[squid-users] Ubuntu 18 with Squid 4.11 SSL_BUMP

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 29 20:33:17 UTC 2020


On 30/04/20 8:15 am, Anthony Mead wrote:
> Thanks!  I've re-compiled without the unnecessary flag, and restarted the service with a new whitelist, unfortunately I'm getting such a variety of /var/log/squid/access.log messages that I'm not sure what to google anymore.
> 
> I want to deny all access to external sites except http/https github.com but some sites seem to connect, while others don't:
> 

There are a lot of details missing from your quoted log lines. Details
such as which server was contacted are important when there is more
than one TCP connection involved.

Since this is SSL-Bump _each_ curl request should result in _3_
access.log lines - with varying client, server and URI values.

You are only showing us one log line at a time, with only the client and
URI parts.


Below is a *guess* about what is going on, based on what the status
says. This is only to demonstrate that for each line you show there is
at least one situation where your squid.conf file tells Squid to do an
action which would result in that line. Whether these guesses are right
requires all the information you are omitting.



> ~$ # this is correct
> ~$ curl http://github.com/
> 10.0.1.180 TCP_MISS/301 200 GET http://github.com/
> 

  acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
  http_access allow allowed_http_sites


> ~$ # this is correct
> ~$ curl https://github.com/ 
> 10.0.1.180 TCP_TUNNEL/200 107323 CONNECT 140.82.114.4:443
> 

  acl SSL_port port 443
  http_access allow SSL_port

  ssl_bump peek all


> ~$ # this should deny
> ~$ curl https://youtube.com/
> 10.0.1.180 TCP_TUNNEL/200 4844 CONNECT 172.217.15.110:443
> 

  acl SSL_port port 443
  http_access allow SSL_port

  ssl_bump peek all


> ~$ # this should deny
> ~$ curl https://google.com/
> 10.0.1.180 TCP_TUNNEL_ABORTED/200 5103 CONNECT 172.217.2.110:443
> 

  acl SSL_port port 443
  http_access allow SSL_port

  ssl_bump peek all


> ~$ # this is denying - but not from squid, but openssl?
> ~$ curl https://news.ycombinator.com/
> curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to news.ycombinator.com:443
> 10.0.1.180 NONE_ABORTED/200 0 CONNECT 209.216.230.240:443
> 

  acl SSL_port port 443
  http_access allow SSL_port

  ssl_bump terminate all



Amos
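Added example, not part of Amos's reply or the Squid project's documentation: the config pattern that makes the "peek all" cases above enforce the whitelist for HTTPS as well. It keeps the thread's whitelist path and ACL names and assumes /etc/squid/whitelist.txt holds one domain per line (e.g. `github.com` and `.github.com`); with `ssl_bump peek all` alone, every CONNECT that passes `http_access allow SSL_port` is spliced regardless of the server name.

```squid
# Whitelist-only forward proxy with SSL-Bump (peek-and-splice).
# Constructed example for this thread; /etc/squid/whitelist.txt is the
# file named in the thread and is assumed to hold one domain per line.

acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
acl allowed_tls_sites  ssl::server_name "/etc/squid/whitelist.txt"
acl SSL_port port 443
acl CONNECT method CONNECT
acl step1 at_step SslBump1

# CONNECT only to port 443. At this point Squid knows only IP:443 (as in
# the "CONNECT 140.82.114.4:443" log lines above), so the hostname cannot
# be checked here; that check happens in the ssl_bump rules below.
http_access deny CONNECT !SSL_port
http_access allow CONNECT SSL_port
# Plain HTTP: whitelisted hosts only.
http_access allow allowed_http_sites
http_access deny all

# Weak form from the thread, kept for comparison: every CONNECT allowed
# above is spliced, whatever server name the client sends.
#   ssl_bump peek all

# Corrected form: read the TLS ClientHello (SNI) at step 1, then splice
# only whitelisted names and close everything else. "terminate" drops the
# TCP connection, so the client sees a TLS-level failure like curl's (35)
# error and access.log records the CONNECT as aborted, as shown above.
ssl_bump peek step1
ssl_bump splice allowed_tls_sites
ssl_bump terminate all
```

Because the name is matched at step 2 from the SNI, the log line for a denied site still shows the CONNECT to IP:443 that passed http_access; the denial is visible as the aborted tunnel, not as a TCP_DENIED entry.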

