[squid-users] Validation of IP address for SSL spliced connections

Rik Theys Rik.Theys at esat.kuleuven.be
Wed May 29 09:01:31 UTC 2024


Hi,

I'm configuring squid as a transparent proxy where local outbound 
traffic is redirected to a local squid process using tproxy.

I would like to limit the domains the host can contact by having an 
allow list. I have the following config file:

------

acl allowed_clients src "/etc/squid/allowed_clients"

acl allowed_domains dstdomain "/etc/squid/allowed_domains"

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Additional access control lists
acl https_domains ssl::server_name "/etc/squid/allowed_domains"

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow allowed_clients allowed_domains
http_access allow allowed_clients CONNECT

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump cert=/etc/squid/cert/local_ca.pem

# SSL bump configuration
ssl_bump peek step1
ssl_bump peek step2 https_domains
ssl_bump splice step3 https_domains
ssl_bump terminate all

------

When the Host header in an intercepted request matches a domain on the 
allowed_domains list, the request is allowed. Otherwise it's denied as 
expected.

But squid doesn't seem to validate that the IP address we're connecting 
to is valid for the specified name in the SNI header?

For example, if I add "wordpress.org" to my allowed_domains list, the 
following request is allowed:

curl -v https://wordpress.org --connect-to wordpress.org:443:8.8.8.8:443

8.8.8.8 is not a valid IP address for wordpress.org. This could be used 
to bypass the restrictions.

Is there an option in squid to make it perform a forward DNS lookup for 
the domain from the SNI information from step1 to validate that the IP 
address we're trying to connect to is actually valid for that host? In 
the example above, a DNS lookup for wordpress.org would return 
198.143.164.252 as the IP address. This is not the IP address we're 
trying to connect to, so squid should block the request.

Similar question for the server certificate: I've configured the 
'ssl_bump peek step2 https_domains' line so squid can peek at the server 
certificate. Is there a way to configure squid to validate that the 
server certificate is valid for the host specified in the SNI header?


Regards,

Rik
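The check the message asks for, destination IP versus forward DNS for the SNI name, written out as a small Python helper in the Squid external ACL helper style (one request per stdin line, answer OK or ERR). This is an added example, not Squid code and not the poster's; the `<sni> <dst_ip>` input format, the `table_resolver` and its `CONSTRUCTED_DNS` table are assumptions for offline use, and the real `socket` lookup uses whatever resolver the host is configured with.

```python
import ipaddress
import socket
import sys

# Constructed sample answers for offline use; the one real address is the one
# quoted in the message above (198.143.164.252 for wordpress.org).
CONSTRUCTED_DNS = {"wordpress.org": {"198.143.164.252"}}


def table_resolver(name):
    """Resolver that answers only from CONSTRUCTED_DNS (no network)."""
    return {ipaddress.ip_address(a) for a in CONSTRUCTED_DNS.get(name, ())}


def system_resolver(name):
    """Forward-resolve NAME (A and AAAA) with the host's configured resolver."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()  # unresolvable name: no address can be valid for it
    return {ipaddress.ip_address(sockaddr[0]) for *_rest, sockaddr in infos}


def destination_matches_sni(sni, dst_ip, resolver=system_resolver):
    """True when DST_IP is one of the addresses SNI currently resolves to.

    Empty SNI, an unparsable address, or a name with no answers all fail closed.
    Names are lowercased and the trailing dot dropped so "WordPress.org." matches.
    """
    if not sni:
        return False
    try:
        dst = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False
    return dst in resolver(sni.rstrip(".").lower())


def main():
    # Helper loop: read "<sni> <dst_ip>" per line, reply OK (allow) or ERR (deny).
    for line in sys.stdin:
        fields = line.split()
        ok = len(fields) == 2 and destination_matches_sni(fields[0], fields[1])
        sys.stdout.write("OK\n" if ok else "ERR\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Names hosted on CDNs or round-robin pools can resolve to addresses the helper did not see, so expect false ERRs unless the helper and the clients share the same resolver and the check tolerates the full answer set.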