[squid-users] Container Based Issues Lock Down Password and Terminate SSL
Jonathan Lee
jonathanlee571 at gmail.com
Tue Apr 23 03:51:04 UTC 2024
correction use both acl for and use
> ssl_bump peek step1
> miss_access deny no_miss
> ssl_bump splice https_login
> ssl_bump splice splice_only_mac splice_only
> ssl_bump splice NoBumpDNS
> ssl_bump splice NoSSLIntercept
> ssl_bump bump bump_only_mac bump_only
> ssl_bump terminate all # if its not on the list kill the connection
I did not know it could also check Layer 2 and Layer 3 addresses this way seems more secure
Have a good day everyone
> On Apr 22, 2024, at 16:52, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
>
> Hello fellow Squid Accelerator/Dynamic Cache/Web Cache Users/PfSense users
>
> I think this might resolve any container based issues/fears if they happened to get into the cache. Ie a Docker Proxy got installed and tried to data marshal the network card inside of a freeBSD jail or something like that. Biggest fear with my cache it is a big cache now
>
> Please yet me know what you think or if it is wrong.
>
> Here is my configuration. I wanted to share it as it might help to secure some of this.
>
> Keep in mine I use cachemgr.cgi within Squidlight so I had to set the password and I have to also adapt the php status file to include the password and also the sqlight php file.
>
> After that the status and gui pages work still with the new password. Only issues area that it shows up in clear text when it goes over the proxy I can see my password clear as day again that was an issue listed inside the Squid O’REILLY book also.
>
>
> I am amazed at the warm updates that was the original goal I was tired of slow updates over and over again.
>
> # This file is automatically generated by pfSense
> # Do not edit manually !
>
> http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>
> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>
> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>
> icp_port 0
> digest_generation off
> dns_v4_first on
> pid_filename /var/run/squid/squid.pid
> cache_effective_user squid
> cache_effective_group proxy
> error_default_language en
> icon_directory /usr/local/etc/squid/icons
> visible_hostname Lee_Family.home.arpa
> cache_mgr jonathanlee571 at gmail.com
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none
> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/local/libexec/squid/pinger
> sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048
> tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
> tls_outgoing_options capath=/usr/local/share/certs/
> tls_outgoing_options options=NO_SSLv3
> tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> sslcrtd_children 10
>
> logfile_rotate 0
> debug_options rotate=0
> shutdown_lifetime 3 seconds
> # Allow local network(s) on interface(s)
> acl localnet src 192.168.1.0/27
> forwarded_for transparent
> httpd_suppress_version_string on
> uri_whitespace strip
> dns_nameservers 127.0.0.1
> acl getmethod method GET
> acl to_ipv6 dst ipv6
> acl from_ipv6 src ipv6
>
> tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
>
> acl HttpAccess dstdomain '/usr/local/pkg/http.access'
> acl windowsupdate dstdomain '/usr/local/pkg/windowsupdate'
>
> acl rewritedoms dstdomain .facebook.com .akamaihd.net .fbcdn.net .google.com .static.com .apple.com .oracle.com .sun.com .java.com .adobe.com .steamstatic.com .steampowered.com .steamcontent.com .google.com
>
> store_id_program /usr/local/libexec/squid/storeid_file_rewrite /var/squid/storeid/storeid_rewrite.txt
> store_id_children 10 startup=5 idle=1 concurrency=0
> always_direct allow !getmethod
> store_id_access deny connect
> store_id_access deny !getmethod
> store_id_access allow rewritedoms
> reload_into_ims on
> max_stale 20 years
> minimum_expiry_time 0
>
>
> refresh_pattern -i squid.internal 10080 80% 79900 override-lastmod override-expire ignore-reload ignore-no-store ignore-private
>
> #FACEBOOK
> refresh_pattern ^https.*.facebook.com/* 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>
> #FACEBOOK IMAGES
> refresh_pattern -i pixel.facebook.com..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern -i .akamaihd.net..(jpg|png|gif|ico|css|js|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern -i facebook.com.(jpg|png|gif|jpg?) 10080 80% 43200 store-stale override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern static.(xx|ak).fbcdn.net.(jpg|gif|png|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern ^https.*profile.ak.fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern ^https.*fbcdn.net.*(jpg|gif|png|jpg?) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>
> #FACEBOOK VIDEO
> refresh_pattern -i .video.ak.fbcdn.net.*.(mp4|flv|mp3|amf) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
> refresh_pattern (audio|video)/(webm|mp4) 10080 80% 43200 override-expire override-lastmod ignore-no-cache ignore-reload reload-into-ims ignore-private
>
> #APPLE STUFF
