[squid-users] Squid 3 SSL bump: Google drive application could not connect

Eliezer Croitoru eliezer at ngtech.co.il
Mon Jan 5 02:44:15 UTC 2015



Hey Thread (Jason, Yuri, Douglas...),

There are a couple of aspects about SSL and connections in general, and
as we talk about the SSL port I first would like to put a couple of things
on the table.

* Squid is an HTTP caching proxy and therefore every feature which is
out of the HTTP-related scope should not be handled by Squid at all.
* Any Squid operation is at the application level and therefore is
limited by the software (kernel + Squid).
* There is a difference between servers taking a load of 1k requests
per second and an SMB which handles about 50 requests per second.

In general it's better not to intercept a connection which is not
bump-able.
The decision about whether to DROP\REJECT or ACCEPT the connection should
better not involve Squid in general if possible.
Squid offers a very nice interface, but if you compare the Linux kernel
forwarding capabilities to Squid you would see that Squid is very
limited in userspace.

So in a case where the helper only needs to "know" if the connection is
bump-able there are other alternatives in the Linux kernel!!
And if you need logs.. you can use the *helper* (whichever one you
choose to work with) to log...

So now for the real thing:
My opinion about external_acl vs other solutions is that if Squid with
an external_acl works for you and you understand what it means from
performance and security aspects, try it, test it and then use it.

But if your Squid load is high and in case Squid slows down the
bumped connections too much (compared to Linux forwarding) I would try
to use something like NFQUEUE to just test if the connection is
bump-able or not by IP and DST PORT.

* Some information about NFQUEUE:
https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
http://suricata-ids.org/

* Some examples:
https://www.wzdftpd.net/redmine/projects/nfqueue-bindings/repository/entry/examples/rewrite.py
http://danmcinerney.org/reliable-dns-spoofing-with-python-scapy-nfqueue/
http://5d4a.wordpress.com/2011/08/25/having-fun-with-nfqueue-and-scapy/

A Squid helper is nice but... an NFQUEUE helper that can verify whether to
FORWARD or BUMP the connection would be a better-suited solution in my
opinion.

All the best,
Eliezer Croitoru

On 01/05/2015 03:07 AM, Douglas Davenport wrote:
> Seems to me it would be more useful as an external ACL so that a
> decision could be made based on other factors, e.g. src or dstdomain,
> whether to deny or allow the un-bumpable connection.

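The external_acl variant discussed in this thread, as an added example that is not code from the posting or from the Squid project: a small helper that answers "is this destination bump-able?" from the destination IP and port, which the admin can then use in an `ssl_bump` rule to splice or deny instead of bumping. It assumes an `external_acl_type` line of the form `%DST %PORT` (so each request line is `<dst> <port>`) and a constructed skip-list of networks; the `BUMP_PORTS`, `SKIP_NETWORKS`, `is_bumpable` and `handle_line` names are this example's own. The NFQUEUE alternative Eliezer prefers needs a kernel queue and root, so only the Squid-side helper is shown here.

```python
#!/usr/bin/env python3
"""Squid external_acl helper deciding whether a TCP destination is bump-able.

Assumed squid.conf wiring (example, adjust the path and TTL per site):

    external_acl_type bumpcheck ttl=60 %DST %PORT /usr/local/bin/bumpcheck.py
    acl bumpable external bumpcheck
    ssl_bump bump bumpable
    ssl_bump splice all

Each request line the helper reads is "<dst-host-or-ip> <dst-port>"; the
helper replies "OK" when the destination looks bump-able (TLS on a port we
terminate and not in a skip-list) and "ERR" otherwise.
"""
import ipaddress
import sys

# Ports on which TLS is terminated. Constructed value; adjust per site.
BUMP_PORTS = {443}

# Destinations known not to bump cleanly (pinned clients, non-TLS on 443, ...).
# Constructed example ranges from the RFC 5737 / RFC 3849 documentation blocks.
SKIP_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_bumpable(dst, port, skip_networks=SKIP_NETWORKS, bump_ports=BUMP_PORTS):
    """Return True when (dst, port) is a candidate for ssl_bump."""
    if port not in bump_ports:
        return False
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        # %DST may be a hostname (e.g. from SNI) rather than an IP literal;
        # only a literal can be matched against the skip-list, so names pass.
        return True
    return not any(addr in net for net in skip_networks)


def handle_line(line):
    """Turn one request line from Squid into an "OK"/"ERR" reply line.

    When the helper is started with concurrency=N, Squid prefixes each
    request with a channel-ID that must be echoed back on the reply.
    """
    fields = line.split()
    channel = ""
    if len(fields) == 3:
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) != 2:
        return channel + "ERR message=malformed-request"
    dst, port_str = fields
    try:
        port = int(port_str)
    except ValueError:
        return channel + "ERR message=bad-port"
    return channel + ("OK" if is_bumpable(dst, port) else "ERR")


def main():
    # Line-oriented protocol: one request line in, one reply line out.
    # Flushing after every reply is required or Squid waits on the helper.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The decision is kept in `is_bumpable()` so it can be unit-tested without Squid; the `ttl=` on the `external_acl_type` line matters for the load concern raised in the thread, since it lets Squid cache the verdict per destination instead of round-tripping to the helper on every CONNECT.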
