[squid-users] Questions about Squid configuration
にば
taku0919.taku at gmail.com
Fri Aug 30 02:28:11 UTC 2024
Alex, people in the Squid community
I really appreciate your cooperation.
I am continuing to verify this based on the responses I have received.
With the newly reviewed configuration in the attachment,
I was able to confirm that if any one of the SNI, IP, or Host in the
request is incorrect (not allowed by the whitelist),
Squid correctly checks it and returns a 409 Conflict.
However, I found the following statement in the following official document
https://www.squid-cache.org/Doc/config/host_verify_strict/
> * The host names (domain or IP) must be identical,
> but valueless or missing Host header disables all checks.
> For the two host names to match, both must be either IP
> or FQDN.
So I ran an additional validation with an empty Host value, and the
request succeeded for a domain that was not in the whitelist.
The curl command for verification is below, and as before, only
.pypi.org is allowed in the whitelist.
date;curl https://www.yahoo.co.jp/ -H "Host:" -v --cacert squid.crt -k
Is it possible for Squid to prevent such requests as well?
Are there other patterns of requests that cannot be prevented by the
current setup?
Please advise if you have any information.
On Thu, Aug 8, 2024 at 21:33 Alex Rousskov <rousskov at measurement-factory.com> wrote:
>
> On 2024-08-06 20:59, にば wrote:
>
> > When using Squid transparently, is it possible to control the
> > whitelist of the domain to connect to and inspect the Host field in
> > the request header together?
>
> Short answer: Yes.
>
>
> > According to the verification results, the Host field can be inspected
> > by "host_verify_strict on" in squid-transparent.conf, but it seems
> > that the whitelist is not controlled.
>
> AFAICT, the configuration you have shared allows all banned[1] traffic
> to/through https_port. For the problematic test case #5:
>
> All these http_access rules do _not_ match:
>
> > http_access allow localnet whitelist
> > http_access deny localnet whitelist_https !https_port
> > http_access deny localnet whitelist_transparent_https !https_port
>
>
> And then this next rule matches and allows traffic through:
>
> > http_access allow https_port
>
>
> This last http_access rule is not reached:
>
> > http_access deny all
>
>
> N.B. The above analysis assumes that your https_port ACL is explicitly
> defined in your squid.conf to match all traffic received at https_port.
> If you do not have such an ACL defined, then you need to fix that
> problem as well. I recommend naming ACLs differently from directive
> names (e.g., "toHttpsPort" rather than "https_port").
>
>
> Please note that Squid v4 is not supported by the Squid Project and is
> very buggy. I recommend using Squid v6 or later.
>
>
> HTH,
>
> Alex.
> [1] Here, "banned" means "_not_ matching whitelist ACL".
>
>
> > ■Configuration Details
> > 〇squid-transparent.conf (Excerpts)
> > #Whitelist
> > acl whitelist dstdomain "/etc/squid/whitelist"
> > acl whitelist dstdomain "/etc/squid/whitelist_transparent"
> > acl whitelist_https dstdomain "/etc/squid/whitelist_https"
> > acl whitelist_transparent_https dstdomain
> > "/etc/squid/whitelist_transparent_https"
> >
> > proxy_protocol_access allow localnet
> > proxy_protocol_access deny all
> > http_access allow localnet whitelist
> > http_access deny localnet whitelist_https !https_port
> > http_access deny localnet whitelist_transparent_https !https_port
> >
> > # Handling HTTP requests
> > http_port 3129 intercept
> > # Handling HTTPS requests
> > https_port 3130 intercept tcpkeepalive=60,30,3 ssl-bump
> > generate-host-certificates=on dynamic_cert_mem_cache_size=20MB
> > tls-cert=/etc/squid/ssl/squid.crt tls-key=/etc/squid/ssl/squid.key
> > cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS
> > options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
> > tls-dh=prime256v1:/etc/squid/ssl/bump_dhparam.pem
> > # Start up for squid process
> > http_port 3131
> > http_access allow https_port
> > acl allowed_https_sites ssl::server_name "/etc/squid/whitelist"
> > acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_transparent"
> > acl allowed_https_sites ssl::server_name "/etc/squid/whitelist_https"
> > acl allowed_https_sites ssl::server_name
> > "/etc/squid/whitelist_transparent_https"
> >
> > http_access deny all
> >
> > # strict setting
> > host_verify_strict on
> >
> > # SSL_BUMP
> > sslcrtd_program /usr/lib64/squid/security_file_certgen -s
> > /var/lib/squid/ssl_db -M 20MB
> > acl step1 at_step SslBump1
> > acl step2 at_step SslBump2
> > acl step3 at_step SslBump3
> >
> > ssl_bump bump all
>
>
> > ■Verification of Settings
> > I ran the curl command from each of the client environments that use Squid.
> > 1. if SNI, Destination IP, and HeaderHost are correct, the user should
> > be able to connect to pypi.org
> > Command:
> > date;curl https://pypi.org/ -v --cacert squid_2.crt -k
> > Result: OK
> >
> > 2. rejection of communication to pypi.org if SNI is correct but
> > destination IP and HeaderHost are incorrect
> > Command:
> > date;curl https://pypi.org/ --resolve pypi.org:443:182.22.24.252 -H
> > "Host: www.yahoo.co.jp" -v --cacert squid_2.crt -k
> > Result: OK (409 Conflict is returned)
> >
> > 3. rejection of communication to pypi.org if SNI and destination IP
> > are correct and HeaderHost is incorrect
> > Command:
> > date;curl https://pypi.org/ -H "Host: www.yahoo.co.jp" -v --cacert
> > squid_2.crt -k
> > Result: OK (409 Conflict returned)
> >
> > 4. rejection of communication to pypi.org if SNI and HeaderHost are
> > correct but destination IP is incorrect
> > Command:
> > date;curl https://pypi.org/ --resolve pypi.org:443:182.22.24.252 -v
> > --cacert squid_2.crt -k
> > Result: OK (409 Conflict returned)
> >
> > 5. if SNI, destination IP, and HeaderHost are all invalid (yahoo.co.jp
> > not registered in whitelist), communication will be rejected
> > Command:
> > date;curl https://yahoo.co.jp/ -v --cacert squid_2.crt -k
> > Result: NG (301 Moved Permanently is returned, but it appears that the
> > communication is reaching yahoo.co.jp)
>
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squid-transparent.conf
Type: application/octet-stream
Size: 3409 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240830/dbd8641e/attachment-0001.obj>
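The two behaviours the thread turns on, Alex's first-match walk through the http_access list (why test case #5 falls through to `http_access allow https_port`) and the host_verify_strict note that an empty Host header disables the check, are modelled below in an added example. This is not code from the thread or from the Squid project; it is a small simulator written for this page. It assumes Squid's documented http_access semantics (top-to-bottom, first line whose ACLs all match wins, `!` negates, no match gives the opposite of the last line's action), a dstdomain rule where a leading dot covers the domain and its subdomains, a placeholder localnet of 192.168.0.0/16, empty `whitelist_https` lists, and a hypothetical tightened rule order (`TIGHTENED_RULES`) that drops the unconditional allow so the final deny is reachable. The sample requests are constructed.

```python
"""Added example: model of Squid http_access first-match evaluation and of the
host_verify_strict caveat quoted in the thread. Not Squid's own code; the
semantics below are assumptions stated in the lead-in, chosen to reproduce
the behaviour described in the thread on constructed sample requests."""
import ipaddress

# Constructed ACL data: only .pypi.org is whitelisted, as in the thread.
WHITELIST_ENTRIES = [".pypi.org"]
LOCALNET = ipaddress.ip_network("192.168.0.0/16")  # placeholder localnet


def dstdomain_matches(domain: str, entries) -> bool:
    """dstdomain-style match: '.example.org' covers example.org and subdomains;
    an entry without a leading dot matches only that exact name."""
    domain = domain.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            suffix = entry[1:]
            if domain == suffix or domain.endswith("." + suffix):
                return True
        elif domain == entry:
            return True
    return False


def acl_matches(name: str, req: dict) -> bool:
    """Evaluate one ACL name (optionally negated with '!') against a request."""
    if name.startswith("!"):
        return not acl_matches(name[1:], req)
    if name == "all":
        return True
    if name == "localnet":
        return ipaddress.ip_address(req["client_ip"]) in LOCALNET
    if name == "whitelist":
        return dstdomain_matches(req["dst_domain"], WHITELIST_ENTRIES)
    if name in ("whitelist_https", "whitelist_transparent_https"):
        return False  # constructed: these lists are empty in the model
    if name == "https_port":  # same ACL name as the thread's config uses
        return req["port"] == "https_port"
    raise KeyError(f"unknown ACL {name}")


def http_access(rules, req: dict):
    """First-match evaluation of an http_access list.

    Returns (action, index of the matching line); index is None when no line
    matched and the default (opposite of the last line's action) applied."""
    for i, (action, acls) in enumerate(rules):
        if all(acl_matches(a, req) for a in acls):
            return action, i
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None


# http_access order from the quoted squid-transparent.conf (other directives omitted).
ORIGINAL_RULES = [
    ("allow", ["localnet", "whitelist"]),
    ("deny", ["localnet", "whitelist_https", "!https_port"]),
    ("deny", ["localnet", "whitelist_transparent_https", "!https_port"]),
    ("allow", ["https_port"]),  # unconditional: matches everything at https_port
    ("deny", ["all"]),          # never reached for https_port traffic
]

# Hypothetical tightened order: nothing is allowed unless the whitelist
# matches, so the closing deny is reachable for non-whitelisted names.
TIGHTENED_RULES = [
    ("allow", ["localnet", "whitelist"]),
    ("deny", ["all"]),
]


def host_verify_strict(sni: str, host_header) -> str:
    """Model of the quoted documentation note: a valueless or missing Host
    header disables the comparison; a present, mismatching Host yields 409."""
    if host_header is None or host_header.strip() == "":
        return "skipped"
    return "ok" if host_header.strip().lower() == sni.lower() else "409 Conflict"


if __name__ == "__main__":
    # Constructed requests mirroring test case #5 (yahoo.co.jp) and #1 (pypi.org).
    case5 = {"client_ip": "192.168.1.10", "dst_domain": "yahoo.co.jp", "port": "https_port"}
    case1 = {"client_ip": "192.168.1.10", "dst_domain": "pypi.org", "port": "https_port"}
    print("original, case 5:", http_access(ORIGINAL_RULES, case5))   # ('allow', 3)
    print("tightened, case 5:", http_access(TIGHTENED_RULES, case5))  # ('deny', 1)
    print("tightened, case 1:", http_access(TIGHTENED_RULES, case1))  # ('allow', 0)
    print("empty Host header:", host_verify_strict("www.yahoo.co.jp", ""))  # 'skipped'
```

The index returned by `http_access` is the useful diagnostic: on the original order a non-whitelisted name at https_port reports line 3 (`allow https_port`), not the closing deny, which is exactly the fall-through Alex traced. The `host_verify_strict` model shows why the `-H "Host:"` curl test is not caught by that directive: with no Host value there is nothing to compare, so name enforcement has to come from the http_access and `ssl::server_name` ACLs rather than from host verification.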