> refresh_pattern -i apple.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip|dist)$ 0 80% 43200 refresh-ims
>
> #apple update
> refresh_pattern -i (download|adcdownload).apple.com/.*.(pkg|dmg) 4320 100% 43200
> refresh_pattern -i appldnld.apple.com 129600 100% 129600
> refresh_pattern -i phobos.apple.com 129600 100% 129600
> refresh_pattern -i iosapps.itunes.apple.com 129600 100% 129600
>
> # Updates: Windows
> refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200 refresh-ims
> refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200 refresh-ims
> refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200 refresh-ims
> refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
> refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
> refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
> refresh_pattern -i .*windowsupdate.com/.*.(cab|exe) 259200 100% 259200
> refresh_pattern -i .*update.microsoft.com/.*.(cab|exe|dll|msi|psf) 259200 100% 259200
> refresh_pattern windowsupdate.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
> refresh_pattern download.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
> refresh_pattern www.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
> refresh_pattern au.download.windowsupdate.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200
> refresh_pattern bg.v4.pr.dl.ws.microsoft.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200
> #windows update NEW UPDATE 0.04
> refresh_pattern update.microsoft.com/.*.(cab|exe) 43200 100% 129600
> refresh_pattern ([^.]+.)?(download|(windows)?update).(microsoft.)?com/.*.(cab|exe|msi|msp|psf) 4320 100% 43200
> refresh_pattern update.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
> refresh_pattern -i .update.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
> refresh_pattern -i .windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
> refresh_pattern -i .download.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
> refresh_pattern -i .ws.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>
> refresh_pattern ([^.]+.)?(cs|content[1-9]|hsar|content-origin|client-download).[steampowered|steamcontent].com/.*.* 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
> refresh_pattern ([^.]+.)?.akamai.steamstatic.com/.*.* 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
>
> refresh_pattern -i ([^.]+.)?.adobe.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
> refresh_pattern -i ([^.]+.)?.java.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
> refresh_pattern -i ([^.]+.)?.sun.com/.*.(zip|exe) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
> refresh_pattern -i ([^.]+.)?.oracle.com/.*.(zip|exe|tar.gz) 43200 100% 43200 reload-into-ims ignore-reload ignore-no-store override-expire override-lastmod
>
> refresh_pattern -i appldnld.apple.com 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod
> refresh_pattern -i ([^.]+.)?apple.com/.*.(ipa) 43200 100% 43200 ignore-reload ignore-no-store override-expire override-lastmod
>
> refresh_pattern -i ([^.]+.)?.google.com/.*.(exe|crx) 10080 80% 43200 override-expire override-lastmod ignore-reload reload-into-ims ignore-private
> refresh_pattern -i ([^.]+.)?g.static.com/.*.(exe|crx) 10080 80% 43200 override-expire override-lastmod ignore-reload reload-into-ims ignore-private
>
> acl https_login url_regex -i ^https.*(login|Login).*
> cache deny https_login
>
> range_offset_limit 512 MB windowsupdate
> range_offset_limit 4 MB
> range_offset_limit 0
> quick_abort_min -1 KB
>
> cache_mem 64 MB
> maximum_object_size_in_memory 256 KB
> memory_replacement_policy heap LFUDA
> cache_replacement_policy heap LFUDA
> minimum_object_size 0 KB
> maximum_object_size 512 MB
> cache_dir diskd /var/squid/cache 64000 256 256
> offline_mode off
> cache_swap_low 90
> cache_swap_high 95
> acl donotcache dstdomain '/var/squid/acl/donotcache.acl'
> cache deny donotcache
> cache allow all
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> #Remote proxies
>
>
> # Setup some default acls
> # ACLs all, manager, localhost, and to_localhost are predefined.
> acl allsrc src all
> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129 1025-65535
> acl sslports port 443 563 8080 5223 2197
>
> acl purge method PURGE
> acl connect method CONNECT
>
> # Define protocols used for redirects
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
>
> # SslBump Peek and Splice
> # http://wiki.squid-cache.org/Features/SslPeekAndSplice
> # http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> # Match against the current step during ssl_bump evaluation [fast]
> # Never matches and should not be used outside the ssl_bump context.
> #
> # At each SslBump step, Squid evaluates ssl_bump directives to find
> # the next bumping action (e.g., peek or splice). Valid SslBump step
> # values and the corresponding ssl_bump evaluation moments are:
> # SslBump1: After getting TCP-level and HTTP CONNECT info.
> # SslBump2: After getting TLS Client Hello info.
> # SslBump3: After getting TLS Server Hello info.
