[squid-users] Questions about Squid configuration
Alex Rousskov
rousskov at measurement-factory.com
Thu Aug 8 12:32:55 UTC 2024
On 2024-08-06 20:59, にば wrote:
> When using Squid transparently, is it possible to control the
> whitelist of the domain to connect to and inspect the Host field in
> the request header together?
Short answer: Yes.
> According to the verification results, the Host field can be inspected
> by "host_verify_strict on" in squid-transparent.conf, but it seems
> that the whitelist is not controlled.
AFAICT, the configuration you have shared allows all banned[1] traffic
to/through https_port. For the problematic test case #5:
All these http_access rules do _not_ match:
> http_access allow localnet whitelist
> http_access deny localnet whitelist_https !https_port
> http_access deny localnet whitelist_transparent_https !https_port
And then this next rule matches and allows traffic through:
> http_access allow https_port
This last http_access rule is not reached:
> http_access deny all
N.B. The above analysis assumes that your https_port ACL is explicitly
defined in your squid.conf to match all traffic received at https_port.
If you do not have such an ACL defined, then you need to fix that
problem as well. I recommend naming ACLs differently from directive
names (e.g., "toHttpsPort" rather than "https_port").
Please note that Squid v4 is not supported by the Squid Project and is
very buggy. I recommend using Squid v6 or later.
HTH,
Alex.
[1] Here, "banned" means "_not_ matching whitelist ACL".
> ■Configuration Details
> 〇squid-transparent.conf(Excerpts)
> #Whitelist
> acl whitelist dstdomain "/etc/squid/whitelist"
> acl whitelist dstdomain "/etc/squid/whitelist_transparent"
> acl whitelist_https dstdomain "/etc/squid/whitelist_https"
> acl whitelist_transparent_https dstdomain "/etc/squid/whitelist_transparent_https"
>
> proxy_protocol_access allow localnet
> proxy_protocol_access deny all
> http_access allow localnet whitelist
> http_access deny localnet whitelist_https !https_port
> http_access deny localnet whitelist_transparent_https !https_port
>
> # Handling HTTP requests
> http_port 3129 intercept
> # Handling HTTPS requests
> https_port 3130 intercept tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/ssl/bump_dhparam.pem
> # Start up for squid process
> http_port 3131
> http_access allow https_port
> acl allowed_https_sites ssl::server_name "/etc/squid/whitelist"
> acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent"
> acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_https"
> acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent_https"
>
> http_access deny all
>
> # strict setting
> host_verify_strict on
>
> # SSL_BUMP
> sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> ssl_bump bump all
> ■Verification of Settings
> I ran the curl command from each of the client environments that use Squid.
> 1. if SNI, Destination IP, and HeaderHost are correct, the user should
> be able to connect to pypi.org
> Command:
> date;curl https://pypi.org/ -v --cacert squid_2.crt -k
> Result: OK
>
> 2. rejection of communication to pypi.org if SNI is correct but
> destination IP and HeaderHost are incorrect
> Command:
> date;curl https://pypi.org/ --resolve pypi.org:443:182.22.24.252 -H
> "Host: www.yahoo.co.jp" -v --cacert squid_2.crt -k
> Result: OK (409 Conflict is returned)
>
> 3. rejection of communication to pypi.org if SNI and destination IP
> are correct and HeaderHost is incorrect
> Command:
> date;curl https://pypi.org/ -H "Host: www.yahoo.co.jp" -v --cacert
> squid_2.crt -k
> Result: OK (409 Conflict returned)
>
> 4. rejection of communication to pypi.org if SNI and HeaderHost are
> correct but destination IP is incorrect
> Command:
> date;curl https://pypi.org/ --resolve pypi.org:443:182.22.24.252 -v
> --cacert squid_2.crt -k
> Result: OK (409 Conflict returned)
>
> 5. if SNI, destination IP, and HeaderHost are all invalid (yahoo.co.jp
> not registered in whitelist), communication will be rejected
> Command:
> date;curl https://yahoo.co.jp/ -v --cacert squid_2.crt -k
> Result: NG (301 Moved Permanently is returned, but it appears that the
> communication is reaching yahoo.co.jp)
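As an added example (not from the thread or the Squid project), the following Python models Squid's first-match http_access evaluation over the rules quoted above and shows why test case 5 reaches "allow https_port" while case 1 is decided by the whitelist rule. The ACL predicates, the whitelist contents, the request dicts and the candidate fix are my assumptions; "https_port" is treated as an ACL matching traffic received on the intercepting https_port, as Alex's analysis assumes.

```python
# Added example, not from the thread: a minimal simulator of Squid's first-match
# http_access evaluation, used to audit the rule order quoted above. ACLs are
# reduced to predicates over a request dict; "https_port" is assumed to be an
# ACL matching traffic received on the intercepting https_port.

WHITELIST = {"pypi.org"}  # constructed stand-in for the whitelist files

def acl_match(name, req):
    """Evaluate one ACL name (optionally '!'-negated) against a request."""
    negate = name.startswith("!")
    base = name.lstrip("!")
    if base == "all":
        result = True
    elif base == "localnet":
        result = req["src"].startswith("192.168.")
    elif base in ("whitelist", "whitelist_https", "whitelist_transparent_https"):
        result = req["host"] in WHITELIST
    elif base == "https_port":
        result = req["port"] == 3130
    else:  # Squid rejects a rule that references an ACL that was never defined
        raise KeyError(f"undefined ACL: {base}")
    return result != negate

def http_access(rules, req):
    """First-match evaluation: the first rule whose ACLs all match decides.
    Returns (verdict, matched_rule_text)."""
    for action, *acls in rules:
        if all(acl_match(a, req) for a in acls):
            return action, " ".join([action, *acls])
    # No match: Squid applies the opposite of the last rule's action.
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), "<implicit default>"

# The http_access lines in the order the quoted squid-transparent.conf uses them.
RULES_AS_POSTED = [
    ("allow", "localnet", "whitelist"),
    ("deny", "localnet", "whitelist_https", "!https_port"),
    ("deny", "localnet", "whitelist_transparent_https", "!https_port"),
    ("allow", "https_port"),
    ("deny", "all"),
]
# One candidate fix (my illustration, not from the thread): drop the broad
# port-based allow so non-whitelisted hosts fall through to "deny all".
RULES_FIXED = [r for r in RULES_AS_POSTED if r != ("allow", "https_port")]

# Constructed requests mirroring test cases 1 and 5 from the quoted message.
CASE1 = {"src": "192.168.1.10", "host": "pypi.org", "port": 3130}
CASE5 = {"src": "192.168.1.10", "host": "yahoo.co.jp", "port": 3130}
```

Calling http_access(RULES_AS_POSTED, CASE5) returns the matched rule text, which makes the offending line visible without reading every http_access entry by hand.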