[squid-users] Peek'n Splice (ssl_bump) and authentication Somewhat OT: Content Filter with https
Eliezer Croitoru
eliezer at ngtech.co.il
Thu Jun 9 00:11:34 UTC 2016
Hey Sergio,
It depends on a couple of aspects of the setup.
The basic rule is that in the case you require authentication you are required to use a configured proxy and without Interception.
For SSL BUMP to work you need the clients to either access the proxy directly or to intercept their connections. (Interception is not a must.)
If your setup doesn't have terminal servers for multiple clients then you can use an IP to USER authentication using a variety of options such as:
- Web Authentication portal
- DHCP level Authentication
- Radius based Authentication
- A couple of others.
(all the above are based on IP level restrictions)
HTTPS and HTTP filtering are a bit different but if you have a basic "catch all" rule it would be much simpler to move on from there with the logic and implementation.
Specifically for HTTPS connections, if you have a list of sites that you don't need to bump and you will be using a directly configured proxy (non-intercept), then you would be able to minimize the noise that comes with fake certificate generation.
My suggestion in general is to first declare squid as a "first" trial and testing stage for a solution.
For some places Squid's breaking of web-sockets is an overhead that cannot be tolerated, while in other places it is acceptable as a security breach blocker.
If the place is not huge (200+ users) then I would start with a simple forward proxy with SSL BUMP but in splice-first mode (since peek and splice might not be needed due to the clients stating their target domain name) and later add the bump step.
It will help you to try and see how the proxy takes the load (with filtering but without caching).
Then move on to the next step of authentication, maybe Kerberos if "transparent" authentication is required, and if not then a simple LDAP-based one.
If SquidGuard functionality is good for you then use it.
If not then ufdbguard or any other solution that is in your mind.
I tend to not publish my work too much here but if you want to take a peek and see how it works for you then:
http://new.ngtech.co.il/squidblocker_en.html
I also think that others' work such as:
- http://www.quintolabs.com/ Diladele
- https://www.clearos.com/
- https://www.censornet.com/
are worth mentioning due to their high quality. (I have tested some of them myself.)
About ufdbguard, it's not doing authentication but only URL filtering as far as I know.
Squid's way of handling authentication is one and it's not on the same "channel" as filtering but an ICAP service can do that too.
Hope It Helps,
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
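An added example, not from this thread and not Eliezer's own setup: a squid.conf fragment for the starting point described above, i.e. a directly configured (non-intercept) forward proxy, directory-backed proxy authentication, SSL-Bump in splice-first mode with a short never-bump list, and SquidGuard as the URL-filtering helper. The CA and helper paths, hostnames, base DN and example domain names are assumptions.

```conf
# Added example (not from the thread). Paths, hostnames, base DN and
# domain names below are placeholders for illustration.

# Forward proxy port; clients point at it explicitly (no interception), so
# proxy authentication on the CONNECT request works as usual.
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/proxyCA.pem key=/etc/squid/ssl_cert/proxyCA.key
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Only accounts that authenticate against the directory may use the proxy.
# (negotiate_kerberos_auth can replace this later if "transparent"
# single sign-on is wanted.)
auth_param basic program /usr/lib/squid/basic_ldap_auth \
    -R -b "dc=example,dc=local" -D "cn=squid,cn=Users,dc=example,dc=local" \
    -W /etc/squid/ldap_pass -f "(sAMAccountName=%s)" -h dc1.example.local
auth_param basic children 10
auth_param basic realm Proxy
auth_param basic credentialsttl 1 hour
acl authenticated proxy_auth REQUIRED

# URL filtering via an external helper (SquidGuard or ufdbguard); the helper
# only blocks or rewrites, it does not authenticate.
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !authenticated
http_access allow authenticated
http_access deny all

# Stage 1 ("splice first"): peek at the ClientHello to learn the SNI, then
# splice everything. Sites in the list are never bumped, which avoids
# generated-certificate noise; when the bump step is added later, replace
# the final "splice all" with "bump all" and keep the splice line above it.
acl step1 at_step SslBump1
acl nobump_sites ssl::server_name .bank.example .payroll.example
ssl_bump peek step1
ssl_bump splice nobump_sites
ssl_bump splice all
# ssl_bump bump all   # stage 2: enable once filtering load is understood
```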
From: Sergio Belkin [mailto:sebelk at gmail.com]
Sent: Thursday, June 9, 2016 1:53 AM
To: Eliezer Croitoru
Cc: Squid Users
Subject: Re: Peek'n Splice (ssl_bump) and authentication [squid-users] Somewhat OT: Content Filter with https
2016-06-08 19:09 GMT-03:00 Eliezer Croitoru <eliezer at ngtech.co.il>:
Hey Sergio,
There are a couple of approaches to content filtering in the Linux world and in other spaces.
Squid is open source and gives a lot, but there are other ideas and ways to perform content filtering.
Squid was designed for caching and does things in a specific way, while other solutions might give a feature that would work "without interception".
On HTTP it is doable to perform filtering in a very efficient way that is similar to Squid's PEEK and SPLICE, but there is a need for some level of interception in one step or another to perform the actual "block" operation.
I do not know about open source products that offer everything, and it is very simple to understand why.
What I know about are:
- Squid + external tools (such as SquidGuard, ufdbguard, others)
- Ntop layer 7 filtering
- Custom DPI iptables modules
- NFQUEUE based IPS\IDS which can act as a url filtering engine
Consider that if you require only filtering and not caching then you can get very high performance from many applications.
The fact that Squid was designed for Caching doesn't mean that you need to use it.
Also there are a couple of cases in which caching will hold your line and users' speed.
The best-case scenario would be to not intercept the traffic into squid, while in many cases it is not possible.
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
Thanks Eliezer, good summary. I've changed the subject to reflect the issue better. As far as I understand from the documentation, one can bump https only by interception.
But what about if a Windows user logs in against an Active Directory, will the authentication work to use the proxy?
I mean, what I'd want is:
- Only users of an Active Directory can use the proxy
- Block certain URLs
Is that possible with squid+ufdbguard?
Or should I use other tools/ways just like you mentioned?
Thanks in advance!
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org