[squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump

James Lay jlay at slave-tothe-box.net
Wed Jun 24 18:05:53 UTC 2015 

On 2015-06-24 11:46 AM, Tom Mowbray wrote:
> James,
> 
> Yes, as a matter of fact I have read through those exact posts and
> modeled my config very similarly.  What I have found is that, however,
> when the line "http_access allow SSL_ports" is placed above the
> ssl_bump stuff and other acl's (as you have it), it seems to simply
> allow ALL https without doing any filtering whatsoever.
> 
> Thanks for the response.
> 
> ---------------------------------Tom Mowbray
> _tmowbray at dalabs.com_
> _703-829-6694_
> 
> On Wed, Jun 24, 2015 at 1:31 PM, James Lay <jlay at slave-tothe-box.net>
> wrote:
> 
>> On 2015-06-24 09:41 AM, Tom Mowbray wrote:
>> 
>>> Squid 3.5.5
>>> 
>>> I seem to have some confusion about how acl lists are processed
>>> in
>>> squid.conf regarding the handling of SSL (HTTPS) traffic,
>>> attempting
>>> to use ssl_bump directives with transparent proxy.
>>> 
>>> Based on available documentation, I believe my squid.conf is
>>> correct,
>>> however it never seems to actually behave as expected.
>>> 
>>> I define the SSL port, as usual:
>>> 
>>> acl SSL_ports port 443
>>> 
>>> But here's where my confusion lies... Many state to place the
>>> following line above the ssl_bump configuration lines:
>>> 
>>> http_access allow SSL_ports
>>> 
>>> However when I do this, it appears to simply stop processing any
>>> other
>>> rules and allows ALL https traffic through the proxy (which is
>>> actually how I'd expect a standard ACL list to operate, but then
>>> how
>>> do I actually filter the traffic though our content-based ACL
>>> lists?).
>>> If I put the above line below the ssl_bump configuration options
>>> in
>>> my squid.conf, then it appears to BUMP all, even though I've told
>>> the
>>> config to SPLICE all https traffic, which doesn't work for our
>>> deployment.
>>> 
>>> So, does squid actually continue to process the https traffic
>>> using
>>> the ssl_bump rules if the "http_access allow SSL_ports" line is
>>> placed
>>> above it in the configuration?
>>> 
>>> I should note that we've been able to get filtering to work
>>> correctly
>>> when using our configuration in NON-transparent mode, however our
>>> goal
>>> is get this functionality working as a transparent proxy. We're
>>> unable to load our self-signed cert onto client machines that
>>> will be
>>> accessing the proxy, so using the "bump" or man-in-the-middle
>>> style
>>> https filtering isn't a viable option for us.
>>> 
>>> Any help or advice is appreciated!
>>> 
>>> Thanks,
>>> 
>>> Tom
>> 
>> Tom,
>> 
>> You kinda have to change the way you think about filtering when it
>> comes to Squid 3.5.5 and SSL(TLS). Normal http traffic is
>> easy....here's where we're trying to go and here's a list of place
>> we're alloed to go...simple.
>> 
>> Not so with SSL(TLS). Squid can't filter, since Squid may or may
>> not know where we're going...and that's the issue..it's where those
>> ssl_bump atStep ACL's come in. Some sites when you connect to them
>> are easy-ish..when you connect your device sends a "Server Name
>> Information" (SNI) that says where you're going. Other sites don't
>> have any information until you complete the SSL handshake (how can
>> you filter a site name, until squid KNOWS the site or at least
>> domain name?).
>> 
>> If you're still wanting to go through with transparent (intercept)
>> proxy with SSL, search through the list for my SSL Deep dive
>> posts...that config is working for me so far (granted, not in an
>> enterprise environment). However, as Amos said,....if you choose
>> not to install the cert on the client machines, you are either a)
>> going to be out of luck on LOT'S of websites because they will fail
>> the SSL handshake, or b) teaching your users to ignore the security
>> warnings of their browser's....neither of which is a good thing.
>> 
>> Hope that helps.
>> 
>> James
>> 

Tom,

You are right...that absolutely will allow all SSL initially...the 
filtering is down lower in the config here:

With single list of regex sites/domains like \.google\.com...peek, 
splice, no bump...I'm currently using this config section.
############################################################################
ssl_bump peek step1 all
ssl_bump peek step2 all
acl allowed_https_sites ssl::server_name_regex 
"/opt/etc/squid/http_url.txt"
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate all


With broken acl list of networks list 208.85.40.0/21
###########################################################################
ssl_bump peek step1 broken
ssl_bump peek step2 broken
ssl_bump splice broken
ssl_bump peek step1 all
ssl_bump peek step2 all
acl allowed_https_sites ssl::server_name_regex 
"/opt/etc/squid/http_url.txt"
ssl_bump bump allowed_https_sites
ssl_bump terminate all

In both configs above, the SNI and server names are checked, bounced off 
the http_url.txt list, and if the site/domain is NOT in the list the ssl 
session is terminated.  The big drag is, you won't be able to see that 
in the squid logs.  I have a bug open ( I don't remember the number :( ) 
to show this in the logs...so far in my setup I only see the first peek, 
nothing after that.  You can test the above setups with:

openssl s_client -connect x.x.x.x:443

The above will test with no SNI...these look like the below in the logs:
Jun 24 11:35:08 gateway (squid-1): 192.168.1.101 - - 
[24/Jun/2015:11:35:08 -0600] "CONNECT 31.13.76.101:443 HTTP/1.1" - - 200 
0 TAG_NONE:ORIGINAL_DST peek

wget -d --ca-certificate=<your.cert.file)

The above WILL send an SNI...which you should see in your logs as:
Jun 24 12:01:44 gateway (squid-1): 192.168.1.101 - - 
[24/Jun/2015:12:01:44 -0600] "CONNECT 172.230.156.79:443 HTTP/1.1" 
device-api.urbanairship.com - 200 0 TAG_NONE:ORIGINAL_DST peek

Hope that helps.

James

More information about the squid-users mailing list