[squid-users] Filering HTTPS URLs - A complete configuration
Paul Doignon
paul at doignon.fr
Mon Feb 11 10:55:05 UTC 2019
> No need to compile and build it for AWS:
> I already built it for both AWS 1 and 2:
> http://ngtech.co.il/repo/amzn/
>
> Can be downloaded and is tested to work very well on both OS.
>
> Eliezer
Thanks, looks really good!
I guess those Amazon Linux 1 packages come from there: http://gogs.ngtech.co.il/NgTech-LTD/squid-amzn1-squid4-rpms ?
> The closest you are going to get to the above is with:
> * bump everything[1], and
> * use http_access to check the https:// URLs for your policy
> * use "deny_info TCP_RESET" [2] on the blocked requests.
>
> [1] some things literally cannot be bumped. So a decision needs to be
> made about what to do then.
All right, good point. I guess adding this second line will terminate those un-bumpable requests?
# --
ssl_bump bump all
ssl_bump terminate all
# --
> [2] a regular deny error page will work fine. This TCP_RESET is just
> closest to the "ssl_bump terminate" behaviour.
>
> Amos
This is perfect, thanks a lot.
I leave my complete config for other users:
# --
# General
cache_effective_user squid
cache_effective_group squid
shutdown_lifetime 1 seconds
visible_hostname squid-something.unique
# Hide some revealing stuff
forwarded_for delete
# "on" (not "off") is what actually suppresses the Squid version in Server: headers and error pages
httpd_suppress_version_string on
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
via off
global_internal_static off
cache deny all
# Tuning
max_filedesc 10000
# Security
http_access deny manager
host_verify_strict on
ignore_unknown_nameservers on
snmp_port 0
snmp_access deny all
icp_port 0
icp_access deny all
htcp_port 0
htcp_access deny all
http_port localhost:3128 # Squid default port
# Handling HTTPS requests
# Ciphers from https://wiki.mozilla.org/Security/Server_Side_TLS
https_port 8080 act-as-origin ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE intercept
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
#
tls_outgoing_options cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 min-version=1.2 options=NO_SSLv3,SINGLE_DH_USE
acl TO_SSL port 443
acl LAN src 172.16.0.0/24
acl whitelist-regex url_regex -i ^https://thirdparty\.com/upload/stuff/$
acl CONNECT method CONNECT
deny_info TCP_RESET all
http_access allow LAN TO_SSL CONNECT
http_access allow LAN TO_SSL whitelist-regex
http_access deny all
# SSL bump
ssl_bump bump all
ssl_bump terminate all
# --
---- On Thu, 07 Feb 2019 01:46:23 +0100 Amos Jeffries <squid3 at treenet.co.nz> wrote ----
> On 7/02/19 3:52 am, Paul Doignon wrote:
> > Thanks, I appreciate your detailed answer.
> >
> > > > I'm struggling a lot to configure Squid. To improve the security of my app in my AWS private subnet,
> > >
> > > If it is indeed *your* app, then please alter it not to require the
> > > interception we see below. Being able to connect to a TLS explicit proxy or
> > > just sending a regular proxy CONNECT tunnel is a leap up in security.
> >
> > I wish I could too! Unfortunately, we use some third-party libraries that do not support proxies (or not well). What a shame :(
> >
> > > > # Hide some revealing or useless headers
> > > > forwarded_for delete
> > > > httpd_suppress_version_string off
> > > > reply_header_access X-Cache deny all
> > > > reply_header_access X-Cache-Lookup deny all
> > > > via off
> > > >
> > > > # Tuning
> > > > max_filedesc 10000
> > > >
> > > > # Disable access to manager
> > > > http_access deny manager
> > >
> > > 2) you are missing the security protections from the default squid.conf...
> >
> > I have not hardened Squid yet, but you mean the default `acl localnet src [...]` rules? I'm not sure about this.
> >
>
> The defaults that come with a new build or installation:
>
> "
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
>
> ... your rules go here ...
>
> http_access deny all
> "
>
>
> > > Please see <https://wiki.squid-cache.org/Features/SslPeekAndSplice> for
> > > details on the TLS handshake process and what SSL-Bump does during that.
> >
> > Another read was indeed interesting; I think I corrected the ssl_bump directives. However, I still can't make it work.
> > Just for the record, I would like to block everything but some HTTPS websites for particular URLs. The ssl::server_name acl is not enough for me; I would like to use url_regex or similar.
> > And that's where it goes wrong: I can't make Squid make the link between `ssl_bump bump` and url_regex.
>
>
> That is because ssl_bump is the access control governing the TLS
> handshake process. TLS message/frames do not contain URLs. Even when a
> client CONNECT request is being processed it only has an authority-URI
> (not a full URL).
>
> The http_access rules are the first point you get access to the URL. The
> https:// URLs start *after* the ssl_bump finishes with a successful
> 'bump' action.
>
>
> The closest you are going to get to the above is with:
> * bump everything[1], and
> * use http_access to check the https:// URLs for your policy
> * use "deny_info TCP_RESET" [2] on the blocked requests.
>
> [1] some things literally cannot be bumped. So a decision needs to be
> made about what to do then.
>
> [2] a regular deny error page will work fine. This TCP_RESET is just
> closest to the "ssl_bump terminate" behaviour.
>
>
> Amos
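To see what the http_access section of the configuration posted above actually permits, and why the separate CONNECT line is needed given Amos's point that the TLS handshake carries no URL, here is a small Python model of Squid's first-match ACL evaluation over the posted ACLs. It is an added illustration, not code from the original post or from Squid; the Request fields and the sample traffic are constructed assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Model of the http_access section of the posted squid.conf. Squid evaluates
# http_access lines top to bottom; a line matches only when every ACL on it
# matches, and the first matching line decides.
LAN = ip_network("172.16.0.0/24")  # acl LAN src 172.16.0.0/24
WHITELIST = re.compile(r"^https://thirdparty\.com/upload/stuff/$", re.IGNORECASE)  # url_regex -i

@dataclass
class Request:        # assumed minimal view of what the ACLs inspect
    src: str          # client address
    method: str       # "CONNECT" (incl. Squid's fake CONNECT for intercepted TLS) or "GET"
    dst_port: int     # destination port, as seen by the 'port' ACL
    url: str          # a CONNECT carries only an authority (host:port), never an https:// URL

ACLS = {
    "LAN": lambda r: ip_address(r.src) in LAN,
    "TO_SSL": lambda r: r.dst_port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "whitelist-regex": lambda r: WHITELIST.search(r.url) is not None,
    "all": lambda r: True,
}

HTTP_ACCESS = [  # same order as in the posted config
    ("allow", ["LAN", "TO_SSL", "CONNECT"]),
    ("allow", ["LAN", "TO_SSL", "whitelist-regex"]),
    ("deny", ["all"]),
]

def http_access(req: Request) -> str:
    """Return 'allow', or 'TCP_RESET' because 'deny_info TCP_RESET all'
    turns every denial into a connection reset instead of an error page."""
    for action, acls in HTTP_ACCESS:
        if all(ACLS[name](req) for name in acls):
            return "allow" if action == "allow" else "TCP_RESET"
    return "TCP_RESET"  # not reached here: 'deny all' always matches

def classify(src: str, method: str, dst_port: int, url: str) -> str:
    return http_access(Request(src, method, dst_port, url))

if __name__ == "__main__":
    # Constructed sample traffic: one TLS connection from the LAN as Squid sees
    # it before the bump (fake CONNECT, authority only) and after it (real URL).
    for req in [("172.16.0.10", "CONNECT", 443, "thirdparty.com:443"),
                ("172.16.0.10", "GET", 443, "https://thirdparty.com/upload/stuff/"),
                ("172.16.0.10", "GET", 443, "https://thirdparty.com/upload/stuff/file"),
                ("172.16.0.10", "GET", 443, "https://other.example/"),
                ("10.0.0.5", "CONNECT", 443, "thirdparty.com:443")]:
        print(req, "->", classify(*req))
```

Note the `$` anchor in the whitelist: the exact path is allowed but anything beneath it (`.../upload/stuff/file`) gets a reset, and the CONNECT line is what lets the TLS connection reach the bump at all, since at that point there is no https:// URL for url_regex to match.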