[squid-users] filtering http(s) sites, transparently

Jok Thuau jok at spikes.com
Mon Apr 4 04:18:03 UTC 2016


I'm attempting to build a transparent proxy (policy based routing on
firewall to squid proxy) with the following behavior:

1) proxies http traffic for a given set of domains, provide an message
otherwise such "domain not allowed" or similar
2) proxies https traffic for a given set of domains (ideally, splicing
those, so as not to break HSTS, if enabled), otherwise provide an error
message (bumping and providing "domain not allowed")

I'm attempting this with a 3.5.15 compiled with icap (not yet used) and
ssl-bumping.

Part 1 seems easy enough (and is well documented)...

acl whitelist dstdomain .domain1.tld
acl whitelist dstdomain .domain2.tld

acl http_ok all-of whitelist !SSL_ports

http_access allow http_ok
http_access deny all

Moving onto Part 2 (the peek and splice setup) appears to be the topic of a
few discussions out there...

acl sni_whitelist ssl::server_name .domain1.tld
acl sni_whitelist ssl::server_name .domain2.tld

ssl_bump peek step1
ssl_bump splice sni_whitelist
ssl_bump bump all

It appears however that when combining the two, the generated
certificate(s), instead of mimic'ing the original server's certificate
comes out with the CN=<IP> where <IP> is the ip used by the "connect" part
of the connection. In addition, it appears that only the first entry ever
matches (at this point, i've tried so many combinations, i'm no longer
certain of anything).

If i remove *all* the http_access lines, then the behavior appears correct
(from a "splicing/bumping" standpoint).

Can anyone confirm that this is indeed possible to achieve?

I believe, based on experimentation that any http_access i have, because of
the "deny all" cause the bumping to "short circuit" and effectively send an
early "access denied" based on the only information it has (the ip address
from the "connect", rather than the SNI that would come later).

Would a setup where "deny http+!whitelist" so have the allow be the default
allow for the bumping to work and get to step2 and match the sni* acls
somehow? (with a "deny step2 !sni_whitelist").

Is 3.5.15 capable of doing this? If this requires some feature/effort, what
would be the procedure to sponsor that work?

Thanks,
Jok
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160403/4732411b/attachment.html>


More information about the squid-users mailing list