[squid-users] URL Regex ACLs Don't Evaluate After Bumping

Shane Poage Shane.Poage at entrustdatacard.com
Thu Nov 1 20:46:36 UTC 2018


Hello,

I have a proxy configured to bump all traffic in order to do traffic filtering to a target server (Artifactory, in my case) from a particular environment. The proxy needs to be able to allow or permit traffic based on the path part of the URL in order to only allow access to a certain set of Artifactory repositories. I have my proxy configured to bump all traffic so that the urlpath_regex ACL can be applied, but it appears to not have any effect post-bump. I have dug through the debug logging and it evaluates the ACL before the bump occurs, but not after. I know it's bumping and decrypting the request properly because the access log shows the information I need, but it's not actually applying the ACL.

Can anybody provide recommendations as to what I might be doing wrong? My (highly simplified, to remove possible points of failure) squid.conf is provided below, as well as the debug logs from a couple of sample requests.

Thanks,
-Shane

----  squid.conf ----------------------------
# enable ACL debug logging
debug_options 28,3

# Configure a man-in-the-middle sslbumping strategy
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_certs/artifactory_mitm_ca.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

ssl_bump bump all

# Additional custom ACLs
acl artifactory_repo_filter urlpath_regex ^/artifactory
http_access allow artifactory_repo_filter

# And finally deny all other access to this proxy
http_access deny all


----  access.log -----------------------------
1541104544.428      0 <CLIENT_IP> TCP_DENIED/200 0 CONNECT google.com:443 - HIER_NONE/- -
1541104544.433      0 <CLIENT_IP> TAG_NONE/403 3900 GET https://google.com/ - HIER_NONE/- text/html
1541104555.408      0 <CLIENT_IP> TCP_DENIED/200 0 CONNECT <ARTIFACTORY_SERVER_DOMAIN>:8443 - HIER_NONE/- -
1541104555.411      0 <CLIENT_IP> TAG_NONE/403 3975 GET https://<ARTIFACTORY_SERVER_DOMAIN>:8443/artifactory/path/matching/the_request.jar - HIER_NONE/- text/html


----  cache.log -----------------------------
2018/11/01 20:35:44.427 kid1| 28,3| Checklist.cc(70) preCheck: 0x55d5742e4918 checking slow rules
2018/11/01 20:35:44.427 kid1| 28,3| Acl.cc(158) matches: checked: artifactory_repo_filter = -1
2018/11/01 20:35:44.427 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 0
2018/11/01 20:35:44.427 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<CLIENT_IP>:41736' found
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: http_access#2 = 1
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(63) markFinished: 0x55d5742e4918 answer DENIED for match
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x55d5742e4918 answer=DENIED
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(70) preCheck: 0x55d5742e5378 checking slow rules
2018/11/01 20:35:44.428 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<CLIENT_IP>:41736' found
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(63) markFinished: 0x55d5742e5378 answer ALLOWED for match
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x55d5742e5378 answer=ALLOWED
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffebd1f0df0 checking fast ACLs
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2018/11/01 20:35:44.428 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2018/11/01 20:35:44.428 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffebd1f0df0 answer ALLOWED for match
2018/11/01 20:35:44.433 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffebd1f0ec0 checking fast ACLs
2018/11/01 20:35:44.433 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2018/11/01 20:35:44.433 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2018/11/01 20:35:44.433 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffebd1f0ec0 answer ALLOWED for match
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(70) preCheck: 0x55d5742e4918 checking slow rules
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: artifactory_repo_filter = -1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 0
2018/11/01 20:35:55.408 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<CLIENT_IP>:41738' found
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: http_access#2 = 1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(63) markFinished: 0x55d5742e4918 answer DENIED for match
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x55d5742e4918 answer=DENIED
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(70) preCheck: 0x55d5742e5378 checking slow rules
2018/11/01 20:35:55.408 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '<CLIENT_IP>:41738' found
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(63) markFinished: 0x55d5742e5378 answer ALLOWED for match
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0x55d5742e5378 answer=ALLOWED
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffebd1f0df0 checking fast ACLs
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2018/11/01 20:35:55.408 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2018/11/01 20:35:55.408 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffebd1f0df0 answer ALLOWED for match
2018/11/01 20:35:55.411 kid1| 28,3| Checklist.cc(70) preCheck: 0x7ffebd1f0ec0 checking fast ACLs
2018/11/01 20:35:55.411 kid1| 28,3| Acl.cc(158) matches: checked: (access_log daemon:/var/log/squid/access.log line) = 1
2018/11/01 20:35:55.411 kid1| 28,3| Acl.cc(158) matches: checked: access_log daemon:/var/log/squid/access.log = 1
2018/11/01 20:35:55.411 kid1| 28,3| Checklist.cc(63) markFinished: 0x7ffebd1f0ec0 answer ALLOWED for match
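As an added example (not the poster's configuration and not a reply from the list), the same filter restructured so that the initial CONNECT request, whose URL is only host:port and so gives urlpath_regex no path to test (the `artifactory_repo_filter = -1` in the trace above, followed by `deny all`), is admitted only to the Artifactory host, while the path filter is applied to the decrypted requests that Squid re-checks against http_access after the bump. The ACL names CONNECT, artifactory_host and artifactory_port are assumed; the host name is the post's placeholder.

```conf
# Added example: a two-stage http_access ruleset for a bump-all proxy.
# Bumping setup unchanged from the post.
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_certs/artifactory_mitm_ca.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
ssl_bump bump all

acl CONNECT method CONNECT
acl artifactory_host dstdomain <ARTIFACTORY_SERVER_DOMAIN>
acl artifactory_port port 8443
acl artifactory_repo_filter urlpath_regex ^/artifactory/

# Stage 1: the CONNECT request. It carries only host:port, so a urlpath_regex
# ACL cannot match it. Admit the tunnel to the one destination we intend to
# inspect and deny every other tunnel outright.
http_access allow CONNECT artifactory_host artifactory_port
http_access deny CONNECT

# Stage 2: the decrypted GET/PUT/... requests inside the bumped tunnel. Squid
# evaluates http_access again for each of them, and their URLs now carry a
# path, so the repository filter is finally testable. Anything outside the
# allowed repositories gets a 403 inside the tunnel.
http_access allow artifactory_host artifactory_repo_filter
http_access deny all
```

With this ordering the access.log should show the CONNECT as TCP_TUNNEL rather than TCP_DENIED, followed by the bumped request lines carrying the real allow/deny outcome.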