> # These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
> # they can be used there for custom configuration.
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> acl banned_hosts src '/var/squid/acl/banned_hosts.acl'
> acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
> acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'
> http_access allow manager localhost
>
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !safeports
> http_access deny CONNECT !sslports
>
> # Always allow localhost connections
> http_access allow localhost
>
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> quick_abort_pct 95
> request_body_max_size 0 KB
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow allsrc
>
> # Reverse Proxy settings
>
> deny_info TCP_RESET allsrc
>
> # Package Integration
> url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
> url_rewrite_bypass off
> url_rewrite_children 32 startup=8 idle=4 concurrency=0
>
> # Custom options before auth
> #host_verify_strict on
>
> # These hosts are banned
> http_access deny banned_hosts
> # Always allow access to whitelist domains
> http_access allow whitelist
> # Block access to blacklist domains
> http_access deny blacklist
> # List of domains allowed to logging in to Google services
> request_header_access X-GoogApps-Allowed-Domains deny all
> request_header_add X-GoogApps-Allowed-Domains consumer_accounts
> # Set YouTube safesearch restriction
> acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
> request_header_access YouTube-Restrict deny all
> request_header_add YouTube-Restrict none youtubedst
> acl sglog url_regex -i sgr=ACCESSDENIED
> http_access deny sglog
> # Custom SSL/MITM options before auth
> cachemgr_passwd disable offline_toggle reconfigure shutdown
> cachemgr_passwd REDACTED_CLASSIFIED all
> eui_lookup on
> acl no_miss url_regex -i gateway.facebook.com/ws/realtime?
> acl no_miss url_regex -i web-chat-e2ee.facebook.com/ws/chat
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
> http_access allow CONNECT wuCONNECT localnet
> http_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate localnet
> http_access allow windowsupdate localhost
> http_access allow HttpAccess localnet
> http_access allow HttpAccess localhost
> http_access deny manager
> http_access deny to_ipv6
> http_access deny from_ipv6
>
> acl BrokenButTrustedServers dstdomain '/usr/local/pkg/dstdom.broken'
> acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
> sslproxy_cert_error deny all
>
> acl splice_only src 192.168.1.8 #Tasha iPhone
> acl splice_only src 192.168.1.10 #Jon iPhone
> acl splice_only src 192.168.1.11 #Amazon Fire
> acl splice_only src 192.168.1.15 #Tasha HP
> acl splice_only src 192.168.1.16 #iPad
>
> acl splice_only_mac arp REDACTED
> acl splice_only_mac arp REDACTED
> acl splice_only_mac arp REDACTED
> acl splice_only_mac arp REDACTED
> acl splice_only_mac arp REDACTED
>
> acl NoSSLIntercept ssl::server_name_regex -i '/usr/local/pkg/reg.url.nobump'
> acl NoBumpDNS dstdomain '/usr/local/pkg/dns.nobump'
>
> acl markBumped annotate_client bumped=true
> acl bump_only src 192.168.1.3 #webtv
> acl bump_only src 192.168.1.4 #toshiba
> acl bump_only src 192.168.1.5 #imac
> acl bump_only src 192.168.1.9 #macbook
> acl bump_only src 192.168.1.13 #dell
>
> acl bump_only_mac arp REDACTED
> acl bump_only_mac arp REDACTED
> acl bump_only_mac arp REDACTED
> acl bump_only_mac arp REDACTED
> acl bump_only_mac arp REDACTED
>
>
> ssl_bump peek step1
> miss_access deny no_miss
> ssl_bump splice https_login
> ssl_bump splice splice_only_mac
> ssl_bump splice NoBumpDNS
> ssl_bump splice NoSSLIntercept
> ssl_bump bump bump_only_mac
> ssl_bump terminate all # if its not on the list kill the connection
>
> acl markedBumped note bumped true
> url_rewrite_access deny markedBumped
>
> read_ahead_gap 64 KB
> negative_ttl 1 second
> connect_timeout 30 seconds
> request_timeout 60 seconds
> half_closed_clients off
> shutdown_lifetime 10 seconds
> negative_dns_ttl 1 seconds
> ignore_unknown_nameservers on
> pipeline_prefetch 100
>
> #acl SSLIntercept ssl::server_name_regex -i '/usr/local/pkg/url.bump'
> #ssl_bump bump SSLIntercept
>
> # Setup allowed ACLs
> # Allow local network(s) on interface(s)
> http_access allow localnet
> # Default block all to be sure
> http_access deny allsrc
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240422/3190fbed/attachment-0001.htm>
More information about the squid-users
mailing list