[squid-users] Questions about Squid configuration

にば taku0919.taku at gmail.com
Wed Aug 7 00:59:10 UTC 2024


Dear Squid Community

Nice to meet you. I am a newbie who just recently started using Squid.
I have a question about Squid configuration.
If there is any missing information or clarification, please let me know...

■Questions
When using Squid transparently, is it possible to control the
whitelist of the domain to connect to and inspect the Host field in
the request header together?
According to the verification results, the Host field can be inspected
by "host_verify_strict on" in squid-transparent.conf, but it seems
that the whitelist is not controlled.

■Requirements
・Proxy shall be transparently configured to accommodate clients that
cannot configure proxy settings.
・Communication is possible only with authorized domains using the
whitelist method.
・Whitelists are managed by domain, not IP address.
・Check the Host field in the request header and reject communication
if the value is invalid.
・If the actual destination IP is different from the result of name
resolution of the FQDN specified by SNI, communication is denied.

■Environment
server: AWS EC2
platform: Amazon Linux
Squid Cache: Version 4.15

■Configuration Details
〇squid-transparent.conf(Excerpts)
#Whitelist
acl whitelist dstdomain "/etc/squid/whitelist"
acl whitelist dstdomain "/etc/squid/whitelist_transparent"
acl whitelist_https dstdomain "/etc/squid/whitelist_https"
acl whitelist_transparent_https dstdomain "/etc/squid/whitelist_transparent_https"

proxy_protocol_access allow localnet
proxy_protocol_access deny all
http_access allow localnet whitelist
http_access deny localnet whitelist_https !https_port
http_access deny localnet whitelist_transparent_https !https_port

# Handling HTTP requests
http_port 3129 intercept
# Handling HTTPS requests
https_port 3130 intercept tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/ssl/bump_dhparam.pem
# Start up for squid process
http_port 3131
http_access allow https_port
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_https"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent_https"

http_access deny all

# strict setting
host_verify_strict on

# SSL_BUMP
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump bump all


〇/etc/squid/whitelist
.pypi.org


■Verification of Settings
I ran the curl command from each of the client environments that use Squid.
1. if SNI, Destination IP, and HeaderHost are correct, the user should
be able to connect to pypi.org
Command:
date;curl https://pypi.org/ -v --cacert squid_2.crt -k
Result: OK

2. rejection of communication to pypi.org if SNI is correct but
destination IP and HeaderHost are incorrect
Command:
date;curl https://pypi.org/ --resolve pypi.org:443:182.22.24.252 -H "Host: www.yahoo.co.jp" -v --cacert squid_2.crt -k
Result: OK (409 Conflict is returned)

3. rejection of communication to pypi.org if SNI and destination IP
are correct and HeaderHost is incorrect
Command:
date;curl https://pypi.org/ -H "Host: www.yahoo.co.jp" -v --cacert squid_2.crt -k
Result: OK (409 Conflict is returned)

4. rejection of communication to pypi.org if SNI and HeaderHost are
correct but destination IP is incorrect
Command:
date;curl https://pypi.org/ --resolve pypi.org:443:182.22.24.252 -v --cacert squid_2.crt -k
Result: OK (409 Conflict is returned)

5. if SNI, destination IP, and HeaderHost are all invalid (yahoo.co.jp
not registered in whitelist), communication will be rejected
Command:
date;curl https://yahoo.co.jp/ -v --cacert squid_2.crt -k
Result: NG (301 Moved Permanently is returned, but it appears that the
communication is reaching yahoo.co.jp)
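Added example (editor's illustration, not part of the post above and not a verified fix for that setup): a squid.conf fragment that turns the SNI whitelist into an ssl_bump decision by peeking at step1 and terminating non-whitelisted names at step2, so the ssl::server_name ACL is actually consulted before any bumping, while host_verify_strict and a dstdomain check still apply to the decrypted Host header. File paths, ports and ACL names are taken from the post; the localnet definition and the directive ordering are assumptions.

```squid
# Assumed: localnet is defined elsewhere, e.g. the client VPC subnet.
acl localnet src 10.0.0.0/8
acl whitelist dstdomain "/etc/squid/whitelist"
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist"
acl step1 at_step SslBump1
acl step2 at_step SslBump2

http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB

# Step 1: only peek at the ClientHello so the SNI becomes visible to
# the ssl::server_name ACL (bumping here would decide on the IP alone).
ssl_bump peek step1 all
# Step 2: the SNI is now known; close any connection whose name is not
# whitelisted before a certificate is minted or the origin is contacted.
ssl_bump terminate step2 !allowed_https_sites
# Whitelisted names are bumped so the decrypted Host header can be checked.
ssl_bump bump all

# Intercepted traffic: Host must resolve to the intercepted destination IP
# (409 Conflict otherwise) and must itself be a whitelisted domain.
host_verify_strict on
http_access allow localnet whitelist
http_access deny all
```

With this ordering a request whose SNI is outside the whitelist is cut at the TLS layer, and a whitelisted SNI with a forged Host header is still refused by host_verify_strict or by the dstdomain rule.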

