[squid-users] Questions Regarding Transparent Proxy, HTTPS, and ssl_bump
Klavs Klavsen
kl at vsen.dk
Thu Jun 25 12:16:23 UTC 2015
Hi Tom,
How did you succeed in filtering https traffic? Using http_access, or
the way James did it, using domain name only?
Tom Mowbray wrote on 06/25/2015 02:06 PM:
> James,
>
> Thank you for your help. Now that I have a better understanding of how
> the https traffic is handled, I've been able to get things working as
> intended.
>
>
> ---------------------------------
> Tom Mowbray
> tmowbray at dalabs.com
> 703-829-6694
>
> On Wed, Jun 24, 2015 at 2:05 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> On 2015-06-24 11:46 AM, Tom Mowbray wrote:
>
> James,
>
> Yes, as a matter of fact I have read through those exact posts and
> modeled my config very similarly. What I have found, however, is that
> when the line "http_access allow SSL_ports" is placed above the
> ssl_bump stuff and other acl's (as you have it), it seems to simply
> allow ALL https without doing any filtering whatsoever.
>
> Thanks for the response.
>
> ---------------------------------
> Tom Mowbray
> tmowbray at dalabs.com
> 703-829-6694
>
>
> On Wed, Jun 24, 2015 at 1:31 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> On 2015-06-24 09:41 AM, Tom Mowbray wrote:
>
> Squid 3.5.5
>
> I seem to have some confusion about how acl lists are processed in
> squid.conf regarding the handling of SSL (HTTPS) traffic, attempting
> to use ssl_bump directives with transparent proxy.
>
> Based on available documentation, I believe my squid.conf is correct,
> however it never seems to actually behave as expected.
>
> I define the SSL port, as usual:
>
> acl SSL_ports port 443
>
> But here's where my confusion lies... Many state to place the
> following line above the ssl_bump configuration lines:
>
> http_access allow SSL_ports
>
> However when I do this, it appears to simply stop processing any other
> rules and allows ALL https traffic through the proxy (which is actually
> how I'd expect a standard ACL list to operate, but then how do I
> actually filter the traffic through our content-based ACL lists?).
> If I put the above line below the ssl_bump configuration options in my
> squid.conf, then it appears to BUMP all, even though I've told the
> config to SPLICE all https traffic, which doesn't work for our
> deployment.
>
> So, does squid actually continue to process the https traffic using
> the ssl_bump rules if the "http_access allow SSL_ports" line is placed
> above it in the configuration?
>
> I should note that we've been able to get filtering to work correctly
> when using our configuration in NON-transparent mode, however our goal
> is to get this functionality working as a transparent proxy. We're
> unable to load our self-signed cert onto client machines that will be
> accessing the proxy, so using the "bump" or man-in-the-middle style
> https filtering isn't a viable option for us.
>
> Any help or advice is appreciated!
>
> Thanks,
>
> Tom
>
>
> Tom,
>
> You kinda have to change the way you think about filtering when it
> comes to Squid 3.5.5 and SSL(TLS). Normal http traffic is
> easy....here's where we're trying to go and here's a list of places
> we're allowed to go...simple.
>
> Not so with SSL(TLS). Squid can't filter, since Squid may or may not
> know where we're going...and that's the issue..it's where those
> ssl_bump atStep ACL's come in. Some sites when you connect to them are
> easy-ish..when you connect your device sends a "Server Name
> Information" (SNI) that says where you're going. Other sites don't
> have any information until you complete the SSL handshake (how can you
> filter a site name, until squid KNOWS the site or at least domain
> name?).
>
> If you're still wanting to go through with transparent (intercept)
> proxy with SSL, search through the list for my SSL Deep dive
> posts...that config is working for me so far (granted, not in an
> enterprise environment). However, as Amos said,....if you choose not
> to install the cert on the client machines, you are either a) going to
> be out of luck on LOTS of websites because they will fail the SSL
> handshake, or b) teaching your users to ignore the security warnings
> of their browsers....neither of which is a good thing.
>
> Hope that helps.
>
> James
>
>
> Tom,
>
> You are right...that absolutely will allow all SSL initially...the
> filtering is down lower in the config here:
>
> With single list of regex sites/domains like \.google\.com...peek,
> splice, no bump...I'm currently using this config section.
> ############################################################################
> # the step1/step2/step3 acls are not shown in this message; in Squid 3.5
> # they are defined with at_step, assumed here as:
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1 all
> ssl_bump peek step2 all
> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> ssl_bump splice step3 allowed_https_sites
> ssl_bump terminate all
>
>
> With broken acl list of networks list 208.85.40.0/21
> ###########################################################################
> # "broken" is the network list named above; its acl type (dst) is assumed,
> # and the step acls are not shown in this message (at_step assumed)
> acl broken dst 208.85.40.0/21
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> ssl_bump peek step1 broken
> ssl_bump peek step2 broken
> ssl_bump splice broken
> ssl_bump peek step1 all
> ssl_bump peek step2 all
> acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
> ssl_bump bump allowed_https_sites
> ssl_bump terminate all
>
> In both configs above, the SNI and server names are checked, bounced
> off the http_url.txt list, and if the site/domain is NOT in the list
> the ssl session is terminated. The big drag is, you won't be able
> to see that in the squid logs. I have a bug open ( I don't remember
> the number :( ) to show this in the logs...so far in my setup I only
> see the first peek, nothing after that. You can test the above
> setups with:
>
> openssl s_client -connect x.x.x.x:443
>
> The above will test with no SNI...these look like the below in the logs:
> Jun 24 11:35:08 gateway (squid-1): 192.168.1.101 - -
> [24/Jun/2015:11:35:08 -0600] "CONNECT 31.13.76.101:443 HTTP/1.1" - - 200 0
> TAG_NONE:ORIGINAL_DST peek
>
> wget -d --ca-certificate=<your.cert.file> https://<host>/
>
> The above WILL send an SNI...which you should see in your logs as:
> Jun 24 12:01:44 gateway (squid-1): 192.168.1.101 - -
> [24/Jun/2015:12:01:44 -0600] "CONNECT 172.230.156.79:443 HTTP/1.1"
> device-api.urbanairship.com - 200 0 TAG_NONE:ORIGINAL_DST peek
>
> Hope that helps.
>
> James
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
--
Regards,
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
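Added example, not part of this thread and not code from the Squid project: a small Python model of how Squid 3.5 walks ssl_bump lines (first line whose acls all match wins, evaluated again at each SslBump step as peeking reveals more of the handshake), traced over the two ssl_bump sections James posted. It assumes the step acls are `at_step` acls, that "broken" is a `dst` acl, that `ssl::server_name` falls back from SNI to the server certificate name to the destination IP, that an unmatched step is spliced, and it embeds a constructed stand-in for `/opt/etc/squid/http_url.txt`; the connection cases are constructed (only the two destination IPs come from James's log lines).

```python
"""Added example (not from the squid-users thread or the Squid project): a model
of how Squid 3.5 evaluates ssl_bump lines, traced over James's two configs.  Per
SslBump step the first line whose acls all match wins; a peek at step 1 reveals
the SNI and a peek at step 2 the server certificate.  Assumptions are commented."""
import ipaddress, re, shlex
from typing import Dict, List, Optional, Tuple
# Constructed stand-in for /opt/etc/squid/http_url.txt (one regex per line).
HTTP_URL_TXT = r"""
\.google\.com
^device-api\.urbanairship\.com$
"""
# at_step acls (not shown in James's message) and the dst type of "broken" are assumed.
ACLS = """
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/http_url.txt"
"""
CONF_SPLICE_ONLY = ACLS + """
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate all
"""
CONF_WITH_BROKEN = ACLS + """
acl broken dst 208.85.40.0/21
ssl_bump peek step1 broken
ssl_bump peek step2 broken
ssl_bump splice broken
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump bump allowed_https_sites
ssl_bump terminate all
"""

def parse_conf(text: str, files: Dict[str, str]):
    """Return ({acl: (type, values)}, [(action, [acl names])]) for the acl and
    ssl_bump lines; `files` maps quoted file paths to their contents."""
    acls, rules = {}, []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words and words[0] == "acl":
            name, kind, *values = words[1:]
            if kind == "ssl::server_name_regex":
                values = [v for path in values for v in files[path].split()]
            acls[name] = (kind, values)
        elif words and words[0] == "ssl_bump":
            rules.append((words[1], words[2:]))
    return acls, rules

class Conn:
    """What Squid knows about one intercepted TLS connection so far."""
    def __init__(self, dst_ip: str):
        self.dst_ip = dst_ip
        self.sni: Optional[str] = None        # learned by peeking at step 1
        self.cert_name: Optional[str] = None  # learned by peeking at step 2
    def server_name(self) -> str:
        # Assumed ssl::server_name precedence: SNI, server cert name, dst IP.
        return self.sni or self.cert_name or self.dst_ip

def acl_matches(acls, name: str, conn: Conn, step: int) -> bool:
    if name == "all":
        return True
    kind, values = acls[name]   # KeyError here = acl used before definition
    if kind == "at_step":
        return step == int(values[0][-1])   # "SslBump2" -> 2
    if kind == "dst":
        ip = ipaddress.ip_address(conn.dst_ip)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "ssl::server_name_regex":
        return any(re.search(v, conn.server_name()) for v in values)
    raise ValueError(f"acl type {kind!r} not modelled")

def decide(acls, rules, conn: Conn, step: int) -> str:
    """First ssl_bump line whose acls all match wins at this step."""
    for action, names in rules:
        if all(acl_matches(acls, n, conn, step) for n in names):
            return action
    return "splice"   # assumed no-match default: leave the tunnel untouched

def trace(conf: str, dst_ip: str, client_sni: Optional[str] = None,
          cert_name: Optional[str] = None) -> List[Tuple[int, str]]:
    """Walk one connection through the SslBump steps; returns [(step, action)].
    client_sni / cert_name are what peeking would reveal, seen only after a peek."""
    acls, rules = parse_conf(conf, {"/opt/etc/squid/http_url.txt": HTTP_URL_TXT})
    conn, decisions = Conn(dst_ip), []
    for step in (1, 2, 3):
        action = decide(acls, rules, conn, step)
        decisions.append((step, action))
        if action != "peek":              # splice, bump and terminate are final
            break
        if step == 1:
            conn.sni = client_sni         # ClientHello read: SNI, if one was sent
        else:
            conn.cert_name = cert_name    # ServerHello read: certificate name
    return decisions

if __name__ == "__main__":   # constructed case: no SNI, as with openssl s_client
    print(trace(CONF_SPLICE_ONLY, "31.13.76.101", cert_name="*.facebook.com"))
```

The trace makes James's point visible: a client that sends no SNI (the `openssl s_client` test) is still peeked through steps 1 and 2, and only at step 3, once the server certificate has been seen, can `allowed_https_sites` match or the session be terminated, which is why nothing after the first peek shows up as a filtering decision at connect time.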