[squid-users] deny squid to bump deny_info
André Bolinhas
andre.bolinhas at articatech.com
Wed Dec 8 15:40:03 UTC 2021
Thanks for the quick reply, where I need to add the ssl_bump terminate rule? Inside ssl.conf or http_access.conf?
I have tried in both both but continues to bump the error page.
Also tried ssl_bump terminate all in the top of both files and always bump ther error_page.
This is my current files:
http_access.conf
#### tcp_outgoing_tos ####
#### tcp_outgoing_tos 0 Rules ####
# webfilters_sqacls HaClusterClient=0 2 rules [202] [class.squid.acls.groups.inc]
# webfilters_sqacls #10 : aclport=0 ( ) [212] [class.squid.acls.groups.inc]
# [L.268]: rule id: 10 access_allow Port Direction=0 ()
# [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(10,..)
http_access allow Group17
# webfilters_sqacls #5 : aclport=0 ( ) [212] [class.squid.acls.groups.inc]
# [L.268]: rule id: 5 access_deny Port Direction=0 ()
# [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(5,..)
# Template Enabled for this ACL.
# Final acl is all, Template ID=1
deny_info TEMPLATE_5 all
http_access deny all
#
#
# ------------------ HTTP ACCESS --------------------
# 0 rule(s) from engine (Line 2170)
# SquidStandardLDAPAuth = 0
# EnableOpenLDAP = 0
# SquidRadiusAuth = 0
# LDAP_AUTH = 0 caused by EnableOpenLDAP
acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
http_access allow WindowsUpdates
# LDAP Auth = 0
http_access deny HTTP !Safe_ports all
http_access deny CONNECT !SSL_ports all
http_access deny MyBlockedIPs
http_access deny blockedsites
http_access deny DomainsBlackLists
http_access deny NetworksBlackLists
include /etc/squid3/http_access_final.conf
# END http_access (defaults)
# Allow all networks to finally pass trough proxy.
http_access allow all
ssl.conf
# SSL used for port ID 1, :3128 on
# Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
# SSL Proxy options Proxy version:5.2 [134]
sslcrtd_program /lib/squid3/security_file_certgen -s /var/lib/squid/session/ssl/ssl_db -M 32MB
sslcrtd_children 32 startup=5 idle=1 queue-size=64
#The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
#it means the application knows what certificate to expect when accessing AppStore.
#When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a ^`^xmimicked ^`^y one;
#the application detects that and refuses to function.
#
acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl FakeCert ssl::server_name .bnpparisbas
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice GlobalWhitelistDSTNet
ssl_bump splice GlobalWhitelistDomainsRx
ssl_bump splice GlobalWhitelistDomains
ssl_bump splice FakeCert
# SNI Group google_sni/ssl_sni
# id:16 Type: ssl_sni
acl SNIGroup16 ssl::server_name_regex -i accounts\.google\.com
# 0 Splice rules...
acl KeepSSL ssl::server_name "/etc/squid3/acls_whitelist.dstdomain.conf"
ssl_bump splice KeepSSL
ssl_bump splice GlobalWhitelistDSTNet
# Rules (spliced) added by admins....
# 1 BUMP rules...
#ssl_bump stare all
ssl_bump bump ssl_step2 SNIGroup16
ssl_bump splice all
tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
sslproxy_cert_error allow all
on_unsupported_protocol tunnel all
-----Mensagem original-----
De: Alex Rousskov <rousskov at measurement-factory.com>
Enviada: 8 de dezembro de 2021 15:13
Para: André Bolinhas <andre.bolinhas at articatech.com>; squid-users at lists.squid-cache.org
Assunto: Re: [squid-users] deny squid to bump deny_info
On 12/7/21 8:39 PM, André Bolinhas wrote:
> We use Squid v5 with ssl_bump to decrypt only google domains. With a
> special configuration we also need to deny important websites. Squid
> tries to bump returned error pages
Yes, when SslBump encounters an error, it tries to bump the client connection to deliver the error response.
One way to prevent that error handling algorithm from kicking in is to close the offending client connection using an "ssl_bump terminate" rule (instead[1] of blocking client access using "http_access").
> We have tried using a TCP_RESET deny_info but this does not fix the
> bump operation
I suspect the TCP_RESET feature is checked at error delivery time, after the client connection is bumped to prepare it for error delivery. This suspect behavior should be considered a Squid bug/deficiency IMO -- Squid should not be bumping the TLS connection to deliver a TCP RST or FIN packet.
