[squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump

James Lay jlay at slave-tothe-box.net
Thu Jun 25 12:15:50 UTC 2015


On Thu, 2015-06-25 at 08:06 -0400, Tom Mowbray wrote:
> James,
> 
> 
> 
> Thank for for your help.  Now that I have a better understanding of
> how the https traffic is handled, I've been able to get things working
> as intended.
> 
> 
> 
> 
> 
> ---------------------------------
> 
> Tom Mowbray
> 
> tmowbray at dalabs.com
> 703-829-6694
> 
> 
> 
> On Wed, Jun 24, 2015 at 2:05 PM, James Lay <jlay at slave-tothe-box.net>
> wrote:
> 
>         On 2015-06-24 11:46 AM, Tom Mowbray wrote:
>         
>                 James,
>                 
>                 Yes, as a matter of fact I have read through those
>                 exact posts and
>                 modeled my config very similarly.  What I have found
>                 is that, however,
>                 when the line "http_access allow SSL_ports" is placed
>                 above the
>                 ssl_bump stuff and other acl's (as you have it), it
>                 seems to simply
>                 allow ALL https without doing any filtering
>                 whatsoever.
>                 
>                 Thanks for the response.
>                 
>                 ---------------------------------Tom Mowbray
>                 _tmowbray at dalabs.com_
>                 _703-829-6694_
>                 
>                 
>                 
>                 On Wed, Jun 24, 2015 at 1:31 PM, James Lay
>                 <jlay at slave-tothe-box.net>
>                 wrote:
>                 
>                 
>                         On 2015-06-24 09:41 AM, Tom Mowbray wrote:
>                         
>                         
>                                 Squid 3.5.5
>                                 
>                                 I seem to have some confusion about
>                                 how acl lists are processed
>                                 in
>                                 squid.conf regarding the handling of
>                                 SSL (HTTPS) traffic,
>                                 attempting
>                                 to use ssl_bump directives with
>                                 transparent proxy.
>                                 
>                                 Based on available documentation, I
>                                 believe my squid.conf is
>                                 correct,
>                                 however it never seems to actually
>                                 behave as expected.
>                                 
>                                 I define the SSL port, as usual:
>                                 
>                                 acl SSL_ports port 443
>                                 
>                                 But here's where my confusion lies...
>                                 Many state to place the
>                                 following line above the ssl_bump
>                                 configuration lines:
>                                 
>                                 http_access allow SSL_ports
>                                 
>                                 However when I do this, it appears to
>                                 simply stop processing any
>                                 other
>                                 rules and allows ALL https traffic
>                                 through the proxy (which is
>                                 actually how I'd expect a standard ACL
>                                 list to operate, but then
>                                 how
>                                 do I actually filter the traffic
>                                 though our content-based ACL
>                                 lists?).
>                                 If I put the above line below the
>                                 ssl_bump configuration options
>                                 in
>                                 my squid.conf, then it appears to BUMP
>                                 all, even though I've told
>                                 the
>                                 config to SPLICE all https traffic,
>                                 which doesn't work for our
>                                 deployment.
>                                 
>                                 So, does squid actually continue to
>                                 process the https traffic
>                                 using
>                                 the ssl_bump rules if the "http_access
>                                 allow SSL_ports" line is
>                                 placed
>                                 above it in the configuration?
>                                 
>                                 I should note that we've been able to
>                                 get filtering to work
>                                 correctly
>                                 when using our configuration in
>                                 NON-transparent mode, however our
>                                 goal
>                                 is get this functionality working as a
>                                 transparent proxy. We're
>                                 unable to load our self-signed cert
>                                 onto client machines that
>                                 will be
>                                 accessing the proxy, so using the
>                                 "bump" or man-in-the-middle
