[squid-users] Squid TPROXY issues with Google sites

Vieri rentorbuy at yahoo.com
Fri May 26 23:22:02 UTC 2017


I forgot to put the emphasis on one thing. I did not change my squid.conf or my ACLs. The only difference is in the ssl_bump configuration directives.

If I have this:

acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome ssl::server_name mail.google.com
http_access deny DenyTroublesome
ssl_bump peek all
ssl_bump splice AllowTroublesome
ssl_bump bump all

then access to https://mail.google.com is allowed when I was hoping to block it.

If I replace the above snippet with this:

ssl_bump stare all
ssl_bump bump all

then access to https://mail.google.com is blocked as expected.

The above puzzles me since I haven't changed anything else.
If I had an http_access rule that allowed the transaction to take place then I would expect it to happen regardless of the ssl_bump directive.

Alex, you mention the SSLPeekAndSplice web page. I'll try to sum it up in just a few lines (correct me if I'm wrong):
- peek implies splice which means you can't do content analysis (as in scan for threats via c-icap modules)
- stare implies bump which means you can do content analysis
- you don't need to stare, you can just bump
- you need to stare before bump if you want the clients to accept a certificate with domain names instead of IP addresses
- you can bump first by ACLs and then splice the rest
- you can bump after peek but only if you do that at SslBump1

I'm asking this because the wiki page isn't all that clear to me. Especially the "Bump All Sites Except Banks" example where the next phrase contradicts the title by saying that the requests to non-banks won't be bumped.

Anyway, I'm only interested in bumping as much as possible so I can scan content for threats.

So Amos, here goes my full squid.conf:

# grep -v ^# squid.conf  | grep -v "^\$"
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 901		# SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/squid.custom.rules
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

# grep -v ^# squid.custom.rules  | grep -v "^\$"
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
external_acl_type nt_group ttl=0 children-max=10 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/prx1.mydomain.org at MYDOMAIN.ORG
auth_param negotiate children 60
auth_param negotiate keep_alive on
auth_param basic realm MYORG proxy
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl FHM_all proxy_auth REQUIRED
acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130
acl interceptednormal myportname 3131
acl interceptedsslnormal myportname 3132
acl allowed_ips src "/usr/local/share/proxy-settings/allowed.ips"
acl allowed_groups external nt_group "/usr/local/share/proxy-settings/allowed.groups"
acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
acl denied_ads url_regex "/usr/local/share/proxy-settings/denied.ads"
acl denied_filetypes urlpath_regex -i "/usr/local/share/proxy-settings/denied.filetypes"
acl restricted_ips src "/usr/local/share/proxy-settings/restricted.ips"
acl restricted_groups external nt_group "/usr/local/share/proxy-settings/restricted.groups"
acl restricted_domains dstdomain "/usr/local/share/proxy-settings/restricted.domains"
http_access deny restricted_ips !restricted_domains
http_access deny restricted_groups !restricted_domains
http_access deny denied_domains !allowed_groups !allowed_ips
http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
http_access deny denied_ads !allowed_groups !allowed_ips
http_access deny denied_filetypes !allowed_groups !allowed_ips
http_access deny explicit !FHM_all
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny interceptedsslnormal !localnet
http_access deny interceptednormal !localnet
cache_mgr it at mydomain.org
email_err_data on
error_directory /usr/share/squid/errors/MYORG
append_domain .mydomain.org
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 10
reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service squidclamav respmod_precache bypass=0 icap://127.0.0.1:1344/clamav
adaptation_access squidclamav allow all
include /etc/squid/squid.custom.common
include /etc/squid/squid.custom.hide
cache_dir diskd /var/cache/squid 100 16 256
http_access allow localnet

# grep -v ^# squid.custom.common  | grep -v "^\$"
cache_mgr it at mydomain.org
email_err_data on
error_directory /usr/share/squid/errors/MYORG

# grep -v ^# squid.custom.hide  | grep -v "^\$"
httpd_suppress_version_string on
dns_v4_first on
via off
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Do you require the full ACLs too?

# grep google /usr/local/share/proxy-settings/*
/usr/local/share/proxy-settings/denied.domains:play.google.com
/usr/local/share/proxy-settings/denied.domains:mail.google.com

Note that the above configuration correctly blocks access to https://mail.google.com.
It also allows access to https://accounts.google.com and I can enter my Google username. However, I cannot press "the Next button" to enter the password. I could try to study the web page's source code but at a first glance:
1) Google login works fine if I by-pass the Squid proxy or if I use "ssl_bump splice".
2) I am not denying access to any Google service except for "play" and "mail".

Not being able to press "the Next button" is what I meant by "unreported error" in my previous e-mail. It is easy to reproduce with my squid.conf.

Thanks,

Vieri


More information about the squid-users mailing list