HTH,
Alex.
[1] It may be a good idea to also/still block client access using http_access rules, as an additional safety layer, but it has to be done carefully so that "ssl_bump terminate" rule matches _before_ any of the corresponding "http_access deny" rules may match.
> In this peace of log, you can see that squid is forcing bump for
> Access Denied website under https:
> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769)
> clientAccessCheckDone: Access Denied: beacons2.gvt2.com:443
> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(770)
> clientAccessCheckDone: AclMatchedName = all
> 2021/12/08 05:05:53.774 kid2| 83,7| LogTags.cc(57) update: TAG_NONE to
> TCP_DENIED
> 2021/12/08 05:05:53.774 kid2| 28,4| FilledChecklist.cc(67)
> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc945c5b40
> 2021/12/08 05:05:53.774 kid2| 28,4| Checklist.cc(197) ~ACLChecklist:
> ACLChecklist::~ACLChecklist: destroyed 0x7ffc945c5b40
> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(1461)
> sslBumpAccessCheck: SslBump applies. Force bump action on error
> UNKNOWN
> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562)
> sslBumpNeed: sslBump required: bump
> 2021/12/08 05:05:53.774 kid2| 73,3| HttpRequest.cc(683) storeId: sent
> back
> effectiveRequestUrl: beacons2.gvt2.com:443
> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(160) rawSpace: reserving 1
> for
> SBuf77493929
> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(866) reAlloc: SBuf77493929
> new store capacity: 40
> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(769) storeCreatePureEntry:
> storeCreateEntry: 'beacons2.gvt2.com:443'
> 2021/12/08 05:05:53.774 kid2| 20,5| store.cc(349) StoreEntry:
> StoreEntry constructed, this=0x5561d9347e90
> 2021/12/08 05:05:53.774 kid2| 20,3| MemObject.cc(100) MemObject:
> MemObject constructed, this=0x5561d5e66f50
> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader:
> init-ing
> hdr: 0x5561d80af128 owner: 3
> 2021/12/08 05:05:53.774 kid2| 88,3| MemObject.cc(83) setUris:
> 0x5561d5e66f50
> storeId: beacons2.gvt2.com:443
> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(85) assign: assigning
> SBuf77493930 from SBuf77493860
> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock:
> storeCreateEntry locked key [null_store_key] e:=V/0x5561d9347e90*1
> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(569) setPrivateKey: 01
> e:=V/0x5561d9347e90*1
> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(421) hashInsert:
> StoreEntry::hashInsert: Inserting Entry e:=XIV/0x5561d9347e90*1 key
> '71570400000000002412000002000000'
> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562)
> sslBumpNeed: sslBump required: client-first
> 2021/12/08 05:05:53.774 kid2| 33,4| ServerBump.cc(28) ServerBump: will
> peek at beacons2.gvt2.com:443
> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock:
> Ssl::ServerBump locked key 71570400000000002412000002000000
> e:=XIV/0x5561d9347e90*2
> 2021/12/08 05:05:53.774 kid2| 4,4| errorpage.cc(720) errorAppendEntry:
> storing TEMPLATE_5 in e:=XIV/0x5561d9347e90*2
> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader:
> init-ing
> hdr: 0x5561d66a8078 owner: 3
> 2021/12/08 05:05:53.774 kid2| 4,2| errorpage.cc(1389) buildBody: No
> existing error page language negotiated for TEMPLATE_5. Using default error file.
>
> Ssl.conf
> # SSL used for port ID 1, :3128 on
> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0 # SSL Proxy options
> Proxy
> version:5.2 [134] sslcrtd_program /lib/squid3/security_file_certgen
> sslcrtd_children 32 startup=5 idle=1 queue-size=64 #The AppStore
> application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
> #it means the application knows what certificate to expect when accessing AppStore.
> #When you enable SSL Bump of HTTPS connections Squid replaces the
> default certificate with a ^`^xmimicked ^`^y one;
>
> #the application detects that and refuses to function.
