[squid-users] Basic HTTPS filtering via CONNECT in Squid

Varun Singh varun.singh at gslab.com
Mon Feb 13 03:36:51 UTC 2017


On Feb 12, 2017 5:43 PM, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:

On 12/02/2017 11:51 p.m., Varun Singh wrote:
> On Feb 12, 2017 2:21 PM, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:
>
> On 12/02/2017 7:40 p.m., Varun Singh wrote:
>>
>> The answer points to installing a CA on client.
>
> The question was about how to get browsers talking TLS *directly to a
> Squid reverse-proxy*. Your Ubuntu package is not capable of that and you
> are not using a reverse-proxy.
>
>> Does this mean even if I don't want Squid-in-the-middle approach, my
>> clients would still have to install a certificate?
>
> No. It is irrelevant to yrou sitation.
>
>
> You began this thread with a simple question:
>
>> Hi,
>> I have a Squid 3 installed on Ubuntu 16.04. It works perfectly as an
>> HTTP proxy server in transparent mode.
>> I wanted to know whether it can be configured to run as HTTPS proxy
>> server without ssl-bump i.e. without 'man in the middle attack'
>> technique.
>
>
> Everything you have been asking about since then is various ways to do
> parts of the SSL-bump process. Which does not fit very well with the
> "without ssl-bump" requirement.
>
>
> Simply put; if you are not going to SSL-Bump then you can discard any
> thoughts of doing things with the HTTPS messages or port 443 traffic.
>
> If you have changed your mind and want to use SSL-Bump now, please
> re-describe what you want to actually happen now.
>

You have not described what you want to happen. Just asked how to do
this unknown thing...


I want to implement a URL filter using proxy server. My clients will use
this server either from their web-browsers or via strongSwan IPSec VPN
server. If they use the proxy server via VPN server, their VPN profile will
have HTTP and HTTPS proxy server configuration.

This proxy server will filter HTTP and HTTPS websites based on ACL
provided. For security reasons, I want to avoid using SSL-bump.


>
> Hi,
> Simply put, my question has three parts:
> 1. Can Squid be configured as an HTTPS proxy server without SSL-Bump?


* The term "HTTPS" is a generic term used to simultaneously describe two
completely different traffic syntaxes (CONNECT tunnels, and port 443 TLS).

* There are three proxy operating "modes" which may receive each of
those types of traffic (explicit/forward, intercept/tproxy, and
reverse/CDN/accel).

* For each type of traffic one mode is invalid, leaving 2x2= 4 different
sets of operations all called "proxying HTTPS".


This means the combinations are:
#1 CONNECT - explicit/forward
#2 443 TLS - explicit/forward

#3 CONNECT - intercept/tproxy
#4 443 TLS - intercept/tproxy

#5 CONNECT - reverse/CDN/accel
#6 443 TLS - reverse/CDN/accel

One of modes in each type is invalid. So, from Squid's HTTPS feature page,
looks like my scenario falls either in #1 or #3.

* all 4 of those ways may be done with or without SSL-Bump feature.

When not using SSL-Bump 2 of the ways of "proxying HTTPS" will work, 2
will not.

When using SSL-Bump the non-working ways of "proxying HTTPS" will start
working, and the working ways will have an extra permutation of splice
vs bump operation that can happen. Extending the possibilities to be 6
ways of "proxying HTTPS".


So the answer(s) to your first question are:

yes, no.  yes, no.  no, yes.



> 2. If yes, then what other configurations have to performed other than
> "https_port XXXX"?

For the cases where the #1 answer was "yes" and not "no".

a) An explicit/forward or intercept proxy not using ssl-bump and
receiving CONNECT requests does not need any special configuration to
"proxy HTTPS". The proxy will simply enact the requested opaque tunnel
in accordance to HTTP rules.


So this means other than specifying "https_port XXXX" no other config is
needed.
When I setup Squid with just "https_port xxxx" and configured Firefox to
use my proxy server for HTTP and HTTPS, it worked fine for HTTP but for
HTTPS it gave "Proxy server rejected connection".

So either something is wrong in my squid.conf or my assumption is incorrect
that my scenario falls in #1 or #3.


b) A reverse proxy requires the 'accel' mode flag, and the cert= option
must load the cert for the domain you are hosting on that port, and the
key= option must load the private key for that certificate.

c) all other modes will not work without SSL-Bump feature.



> 3. In this configuration, can Squid filter HTTPS requests from ACL?
>

That depends on the meaning of "this". There are 3 different
configurations in the answer to #2.

For (2a) - no. Only the CONNECT request can be filterd.


>From below links it looks like destination IP Address or hostname of a
CONNECT request is same as HTTPS request. Is that correct?

https://en.m.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling

http://stackoverflow.com/a/11698002/548403


For (2b) - yes. BUT, notice that it requires private key data for certs.
This configuration is only usable when _you own the domain_ which the
client is visiting.

For (2c) - SSL-Bump feature is the mechanism which enables https://
filtering for all traffic modes other than that described by (2b).
Without using that feature - no.


Do you understand now why every path you have tried ends up with how-tos
for configuring SSL-Bump?


Yes, thanks for the elaborate explanation.


HTH
Amos
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170213/da576b34/attachment.html>


More information about the squid-users mailing list