[squid-users] deny squid to bump deny_info

Alex Rousskov rousskov at measurement-factory.com
Fri Dec 10 16:42:17 UTC 2021


On 12/10/21 11:01 AM, André Bolinhas wrote:

> I put this code at the beginning of squid.conf, just after listen_ports:
> 
> http_port 0.0.0.0:3128  name=MyPortNameID1 ssl-bump  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/861be42112afac3b82f6b992bcc464aa.dyn sslflags=VERIFY_CRL_ALL options=NO_SSLv3,No_Compression tls-dh=/etc/squid3/ssl/dhparam.pem
> 
> acl denybump dstdomain .xvideos.com
> acl CONNECT1 method CONNECT
> http_access deny CONNECT1 denybump
> ssl_bump terminate denybump
> http_access deny denybump
> 
> but still don't work, squid continues to bump the error page.
> 
> If I change the code to terminate all
> acl denybump dstdomain .xvideos.com
> acl CONNECT1 method CONNECT
> http_access deny CONNECT1 denybump
> ssl_bump terminate all
> http_access deny denybump
> 
> Squid is able to terminate all connections except the xvideos, because xvideos is denied, squid continues to bump it to show the error page.

AFAICT, your configuration denies CONNECT requests _before_ "ssl_bump
terminate" logic kicks in. The existing SslBump documentation can be
interpreted as matching what is going on in your tests; see steps 1.ii
and 1.iii at https://wiki.squid-cache.org/Features/SslPeekAndSplice

We probably should document that a step1 http_access denial (which
happens during step 1.ii) blocks/prevents ssl_bump rules evaluation
(which happens in step 1.iii).

My recommendation from the very first response on this email thread
still stands: Close the offending client connection using an "ssl_bump
terminate" rule instead[1] of blocking client access using "http_access".

[1] It may be a good idea to also/still block client access using
http_access rules, as an additional safety layer, but it has to be done
carefully so that "ssl_bump terminate" rule matches _before_ any of the
corresponding "http_access deny" rules may match. For example, the two
rules cannot have exactly the same condition because step 1.ii happens
before step 1.iii.


HTH,

Alex.

> You can see the result images here:
> gmail bump terminated - https://ibb.co/3MsMt0C
> Xvideos bump not terminated - https://ibb.co/b24hL44
> 
> 
> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com>
> Sent: 8 December 2021 16:02
> To: André Bolinhas <andre.bolinhas at articatech.com>; 
> squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] deny squid to bump deny_info
> 
> On 12/8/21 10:40 AM, André Bolinhas wrote:
>> where I need to add the ssl_bump terminate rule? Inside ssl.conf or 
>> http_access.conf?
>> I have tried in both, but it continues to bump the error page.
> 
> Unfortunately, I cannot edit your configuration right now, but others on the 
> mailing list may be able to help you. Please note that we do not know how 
> those two files are included into your primary configuration file and 
> whether that primary configuration file contains any relevant settings 
> itself. The primary configuration file is what Squid parses first (e.g., it 
> may be specified using "squid -f").
> 
> 
>> Also tried ssl_bump terminate all at the top of both files and it always
>> bumps the error_page.
> 
> I am not sure, but AFAICT, Squid bugs notwithstanding, if "ssl_bump 
> terminate all" is the very first ssl_bump rule in the entire Squid 
> configuration, and Squid still bumps traffic, then you may be denying 
> explicit CONNECT requests _before_ SslBump kicks in.
> 
> Alex.
> 
> 
>> This is my current files:
>> http_access.conf
>> #### tcp_outgoing_tos ####
>> #### tcp_outgoing_tos 0 Rules ####
>> # webfilters_sqacls HaClusterClient=0 2 rules [202] [class.squid.acls.groups.inc]
>> # webfilters_sqacls #10 : aclport=0 (  ) [212] [class.squid.acls.groups.inc]
>> # [L.268]: rule id: 10 access_allow Port Direction=0 ()
>> # [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(10,..)
>> http_access allow Group17
>> # webfilters_sqacls #5 : aclport=0 (  ) [212] [class.squid.acls.groups.inc]
>> # [L.268]: rule id: 5 access_deny Port Direction=0 ()
>> # [L.303]: class.squid.acls.groups.inc buildacls_bytype_items(5,..)
>> # Template Enabled for this ACL.
>> # Final acl is all, Template ID=1
>> deny_info TEMPLATE_5 all
>> http_access deny all
>> #
>> #
>> # ------------------ HTTP ACCESS --------------------
>> # 0 rule(s) from engine (Line 2170)
>>
>>
>> # SquidStandardLDAPAuth = 0
>> # EnableOpenLDAP = 0
>> # SquidRadiusAuth = 0
>> # LDAP_AUTH = 0 caused by EnableOpenLDAP
>> acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
>> http_access allow WindowsUpdates
>>
>> # LDAP Auth = 0
>> http_access deny HTTP !Safe_ports all
>> http_access deny CONNECT !SSL_ports all
>> http_access deny MyBlockedIPs
>> http_access deny blockedsites
>> http_access deny DomainsBlackLists
>> http_access deny NetworksBlackLists
>> include /etc/squid3/http_access_final.conf
>> # END http_access (defaults)
>>
>> # Allow all networks to finally pass trough proxy.
>> http_access allow all
>>
>> ssl.conf
>> # SSL used for port ID 1, :3128 on
>> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
>> # SSL Proxy options Proxy version:5.2 [134]
>> sslcrtd_program /lib/squid3/security_file_certgen -s /var/lib/squid/session/ssl/ssl_db -M 32MB
>> sslcrtd_children 32 startup=5 idle=1 queue-size=64
>> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
>> #it means the application knows what certificate to expect when accessing AppStore.
>> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a “mimicked” one;
>> #the application detects that and refuses to function.
>> #
>> acl FakeCert ssl::server_name .apple.com
>> acl FakeCert ssl::server_name .icloud.com
>> acl FakeCert ssl::server_name .mzstatic.com
>> acl FakeCert ssl::server_name .dropbox.com
>> acl FakeCert ssl::server_name .bnpparisbas
>> acl ssl_step1 at_step SslBump1
>> acl ssl_step2 at_step SslBump2
>> acl ssl_step3 at_step SslBump3
>> ssl_bump peek ssl_step1
>> ssl_bump splice GlobalWhitelistDSTNet
>> ssl_bump splice GlobalWhitelistDomainsRx
>> ssl_bump splice GlobalWhitelistDomains
>> ssl_bump splice FakeCert
>>
>> # SNI Group google_sni/ssl_sni
>> # id:16 Type: ssl_sni
>> acl SNIGroup16 ssl::server_name_regex -i accounts\.google\.com
>>
>> # 0 Splice rules...
>> acl KeepSSL ssl::server_name "/etc/squid3/acls_whitelist.dstdomain.conf"
>> ssl_bump splice KeepSSL
>> ssl_bump splice GlobalWhitelistDSTNet
>>
>> # Rules (spliced) added by admins....
>>
>> # 1 BUMP rules...
>> #ssl_bump stare all
>> ssl_bump bump ssl_step2 SNIGroup16
>> ssl_bump splice all
>>
>> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
>> sslproxy_cert_error allow all
>> on_unsupported_protocol tunnel all
>>
>>
>> -----Original Message-----
>> From: Alex Rousskov <rousskov at measurement-factory.com>
>> Sent: 8 December 2021 15:13
>> To: André Bolinhas <andre.bolinhas at articatech.com>;
>> squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] deny squid to bump deny_info
>>
>> On 12/7/21 8:39 PM, André Bolinhas wrote:
>>
>>> We use Squid v5 with ssl_bump to decrypt only google domains. With a
>>> special configuration we also need to deny important websites. Squid
>>> tries to bump returned error pages
>>
>> Yes, when SslBump encounters an error, it tries to bump the client 
>> connection to deliver the error response.
>>
>> One way to prevent that error handling algorithm from kicking in is to 
>> close the offending client connection using an "ssl_bump terminate" rule 
>> (instead[1] of blocking client access using "http_access").
>>
>>
>>> We have tried using a TCP_RESET deny_info but this does not fix the
>>> bump operation
>>
>> I suspect the TCP_RESET feature is checked at error delivery time, after 
>> the client connection is bumped to prepare it for error delivery. This 
>> suspect behavior should be considered a Squid bug/deficiency IMO -- Squid 
>> should not be bumping the TLS connection to deliver a TCP RST or FIN 
>> packet.
>>
>> HTH,
>>
>> Alex.
>> [1] It may be a good idea to also/still block client access using 
>> http_access rules, as an additional safety layer, but it has to be done 
>> carefully so that "ssl_bump terminate" rule matches _before_ any of the 
>> corresponding "http_access deny" rules may match.
>>
>>
>>
>>> In this piece of log, you can see that squid is forcing bump for
>>> Access Denied website under https:
>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(769)
>>> clientAccessCheckDone: Access Denied: beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(770)
>>> clientAccessCheckDone: AclMatchedName = all
>>> 2021/12/08 05:05:53.774 kid2| 83,7| LogTags.cc(57) update: TAG_NONE
>>> to TCP_DENIED
>>> 2021/12/08 05:05:53.774 kid2| 28,4| FilledChecklist.cc(67)
>>> ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7ffc945c5b40
>>> 2021/12/08 05:05:53.774 kid2| 28,4| Checklist.cc(197) ~ACLChecklist:
>>> ACLChecklist::~ACLChecklist: destroyed 0x7ffc945c5b40
>>> 2021/12/08 05:05:53.774 kid2| 85,5| client_side_request.cc(1461)
>>> sslBumpAccessCheck: SslBump applies. Force bump action on error
>>> UNKNOWN
>>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562)
>>> sslBumpNeed: sslBump required: bump
>>> 2021/12/08 05:05:53.774 kid2| 73,3| HttpRequest.cc(683) storeId: sent
>>> back
>>> effectiveRequestUrl: beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(160) rawSpace: reserving
>>> 1 for
>>> SBuf77493929
>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(866) reAlloc:
>>> SBuf77493929 new store capacity: 40
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(769) storeCreatePureEntry:
>>> storeCreateEntry: 'beacons2.gvt2.com:443'
>>> 2021/12/08 05:05:53.774 kid2| 20,5| store.cc(349) StoreEntry:
>>> StoreEntry constructed, this=0x5561d9347e90
>>> 2021/12/08 05:05:53.774 kid2| 20,3| MemObject.cc(100) MemObject:
>>> MemObject constructed, this=0x5561d5e66f50
>>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader:
>>> init-ing
>>> hdr: 0x5561d80af128 owner: 3
>>> 2021/12/08 05:05:53.774 kid2| 88,3| MemObject.cc(83) setUris:
>>> 0x5561d5e66f50
>>> storeId: beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 24,7| SBuf.cc(85) assign: assigning
>>> SBuf77493930 from SBuf77493860
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock:
>>> storeCreateEntry locked key [null_store_key] e:=V/0x5561d9347e90*1
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(569) setPrivateKey: 01
>>> e:=V/0x5561d9347e90*1
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(421) hashInsert:
>>> StoreEntry::hashInsert: Inserting Entry e:=XIV/0x5561d9347e90*1 key
>>> '71570400000000002412000002000000'
>>> 2021/12/08 05:05:53.774 kid2| 83,3| client_side_request.cc(1562)
>>> sslBumpNeed: sslBump required: client-first
>>> 2021/12/08 05:05:53.774 kid2| 33,4| ServerBump.cc(28) ServerBump:
>>> will peek at beacons2.gvt2.com:443
>>> 2021/12/08 05:05:53.774 kid2| 20,3| store.cc(443) lock:
>>> Ssl::ServerBump locked key 71570400000000002412000002000000
>>> e:=XIV/0x5561d9347e90*2
>>> 2021/12/08 05:05:53.774 kid2| 4,4| errorpage.cc(720) errorAppendEntry:
>>> storing TEMPLATE_5 in e:=XIV/0x5561d9347e90*2
>>> 2021/12/08 05:05:53.774 kid2| 55,7| HttpHeader.cc(155) HttpHeader:
>>> init-ing
>>> hdr: 0x5561d66a8078 owner: 3
>>> 2021/12/08 05:05:53.774 kid2| 4,2| errorpage.cc(1389) buildBody: No
>>> existing error page language negotiated for TEMPLATE_5. Using default 
>>> error file.
>>>
>>> Ssl.conf
>>> # SSL used for port ID 1, :3128 on
>>> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
>>> # SSL Proxy options Proxy version:5.2 [134]
>>> sslcrtd_program /lib/squid3/security_file_certgen
>>> sslcrtd_children 32 startup=5 idle=1 queue-size=64
>>> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
>>> #it means the application knows what certificate to expect when accessing AppStore.
>>> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a “mimicked” one;
>>>
>>> #the application detects that and refuses to function.
>>> #
>>> acl FakeCert ssl::server_name .apple.com
>>> acl FakeCert ssl::server_name .icloud.com
>>> acl FakeCert ssl::server_name .mzstatic.com
>>> acl FakeCert ssl::server_name .dropbox.com
>>> acl FakeCert ssl::server_name .bnpparisbas
>>> acl notbump ssl::server_name .redtube.com
>>> acl ssl_step1 at_step SslBump1
>>> acl ssl_step2 at_step SslBump2
>>> acl ssl_step3 at_step SslBump3
>>>
>>> acl Me dst 127.0.0.1 192.168.58.11
>>> acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
>>>
>>> ssl_bump splice notbump all
>>> ssl_bump splice GlobalWhitelistDSTNet
>>>
>>> ssl_bump splice ssl_step1 Me
>>> ssl_bump splice ByPassRBL
>>> ssl_bump splice FakeCert
>>>
>>> # SNI Group sni_domains/ssl_sni
>>> # id:7 Type: ssl_sni
>>> acl SNIGroup7 ssl::server_name_regex -i account\.google\.com
>>> acl SNIGroup7 ssl::server_name_regex -i accounts\.google\.com
>>> ssl_bump peek ssl_step1 all
>>> # 0 Splice rules...
>>> ssl_bump splice ByPassRBL
>>> ssl_bump splice GlobalWhitelistDSTNet
>>>
>>> # Rules (spliced) added by admins....
>>>
>>> # 1 BUMP rules...
>>> ssl_bump bump ssl_step2 SNIGroup7
>>> ssl_bump splice all
>>>
>>> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
>>> sslproxy_cert_error allow all
>>>
>>> http_access.conf
>>> #### tcp_outgoing_tos ####
>>> #### tcp_outgoing_tos 0 Rules ####
>>> # SquidUrgency = 0 exec.squid.global.access.php[2233]
>>> #       HaClusterClient=0 class.squid.acls.groups.inc/buildacls_order
>>> #       mysql_for_port='' aclgpid=0 [L.174]
>>> #       [3] rules [220]
>>>
>>>
>>> # webfilters_sqacls #2 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>>> # [L.292]: rule id: 2 access_allow Port Direction=0 ()
>>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(2,..)
>>> acl AnnotateRule2 annotate_transaction accessrule=Rule2
>>> http_access allow Group2 AnnotateRule2
>>> # webfilters_sqacls #4 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>>> # [L.292]: rule id: 4 access_allow Port Direction=0 ()
>>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(4,..)
>>> acl AnnotateRule4 annotate_transaction accessrule=Rule4
>>> http_access allow Group8 AnnotateRule4
>>> # webfilters_sqacls #3 : aclport=0 (  ) [239] [class.squid.acls.groups.inc]
>>> # [L.292]: rule id: 3 access_deny Port Direction=0 ()
>>> # [L.320]: class.squid.acls.groups.inc buildacls_bytype_items(3,..)
>>> # Template Enabled for this ACL.
>>> # Final acl is all, Template ID=1
>>> acl AnnotateRule3 annotate_transaction accessrule=Rule3
>>> http_access deny CONNECT AnnotateRule3
>>> deny_info TCP_RESET AnnotateRule3
>>>
>>> acl MyAll dst 0.0.0.0/0
>>> http_access deny Myall
>>> deny_info 302:http://artica/me Myall
>>> #
>>> #
>>> # ------------------ HTTP ACCESS --------------------
>>> # 0 rule(s) from engine (Line 2240)
>>>
>>>
>>> #
>>> # SquidStandardLDAPAuth = 0
>>> # EnableOpenLDAP = 0
>>> # SquidRadiusAuth = 0
>>> # LDAP_AUTH = 0 caused by EnableOpenLDAP
>>> acl MyBlockedIPs src "/etc/squid3/acls/DenyIPSrc"
>>> acl AnnotateWindowsUpdates annotate_transaction accessrule=AllowWindowsUpdates
>>> http_access allow WindowsUpdates AnnotateWindowsUpdates
>>> #
>>> # -------------------- AUTH Schemes Squid v5.2-----------------------
>>>
>>> # ----------------------------------------------------------
>>>
>>> # LDAP Auth = 0
>>> acl AnnotateSafePorts annotate_transaction accessrule=deny_remote_ports
>>> http_access deny HTTP !Safe_ports all AnnotateSafePorts
>>> http_access deny CONNECT !SSL_ports all AnnotateSafePorts
>>> deny_info TCP_RESET all
>>>
>>> acl AnnotateBLK annotate_transaction accessrule=global_blacklist
>>> http_access deny MyBlockedIPs AnnotateBLK
>>> http_access deny blockedsites AnnotateBLK
>>> http_access deny DomainsBlackLists AnnotateBLK
>>> http_access deny NetworksBlackLists AnnotateBLK
>>> include /etc/squid3/http_access_final.conf
>>> # END http_access (defaults)
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>
> 
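The ordering pitfall Alex describes (an "http_access deny" that matches the CONNECT request fires at SslBump step 1.ii, before any "ssl_bump terminate" rule is consulted at step 1.iii, so Squid bumps the connection just to deliver the error page) is easy to reintroduce by hand in a large generated squid.conf. The following small linter is an added example, not code from the thread or from the Squid project: it parses a squid.conf fragment and reports every "http_access deny" rule whose condition, apart from a plain CONNECT method ACL, is identical to the condition of an "ssl_bump terminate" rule. The sample configs are constructed here with a placeholder domain; the CONF_FIXED variant, which keeps the http_access safety layer by excluding the CONNECT request with a negated method ACL ("!CONNECT1"), is one arrangement that satisfies Alex's rule that the two conditions cannot be exactly the same, not the only one, and treating a negated CONNECT ACL as sufficient is this linter's own assumption.

```python
"""Lint a squid.conf fragment for "http_access deny" rules that pre-empt
"ssl_bump terminate" on the CONNECT request (SslBump step 1.ii vs 1.iii)."""

# Constructed sample: the pattern from the thread, with a placeholder domain.
CONF_BROKEN = """\
acl denybump dstdomain .example.test
acl CONNECT1 method CONNECT
http_access deny CONNECT1 denybump
ssl_bump terminate denybump
http_access deny denybump
"""

# Constructed sample: terminate handles HTTPS at step 1.iii; the http_access
# safety layer is kept but no longer matches the CONNECT request itself.
CONF_FIXED = """\
acl denybump dstdomain .example.test
acl CONNECT1 method CONNECT
ssl_bump terminate denybump
http_access deny !CONNECT1 denybump
"""


def parse_conf(conf):
    """Return (acls, rules).

    acls:  acl name -> (acl type, accumulated arguments)
    rules: list of (line_no, directive, action, acl_tokens) for every
           http_access / ssl_bump line, in file order.
    """
    acls = {}
    rules = []
    for line_no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "acl" and len(tok) >= 3:
            # repeated "acl NAME type ..." lines extend the same ACL in Squid
            typ, args = acls.setdefault(tok[1], (tok[2], []))
            args.extend(tok[3:])
        elif tok[0] in ("http_access", "ssl_bump") and len(tok) >= 2:
            rules.append((line_no, tok[0], tok[1], tok[2:]))
    return acls, rules


def is_connect_acl(name, acls):
    """True if NAME is declared as a method ACL that includes CONNECT."""
    typ, args = acls.get(name, ("", []))
    return typ == "method" and "CONNECT" in args


def lint(conf):
    """Return one finding string per http_access deny rule that would match
    the CONNECT request with the same ACLs as an ssl_bump terminate rule."""
    acls, rules = parse_conf(conf)
    terminates = [(n, set(t)) for n, d, a, t in rules
                  if d == "ssl_bump" and a == "terminate"]
    findings = []
    for line_no, directive, action, toks in rules:
        if directive != "http_access" or action != "deny":
            continue
        # Assumption of this linter: a negated CONNECT ACL keeps the rule off
        # the CONNECT request, so it cannot fire at step 1.ii.
        if any(t.startswith("!") and is_connect_acl(t[1:], acls) for t in toks):
            continue
        # "CONNECT1 denybump" and "denybump" both match the CONNECT request to
        # a denybump host, so compare the condition minus plain CONNECT ACLs.
        core = {t for t in toks if not is_connect_acl(t, acls)}
        for term_line, term_acls in terminates:
            if core and core == term_acls:
                findings.append(
                    f"line {line_no}: 'http_access deny {' '.join(toks)}' matches "
                    f"the CONNECT request at step 1.ii, before 'ssl_bump terminate' "
                    f"(line {term_line}) is evaluated at step 1.iii; Squid will bump "
                    f"to deliver the error page")
    return findings


if __name__ == "__main__":
    for name, conf in (("thread pattern", CONF_BROKEN),
                       ("terminate first", CONF_FIXED)):
        print(f"{name}: {lint(conf) or ['no findings']}")
```

Run against CONF_BROKEN the linter reports both deny rules (lines 3 and 5); against CONF_FIXED it reports nothing, because the only deny rule excludes the CONNECT request and so cannot be the rule that fires at step 1.ii. The check is deliberately conservative: it only flags exact condition matches, so it will miss deny rules that reach the same CONNECT through a broader ACL such as "all".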