>                                 style
>                                 https filtering isn't a viable option
>                                 for us.
>                                 
>                                 Any help or advice is appreciated!
>                                 
>                                 Thanks,
>                                 
>                                 Tom
>                         
>                         
>                         Tom,
>                         
>                         You kinda have to change the way you think
>                         about filtering when it
>                         comes to Squid 3.5.5 and SSL(TLS). Normal http
>                         traffic is
>                         easy....here's where we're trying to go and
>                         here's a list of place
>                         we're alloed to go...simple.
>                         
>                         Not so with SSL(TLS). Squid can't filter,
>                         since Squid may or may
>                         not know where we're going...and that's the
>                         issue..it's where those
>                         ssl_bump atStep ACL's come in. Some sites when
>                         you connect to them
>                         are easy-ish..when you connect your device
>                         sends a "Server Name
>                         Information" (SNI) that says where you're
>                         going. Other sites don't
>                         have any information until you complete the
>                         SSL handshake (how can
>                         you filter a site name, until squid KNOWS the
>                         site or at least
>                         domain name?).
>                         
>                         If you're still wanting to go through with
>                         transparent (intercept)
>                         proxy with SSL, search through the list for my
>                         SSL Deep dive
>                         posts...that config is working for me so far
>                         (granted, not in an
>                         enterprise environment). However, as Amos
>                         said,....if you choose
>                         not to install the cert on the client
>                         machines, you are either a)
>                         going to be out of luck on LOT'S of websites
>                         because they will fail
>                         the SSL handshake, or b) teaching your users
>                         to ignore the security
>                         warnings of their browser's....neither of
>                         which is a good thing.
>                         
>                         Hope that helps.
>                         
>                         James
>                         
>         
>         
>         Tom,
>         
>         You are right...that absolutely will allow all SSL
>         initially...the filtering is down lower in the config here:
>         
>         With single list of regex sites/domains like \.google
>         \.com...peek, splice, no bump...I'm currently using this
>         config section.
>         ############################################################################
>         ssl_bump peek step1 all
>         ssl_bump peek step2 all
>         acl allowed_https_sites ssl::server_name_regex
>         "/opt/etc/squid/http_url.txt"
>         ssl_bump splice step3 allowed_https_sites
>         ssl_bump terminate all
>         
>         
>         With broken acl list of networks list 208.85.40.0/21
>         ###########################################################################
>         ssl_bump peek step1 broken
>         ssl_bump peek step2 broken
>         ssl_bump splice broken
>         ssl_bump peek step1 all
>         ssl_bump peek step2 all
>         acl allowed_https_sites ssl::server_name_regex
>         "/opt/etc/squid/http_url.txt"
>         ssl_bump bump allowed_https_sites
>         ssl_bump terminate all
>         
>         In both configs above, the SNI and server names are checked,
>         bounced off the http_url.txt list, and if the site/domain is
>         NOT in the list the ssl session is terminated.  The big drag
>         is, you won't be able to see that in the squid logs.  I have a
>         bug open ( I don't remember the number :( ) to show this in
>         the logs...so far in my setup I only see the first peek,
>         nothing after that.  You can test the above setups with:
>         
>         openssl s_client -connect x.x.x.x:443
>         
>         The above will test with no SNI...these look like the below in
>         the logs:
>         Jun 24 11:35:08 gateway (squid-1): 192.168.1.101 - -
>         [24/Jun/2015:11:35:08 -0600] "CONNECT 31.13.76.101:443
>         HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST peek
>         
>         wget -d --ca-certificate=<your.cert.file)
>         
>         The above WILL send an SNI...which you should see in your logs
>         as:
>         Jun 24 12:01:44 gateway (squid-1): 192.168.1.101 - -
>         [24/Jun/2015:12:01:44 -0600] "CONNECT 172.230.156.79:443
>         HTTP/1.1" device-api.urbanairship.com - 200 0
>         TAG_NONE:ORIGINAL_DST peek
>         
>         Hope that helps.
>         
>         James
> 
> 
> 

Excellent!

James
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150625/79e44813/attachment-0001.html>


More information about the squid-users mailing list