[squid-users] Using SSL bump and reverse proxy for DNS sinkhole
Antony Stone
Antony.Stone at squid.open.source.it
Sat Sep 8 08:41:54 UTC 2018
On Saturday 08 September 2018 at 10:25:44, thompsonm wrote:
> Hello, I have a question about squid SSL bump and reverse proxy. Basically
> for a final project I want to create a DNS sinkhole, where the client tries
> to query a domain that has a bad reputation or is known for drive-by
> downloads etc, and the DNS server returns false information, such as an
> internal IP. Then the client is redirected to this internal IP, where a web
> server is listening, and makes the HTTP request as normal.
Okay, that makes sense (technically, at least) so far...
> All the HTTP requests along with host, URL, client IP etc, are then logged.
Yep, the web server (which I presume is run by you) will do that for you.
> It's easy to make this work with HTTP. However, I want it to work also with
> HTTPS.
What's the difference? A web server can serve HTTPS as easily as it can serve
HTTP.
> So basically set up a MITM
In The Middle of what?
Client is one end, but what's at the "other end" of some connection you're in
the "middle" of?
Surely the other end is your own web server - I mean, you're trying to prevent
people from connecting to (certain) real sites by giving the clients fake DNS
replies, yes? So, they never end up on the real site, and there's no
connection for you to intercept.
> SSL proxy, where the proxy generates its own certificate for the suspicious
> website the client is trying to connect to, and then HTTP requests are
> forwarded to a web server listening on the same host.
This is over-complicated. You just need one of:
1. a web server which will generate an SSL certificate on the fly and then serve
HTTPS content back to the client using that certificate
or
2. a pile of SSL certificates which you generate using your own CA at the same
time you put the fake entries into DNS. After all, you know what domains
you're putting into your "DNS sinkhole", so just generate an SSL certificate
for each one as you do it, load them onto your web server, and there you go.
Basically, if you don't need to use Squid in intercept mode for the HTTP
solution, you don't need to use SSL Bump for the HTTPS solution.
> I'm not sure how to do this. Is there any way to do this with squid SSL
> bump and reverse proxy?
Not that I can see, no, because there is no connection to be in the middle of
that you want to intercept. You want the client to be at one end, and your
own server at the other end, whether it's HTTP or HTTPS - in neither case do
you want clients to connect to the real servers.
Or, have I misunderstood something about your objective?
Antony.
--
<flopsie> yes, but this is #lbw, we don't do normal
Please reply to the list;
please *don't* CC me.
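Option 2 from the reply above in working form, as an added example that is not code from the thread or from Squid: a small Go program (assumed, not a Squid component) that mints a certificate for each sinkholed domain from a local sinkhole CA, hands the client whichever name it asked for via SNI, and logs client IP, Host and URL. The CA key and certificate are generated in-process for the demo; in practice you would load your own CA and distribute its certificate to the clients.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"math/big"
	"net/http"
	"sync"
	"time"
)
// Sinkhole CA, generated at startup (assumption: real deployments load their own CA from disk).
var caKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
var caCert = mustCA()
var cache sync.Map // domain -> *tls.Certificate, so each domain is minted once
func mustCA() *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sinkhole CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil { log.Fatal(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}
// LeafFor mints (or returns the cached) server certificate for one sinkholed domain, signed by the CA.
func LeafFor(domain string) (*tls.Certificate, error) {
	if c, ok := cache.Load(domain); ok { return c.(*tls.Certificate), nil }
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: domain},
		DNSNames: []string{domain}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil { return nil, err }
	c := &tls.Certificate{Certificate: [][]byte{der, caCert.Raw}, PrivateKey: key}
	cache.Store(domain, c)
	return c, nil
}
func main() {
	srv := &http.Server{Addr: ":8443", TLSConfig: &tls.Config{
		// The client's SNI tells us which sinkholed name it expected; serve a cert for exactly that name.
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) { return LeafFor(h.ServerName) }},
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			log.Printf("sinkhole hit client=%s host=%s url=%s", r.RemoteAddr, r.Host, r.URL)
			http.Error(w, "blocked", http.StatusForbidden)
		})}
	log.Fatal(srv.ListenAndServeTLS("", "")) // no files needed: GetCertificate supplies every cert
}
```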