> #
> acl FakeCert ssl::server_name .apple.com acl FakeCert ssl::server_name
> .icloud.com acl FakeCert ssl::server_name .mzstatic.com acl FakeCert
> ssl::server_name .dropbox.com acl FakeCert ssl::server_name
> .bnpparisbas acl notbump ssl::server_name .redtube.com acl ssl_step1
> at_step SslBump1 acl
> ssl_step2 at_step SslBump2 acl ssl_step3 at_step SslBump3
>
> acl Me dst 127.0.0.1 192.168.58.11
> acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
>
> ssl_bump splice notbump all
> ssl_bump splice GlobalWhitelistDSTNet
>
> ssl_bump splice ssl_step1 Me
> ssl_bump splice ByPassRBL
> ssl_bump splice FakeCert
>
> # SNI Group sni_domains/ssl_sni
> # id:7 Type: ssl_sni
> acl SNIGroup7 ssl::server_name_regex -i account\.google\.com acl
> SNIGroup7 ssl::server_name_regex -i accounts\.google\.com ssl_bump
> peek ssl_step1 all # 0 Splice rules...
> ssl_bump splice ByPassRBL
> ssl_bump splice GlobalWhitelistDSTNet
>
> # Rules (spliced) added by admins....
>
> # 1 BUMP rules...
> ssl_bump bump ssl_step2 SNIGroup7
> ssl_bump splice all
>
> tls_outgoing_options options=NO_SSLv3,NO_TICKET
> cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA
> :!SEED :!aNULL:!eNULL flags=DONT_VERIFY_PEER sslproxy_cert_error allow
> all
>
> http_access.conf
> #### tcp_outgoing_tos ####
> #### tcp_outgoing_tos 0 Rules ####
> # SquidUrgency = 0 exec.squid.global.access.php[2233]
> # HaClusterClient=0 class.squid.acls.groups.inc/buildacls_order
> # mysql_for_port='' aclgpid=0 [L.174]
> # [3] rules [220]
>
>
> # webfilters_sqacls #2 : aclport=0 ( ) [239]
> [class.squid.acls.groups.inc] # [L.292]: rule id: 2 access_allow Port Direction=0 () # [L.320]:
> class.squid.acls.groups.inc buildacls_bytype_items(2,..) acl
> AnnotateRule2 annotate_transaction accessrule=Rule2 http_access allow
> Group2 AnnotateRule2 # webfilters_sqacls #4 : aclport=0 ( ) [239]
> [class.squid.acls.groups.inc] # [L.292]: rule id: 4 access_allow Port Direction=0 () # [L.320]:
> class.squid.acls.groups.inc buildacls_bytype_items(4,..) acl
> AnnotateRule4 annotate_transaction accessrule=Rule4 http_access allow
> Group8 AnnotateRule4 # webfilters_sqacls #3 : aclport=0 ( ) [239]
> [class.squid.acls.groups.inc] # [L.292]: rule id: 3 access_deny Port Direction=0 () # [L.320]:
> class.squid.acls.groups.inc buildacls_bytype_items(3,..) # Template
> Enabled for this ACL.
> # Final acl is all, Template ID=1
> acl AnnotateRule3 annotate_transaction accessrule=Rule3 http_access
> deny CONNECT AnnotateRule3 deny_info TCP_RESET AnnotateRule3
>
> acl MyAll dst 0.0.0.0/0
> http_access deny Myall
> deny_info 302:http://artica/me Myall
> #
> #
> # ------------------ HTTP ACCESS -------------------- # 0 rule(s) from
> engine (Line 2240)
>
>
> #
> # SquidStandardLDAPAuth = 0
> # EnableOpenLDAP = 0
> # SquidRadiusAuth = 0
> # LDAP_AUTH = 0 caused by EnableOpenLDAP acl MyBlockedIPs src
> "/etc/squid3/acls/DenyIPSrc"
> acl AnnotateWindowsUpdates annotate_transaction
> accessrule=AllowWindowsUpdates http_access allow WindowsUpdates
> AnnotateWindowsUpdates # # -------------------- AUTH Schemes Squid
> v5.2-----------------------
>
> # ----------------------------------------------------------
>
> # LDAP Auth = 0
> acl AnnotateSafePorts annotate_transaction
> accessrule=deny_remote_ports http_access deny HTTP !Safe_ports all
> AnnotateSafePorts http_access deny CONNECT !SSL_ports all
> AnnotateSafePorts deny_info TCP_RESET all
>
> acl AnnotateBLK annotate_transaction accessrule=global_blacklist
> http_access deny MyBlockedIPs AnnotateBLK http_access deny
> blockedsites AnnotateBLK http_access deny DomainsBlackLists
> AnnotateBLK http_access deny NetworksBlackLists AnnotateBLK include
> /etc/squid3/http_access_final.conf
> # END http_access (defaults)
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
More information about the squid-users
mailing list