeffries <squid3 at treenet.co.nz>
wrote:

> On 25/04/2015 12:50 a.m., James Lay wrote:
>> Hey all.
>> 
>> Topic says it....I'm running squid-3.5.3-20150420-r13802 and wanted to
>> see if there's anything glaring that I'm missing/have misconfigured.  My
>> setup is squid is running on a router, one nic external, one nic
>> internal.  This is running as a transparent proxy with iptables doing a
>> redirect to ports 3128 and 3129.  Config below:
>> 
>> #############################################################
>> acl localnet src 192.168.1.0/24
>> 
>> acl SSL_ports port 443
>> acl Safe_ports port 80		# http
>> acl Safe_ports port 443		# https
>> 
>> acl CONNECT method CONNECT
>> acl broken_sites dst 96.16.0.0/15
>> <others redacted>
>> acl broken_sites dst 54.160.0.0/12
>> acl allowed_sites url_regex "/opt/etc/squid/url.txt"
>> acl all_others dst all
> Using "dst all" is very inefficient. It requires Squid to perform DNS
> lookups just to answer "yes". Unless there is some unusual reason
> requiring that you might as well use the provided "all" ACL for faster
> operation.
>> acl SSL method CONNECT
> This is a bit dangerous. CONNECT does not necessarily mean SSL - even
> with the port 443 restriction.  CONNECT could as easily contain a tunnel
> to email server and be pumping spam, or literally any other type of
> traffic to any other server. Spam emails, FTP, BitTorrent, and Skype are
> pretty popular protocols seen with CONNECT.
> So you can easily mistake security rules about SSL and create allow
> policies that make you vulnerable to some nasty attacks.
> Its also a redundant ACL definition with the default CONNECT ACL earlier.
>> 
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> 
>> http_access allow manager localhost
>> http_access deny manager
>> 
>> http_access allow allowed_sites
>> http_access allow broken_sites
>> 
>> http_access deny all_others 
> The above being equivalent to "deny all" makes the below rules not do
> anything. I dont know yoru policy, maybe you did.
> Consider whether that is what you expected/wanted to happen.
>> http_access allow localnet
>> http_access allow localhost
>> 
>> http_access deny all
>> icp_access deny all
>> 
>> 
>> sslproxy_cert_error allow broken_sites
>> sslproxy_cert_error deny all
>> 
>> sslproxy_options ALL
>> acl p3129 myportname 3129
> This name "3129" does not match any listening port name. See below...
>> acl step1 at_step SslBump1
>> ssl_bump peek step1
>> #ssl_bump splice broken_sites
>> ssl_bump bump p3129
>> 
>> 
>> http_port 192.168.1.253:3128 intercept 
> ... in the absence of a name= parameter the default name for tis port is
> "192.168.1.253:3128".
>> https_port 192.168.1.253:3129 intercept ssl-bump
>> cert=/opt/sslsplit/sslsplit.crt key=/opt/sslsplit/sslsplitca.key
>> cafile=/opt/sslsplit/sslsplitca.pem generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE
> ... in the absence of a name= parameter the default name for tis port is
> "192.168.1.253:3129".
> Do you see the pattern?
>  set the name= parameter eplicitly or it becomes teh *string* value of
> the host:port field.
>> 
>> always_direct allow all
> Has no use in your config.
>> 
>> logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%
>> Sh %ssl::>cert_subject
> Bad: do not re-define built in format definitions please.
> Either use the provided format, or use a different name if you need the
> custom one.
>> 
>> access_log syslog:daemon.info common
>> 
>> refresh_pattern ^ftp:		1440	20%	10080
>> refresh_pattern ^gopher:	1440	0%	1440
>> refresh_pattern -i (cgi-bin|\?)	0	0%	0
>> refresh_pattern .		0	20%	4320
>> 
>> icp_port 3130
> You are initializing ICP port, but also configured "icp_access deny all".
> To disble ICP leave remove the icp_* directives from your config.
> To enable ICP, configure the icp_access to allow some sources to make
> queries.
>> 
>> coredump_dir /opt/var
>> #############################################################
>> 
>> My goal has been to at least get the domain logged on any https access,
>> but alas some sites show:
>> 
>> Apr 24 06:39:32 gateway (squid-1): 192.168.1.101 - -
>> [24/Apr/2015:06:39:32 -0600] "CONNECT 216.58.216.162:443 HTTP/1.1" 200
>> 401 TCP_TUNNEL:ORIGINAL_DST -
>> 
> With interception + your custom rule using %ru you should always see
> raw-IP:port. If you see a TLS SNI domain in there *that* is a bug. "%ru"
> is explicitly asking for the client-presented CONNECT *URL*, not the
> server details.
> That "TCP_TUNNEL" will always happen whenever the protocol found on port
> 443 is not HTTPS.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150424/9c0af2b7/attachment-0001.html>

More information about the squid-users mailing list