[squid-users] Browser circumvents ACLs blocking https (intercept mode)

Sergio Belkin sebelk at gmail.com
Sat Apr 16 23:10:49 UTC 2016


Hi,

I cannot block some sites using squid 3.4.8; this is the configuration. On
Firefox, blocking works; the browser says:

`Error code: SSL_ERROR_RX_RECORD_TOO_LONG`

But on Chromium Version 49.0.2623.108, the browser is not affected by the
blocking ACLs, even though access.log says:

````
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443
HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request
HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443
HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443
HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443
HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request
HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443
HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "
%BA%5D%B71A%E2%90C%BD0:Ep%82%99%FE%88 HTTP/0.0" 400 3638 "-" "-"
TAG_NONE:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443
HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request
HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443
HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request
HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] " %11Tf%03%A4%83%F3%8C%EE
HTTP/0.0" 400 3614 "-" "-" TAG_NONE:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request
HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:23 -0300] "CONNECT 172.217.29.14:443
HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:23 -0300] "NONE error:invalid-request
HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
````

While debugging, I found this in cache.log:

````
2016/04/16 20:00:21.924 kid1| client_side.cc(864) swanSong: local=
172.217.28.225:443 remote=192.168.80.250:55068 flags=33
2016/04/16 20:00:21.925 kid1| Checklist.cc(62) preCheck: 0x7eff3754
checking fast ACLs
2016/04/16 20:00:21.925 kid1| Acl.cc(157) matches: checking access_log
daemon:/var/log/squid3/access.log
2016/04/16 20:00:21.925 kid1| Acl.cc(157) matches: checking (access_log
daemon:/var/log/squid3/access.log line)
2016/04/16 20:00:21.925 kid1| Acl.cc(177) matches: checked: (access_log
daemon:/var/log/squid3/access.log line) = 1
2016/04/16 20:00:21.926 kid1| Acl.cc(177) matches: checked: access_log
daemon:/var/log/squid3/access.log = 1
2016/04/16 20:00:21.926 kid1| Checklist.cc(55) markFinished: 0x7eff3754
answer ALLOWED for match
````

Could you please help? Am I missing something? Below is my configuration:

````
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl tvsamsung src 192.168.80.160
acl sarmiento src 192.168.80.248
acl netbook src 192.168.80.245
acl dompermitidos dstdomain "/etc/squid3/rules/whitelistdom"
acl streaming dstdomain "/etc/squid3/rules/streaming"
acl test  dstdomain .debian.org
acl streamingips dst "/etc/squid3/rules/streamingips"
acl sergiocel src 192.168.80.249
acl tiempojuanse time SMTWHFA 10:00-13:00
acl tiempojuanse time SMTWHFA 16:00-22:00
acl yt dstdomain .youtube.com
acl facebook dstdomain .facebook.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
always_direct allow all
ssl_bump none all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
http_access allow  tvsamsung
http_access deny yt
http_access allow facebook
http_access deny  streaming
http_access deny  streamingips
http_access allow dompermitidos
http_access allow  sarmiento
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port 3127 intercept
https_port 8080 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/home/proxy/ssl_cert/example.com.cert
key=/home/proxy/ssl_cert/example.com.private
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
access_log daemon:/var/log/squid3/access.log combined
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
````

Thanks in advance!
-- 
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org