Re: [squid-users] Intercepting BITS_POST

2016-01-09 Thread Saravanan Coimbatore
Hi Amos,

MSFT uses a handshake mechanism to sync files between enterprise and Cloud. We 
use squid with icap plugins to analyze data.

The handshake is BITS_POST which is based on HTTP 1.1. When we enabled the icap 
plugin, the request was not going through. We were getting OTHER_METHOD 
response. We debugged this and fixed it where we added BITS_POST as a valid 
method/verb in Squid. We will be submitting this change for review to squid 
team.

Thanks,
Saravanan

On Jan 9, 2016 11:15 PM, Amos Jeffries  wrote:
On 6/01/2016 2:33 p.m., Saravanan Coimbatore wrote:
> All,
>
> I would like to use Squid Proxy combined with C-ICAP or any other
> mechanism to intercept and analyze files uploaded using BITS_POST in
> OneDrive for MSFT. Is it possible?

What is this "BITS_POST" thing you speak of?

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Intercepting BITS_POST

2016-01-09 Thread Amos Jeffries
On 6/01/2016 2:33 p.m., Saravanan Coimbatore wrote:
> All,
> 
> I would like to use Squid Proxy combined with C-ICAP or any other
> mechanism to intercept and analyze files uploaded using BITS_POST in
> OneDrive for MSFT. Is it possible?

What is this "BITS_POST" thing you speak of?

Amos



[squid-users] [squid-announce] Squid 3.5.13 is available

2016-01-09 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-3.5.13 release!


This release is a bug fix release resolving issues found in the prior
Squid releases and hardening security.


  Please note the TLS feature backport is an exceptional situation.
  The Squid Project policy is (and remains) not to backport feature
  changes affecting squid.conf within a stable/production release.


The major changes to be aware of:


* Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange

The Squid-4 functionality supporting Elliptic Curve cryptography has
been backported to this release to better suit community needs.


* Complete certificate chains using external intermediate certificates

Many origin servers do not send complete certificate chains. Many
browsers use certificate extensions in the server certificate to
download the missing intermediate certificates automatically from the
Internet. Squid-3 does not do that.

This backported Squid-4 feature allows an admin to supply a file with
intermediate certificates that Squid may use to complete certificate
chains. These intermediate certificates are _not_ treated as trusted
root certificates.


* SSL-Bump: Avoid memory overuse with X.509 certificate validator

SSL-Bump TLS contexts are created dynamically and potentially in large
numbers. When certificate validator was used the validator response was
causing the context to be leaked.

Note: There are other known (and some unknown) memory issues related to
certificate validation which remain to be solved.


* Fix connection retry and fallback after failed server TLS connections

Previous Squid-3.4 and 3.5 releases would attempt only one server
connection when forwarding a bumped https:// and if that failed would
produce an error. This release will now retry with other servers as done
with http:// requests.



 All users of Squid are urged to upgrade to this release as soon as
possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html
when you are ready to make the switch to Squid-3.5

Upgrade tip:
  "squid -k parse" is starting to display even more
   useful hints about squid.conf changes.

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v3/3.5/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/3.5/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries
___
squid-announce mailing list
squid-annou...@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


[squid-users] [squid-announce] Squid-4.0.4 beta is available

2016-01-09 Thread Amos Jeffries
The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.4 release!


This release is a beta release resolving some issues found in the prior
Squid releases.

The major changes to be aware of:


* Several regression bugs fixed

 - Bug 4393: compile fails on OS X
 - Bug 4392: assertion CbcPointer.h:159: 'c' via tunnelServerClosed or
tunnelClientClosed


* Some minor squid.conf additions

 - cache_peer support for Kerberos credentials cache instead of keytab
 - Support logging of TLS Cryptography Parameters
 - Support substring matching in Note ACL


 All users of Squid are encouraged to test this release out and plan for
upgrades where possible.


 See the ChangeLog for the full list of changes in this and earlier
 releases.

Please refer to the release notes at
http://www.squid-cache.org/Versions/v4/RELEASENOTES.html
when you are ready to make the switch to Squid-4

This new release can be downloaded from our HTTP or FTP servers

 http://www.squid-cache.org/Versions/v4/
 ftp://ftp.squid-cache.org/pub/squid/
 ftp://ftp.squid-cache.org/pub/archive/4/

or the mirrors. For a list of mirror sites see

 http://www.squid-cache.org/Download/http-mirrors.html
 http://www.squid-cache.org/Download/mirrors.html

If you encounter any issues with this release please file a bug report.
http://bugs.squid-cache.org/


Amos Jeffries



Re: [squid-users] Running configuration

2016-01-09 Thread Amos Jeffries
On 10/01/2016 2:29 p.m., Roman Gelfand wrote:
> I accidentally deleted the squid.conf while squid has been running.  The
> squid is still running.  Is there a way to retrieve a running configuration?
> 

If you can remember the cachemgr password:

  squidclient mgr:config


NP: there may be some output bugs in the dumper and it produces a config
with a lot of default values explicitly set. So you definitely want to
clean it up manually afterwards.

Amos


Re: [squid-users] squid 4.0.3 - sslflags not working?

2016-01-09 Thread Amos Jeffries
On 9/01/2016 10:06 a.m., Florian Stamer wrote:
> Hi,
> 
> tested the latest snapshot and the 4.0.4
> 
> Still the same.

Thanks for the quick feedback. Not sure what to look at at this point; the
context creation logic in Squid all seems to be checking the right flags.

Hopefully Christos might have an idea what I'm overlooking, so cc'ing
just in case he has not seen this yet.

Amos

> -Original Message-
> From: Amos Jeffries
> 
> On 4/01/2016 8:58 a.m., Florian Stamer wrote:
>> Hi, I'm currently testing Squid 4.0.3 in reverse proxy mode.
>>
>> It seems that the sslflags directives "DONT_VERIFY_PEER" and 
>> "DONT_VERIFY_DOMAIN" do not work.
>>
> 
> Should be. They are planned for removal, but nothing towards that has
> happened yet.
> 
>> Here is the relevant config:
>>
>> https_port 443 accel cert=/etc/squid/ssl/wildcard.cer
>> key=/etc/squid/ssl/wildcard.key defaultsite=externeURL
>> cipher=HIGH:!aNULL options=SINGLE_DH_USE,NO_SSLv3
>> dhparams=/etc/squid/ssl/dhparams.pem

>> cache_peer localserver parent 443 0 proxy-only no-query no-digest
>> front-end-https=on originserver login=PASS ssl ssloptions=NO_SSLv3
>> sslflags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN name=ExchangeCAS
>>
>> It works perfectly in my production system based on Ubuntu LTS 14.04.3,
>> Squid 3.3.8.
>>
>> Every time I try to access the site I get an error:
>>
>> The system returned:
>> (71) Protocol error (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
>> Certificate does not match domainname
>>
>> I'm using a SAN Certificate...
>>
>> I can work around this using the directive "sslproxy_cert_error allow all".
>> But that is not what I want...
>>
>> Are there any issues known?
>> Is something wrong with my config?
> 
> Nothing obvious.
> 
> It might be related to one of the issues fixed since 4.0.3 was packaged.
> Are you able to try the latest 4.x snapshot ?
> 
> Amos




Re: [squid-users] ssl_ctrd aborts in 3.5.13

2016-01-09 Thread Amos Jeffries
On 10/01/2016 8:42 a.m., Eliezer Croitoru wrote:
> On 09/01/2016 04:03, xxiao8 wrote:
>> Hi,
>>
>> I'm seeing the below errors, 25 bytes are the string of "'Initialization
>> SSL db..." itself, anyone else experienced this?
>>
>> This is a typical https-transparent case.
> 
> 
> Was 3.5.13 release announced somewhere?? I do not see any mailing list
> mail about it.

Not formally yet. Thanks for the reminder.

Amos



Re: [squid-users] Questions about tcp_outgoing_address

2016-01-09 Thread Amos Jeffries
On 9/01/2016 4:54 p.m., Verónica Ovando wrote:
> Hi!
> 
> I have some specific questions about the directive
> /tcp_outgoing_address/. I need to know if it could work for my deployment:
> 
> My Squid 34.8 runs over Debian Jessie. I have a multiwan environment
> with dual internet connection.
> 
> There are some clients that visit web pages that only allow certain
> public IPs to access them. Only one of my two public IPs is allowed to
> access those services. I read some examples about /tcp_outgoing_address/
> from the Squid docs and other resources and they are all like this one:
>
> acl abc src 10.0.0.0/24
> acl xyz 10.0.2.0/24
> tcp_outgoing_address 10.1.0.1 abc
> tcp_outgoing_address 10.1.0.2 xyz
> tcp_outgoing_address 10.1.0.3
> 
> I am not sure (this is the reason of my question) if I can use the
> directive in this way:
> 
> acl pages url_regex -i "/path/to/restricted_access_pages"
> tcp_outgoing_address my_gateway_ip abc
> 

You can. The directive ACLs have access to anything in the HTTP request
message, TCP client connection state, and the destination server IP but
no other server details than IP.

Just be aware that order is important, the first line to match for any
connection will be applied and the remainder ignored.


> Also, in multiwan environments frequent disconnect issues are common.
> Can Squid handle the problem with /tcp_outgoing_address/, for example
> when users need to access email, to avoid those disconnection
> problems? (I don't have load balancing, so the http requests use both
> ADSL connections) Example:
> 
> acl email url_regex -i "/path/to/email_pages"
> tcp_outgoing_address my_gateway_ip email
>  

No. All it does is select which IP to set on the TCP packets when
opening a new outbound TCP connection. That in turn hints to the OS
about which routing needs to be applied, but no more than that.

It is also restricted in that the rules will only affect traffic of the
same IP version as the address wanting to be set. A line with IPv4
address will have no effect on IPv6 outbound connections, and vice versa.

PS / FYI: there is no good reason for a multi-WAN environment to
encounter disconnection issues. If you are seeing such, then something
is broken in your network routing or traffic management software. That
is off topic here, but hopefully will head you in the right direction
for a useful fix.

Amos
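A small check for the two rules stated above (the first matching line wins, and an address only applies to outbound connections of its own IP family), written as an added example rather than anything taken from Squid. It pulls the tcp_outgoing_address lines out of a constructed squid.conf fragment, flags rules that an earlier catch-all line shadows, and models which address one connection would get. ACL evaluation is assumed to have already happened (the caller passes the set of ACL names that matched); 203.0.113.0/24 and 2001:db8::/32 are documentation ranges, not real gateways.

```python
"""Lint tcp_outgoing_address lines for first-match shadowing and the
IPv4/IPv6 family rule. Added example; not Squid code. Config text is constructed."""
import ipaddress
import re

LINE_RE = re.compile(r"^\s*tcp_outgoing_address\s+(\S+)(?:\s+(.*))?$")


def parse_rules(conf_text):
    """Return [(line_no, ip_address, [acl names])] for every tcp_outgoing_address line."""
    rules = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        acls = (m.group(2) or "").split()
        rules.append((n, addr, acls))
    return rules


def lint(conf_text):
    """Return human-readable warnings; an empty list means the rules are usable."""
    warnings = []
    catch_all = {}                            # IP version -> line number of first line with no ACLs
    for n, addr, acls in parse_rules(conf_text):
        fam = addr.version
        if fam in catch_all:
            warnings.append("line %d: IPv%d rule is shadowed by the catch-all on line %d and will never match"
                            % (n, fam, catch_all[fam]))
        elif not acls:
            catch_all[fam] = n
    families = {addr.version for _, addr, _ in parse_rules(conf_text)}
    if families == {4}:
        warnings.append("only IPv4 addresses configured: IPv6 outbound connections keep the OS default source")
    elif families == {6}:
        warnings.append("only IPv6 addresses configured: IPv4 outbound connections keep the OS default source")
    return warnings


def acl_matches(acl, matching_acls):
    """'!name' negates; a bare name must be in the set of ACLs that matched."""
    if acl.startswith("!"):
        return acl[1:] not in matching_acls
    return acl in matching_acls


def select_address(conf_text, matching_acls, server_ip):
    """First-match selection for one new outbound connection; None means no rule applies.
    matching_acls: names of the ACLs that matched this request (assumed pre-evaluated)."""
    dst = ipaddress.ip_address(server_ip)
    for _, addr, acls in parse_rules(conf_text):
        if addr.version != dst.version:       # an IPv4 line never applies to an IPv6 connection
            continue
        if all(acl_matches(a, matching_acls) for a in acls):
            return str(addr)
    return None


# Constructed fragments: the first repeats the ordering mistake the reply warns about.
BAD_CONF = """
acl pages url_regex -i "/path/to/restricted_access_pages"
tcp_outgoing_address 203.0.113.10        # catch-all first: shadows the next line
tcp_outgoing_address 203.0.113.20 pages
"""

GOOD_CONF = """
acl pages url_regex -i "/path/to/restricted_access_pages"
tcp_outgoing_address 203.0.113.20 pages
tcp_outgoing_address 2001:db8::20 pages
tcp_outgoing_address 203.0.113.10
tcp_outgoing_address 2001:db8::10
"""

if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, lint(conf) or "clean")
        print("  pages/IPv4 ->", select_address(conf, {"pages"}, "198.51.100.7"))
        print("  pages/IPv6 ->", select_address(conf, {"pages"}, "2001:db8:1::1"))
```

Run it against a real squid.conf with `lint(open("/etc/squid/squid.conf").read())`; the selection model only covers which line is chosen, not whether the OS routes from that address.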


Re: [squid-users] ssl-bump and accel

2016-01-09 Thread Amos Jeffries
On 9/01/2016 7:48 a.m., Nir Krakowski wrote:
> This is what needs to be done to get it to work in squid >3.5 in function
> ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const
> Dns::LookupDetails &dns):
> 

Hell NO

clientConn is the state data about the TCP connection the message
arrived on. HTTP and SSL-Bump in no way alter the reality of what
src/dst IPs those TCP packets contain.

There may be a bug needing a fix, but it absolutely is not that patch.


By applying that patch you are allowing a remote sender to both bypass
all your Squid protections, and any network firewall security you may
have external to Squid. While simultaneously recording in your Squid
logs any value of its choosing for the destination IPs of its attack
traffic.

Amos

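The check defended above, as an added example in Python rather than Squid source (Squid's own version is ClientRequestContext::hostHeaderIpVerify, with host_verify_strict deciding what happens on failure). On an intercepted connection the client already chose the destination with its TCP packets, so the Host header is only believed when it resolves to that same address. The second routine is a constructed illustration of the alternative the reply rejects, not the posted patch: it forwards wherever the Host header points, which is what lets a sender reach an address the perimeter firewall never allowed. The DNS table, firewall rule, names and addresses are all constructed; nothing is looked up for real.

```python
"""Host header versus intercepted TCP destination. Added example, not Squid code;
DNS answers, firewall policy and requests are constructed."""
import ipaddress

# Constructed stand-in for Squid's ipcache.
FAKE_DNS = {
    "www.example.com": {"93.184.216.34"},
    "intranet.corp.example": {"10.0.0.5"},
}

# Constructed perimeter rule: the only address the client was allowed to connect to.
FIREWALL_ALLOWED_DST = {"93.184.216.34"}


def resolve(host, table=FAKE_DNS):
    return table.get(host.lower(), set())


def host_name(host_header):
    """Strip an optional :port; IPv6 literals arrive bracketed."""
    h = host_header.strip()
    if h.startswith("["):
        return h[1:h.index("]")]
    return h.split(":", 1)[0]


def verify_and_route(host_header, tcp_dst_ip, lookup=resolve):
    """Strict model of the check: returns (destination_ip or None, verdict).
    The request is only forwarded when Host names the address the packets went to."""
    host = host_name(host_header)
    try:
        ok = str(ipaddress.ip_address(host)) == tcp_dst_ip   # Host is an IP literal
    except ValueError:
        ok = tcp_dst_ip in lookup(host)                     # Host is a name
    if ok:
        return tcp_dst_ip, "OK: Host matches the intercepted destination"
    return None, "REJECT: Host %s does not resolve to %s" % (host, tcp_dst_ip)


def route_trusting_host(host_header, tcp_dst_ip, lookup=resolve):
    """The unsafe alternative (constructed illustration): forward wherever the
    client-supplied Host header resolves, ignoring where the packets were sent."""
    answers = sorted(lookup(host_name(host_header)))
    return (answers[0] if answers else tcp_dst_ip), "forwarded to Host header target"


def bypass_possible(host_header, tcp_dst_ip):
    """True when trusting Host would carry traffic to an address the firewall
    never let this client reach: the bypass the reply describes."""
    dst, _ = route_trusting_host(host_header, tcp_dst_ip)
    return dst not in FIREWALL_ALLOWED_DST


if __name__ == "__main__":
    # Client was allowed to reach 93.184.216.34 and connected there, but sends
    # a Host header naming an internal system.
    for hdr in ("www.example.com", "intranet.corp.example"):
        print(hdr, "strict ->", verify_and_route(hdr, "93.184.216.34"))
        print(hdr, "trusting Host ->", route_trusting_host(hdr, "93.184.216.34"),
              "bypass:", bypass_possible(hdr, "93.184.216.34"))
```

The same mismatch is what would land in access.log if the Host value were logged as the destination: the log would show intranet.corp.example while the packets had gone to 93.184.216.34.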


Re: [squid-users] Digest LDAP authentication

2016-01-09 Thread Amos Jeffries
On 9/01/2016 3:50 a.m., Olivier Desport wrote:
> Hello,
> 
> I'm trying to implement digest LDAP authentication with digest_ldap_auth
> on Squid 3.4.
> 
> When I try to connect with command line, It succeeds :
> 
> echo '"":""' | /usr/lib/squid3/digest_ldap_auth -b
> ou= -u uid -A l -W /etc/digestreader_cred -e -v 3  
> OK ha1="..."
> 
> In squid.conf
> 
> auth_param digest program /usr/lib/squid3/digest_ldap_auth -b
> 'ou=' -u uid -A l -W /etc/digestreader_cred -e -v 3 -h 
> auth_param digest children 5
> auth_param digest realm ""
> auth_param digest casesensitive off
> 
> When I test with a browser, the authentication popup with username and
> password appears. But I don't know what credentials to give. I've tried
> with "":"" for username and the clear password but It
> doesn't work. The popup appears again and nothing is written in access.log.
> 
> Could you help me ?
> 

Perhaps it is that Squid has been told your realm string contains
quotation marks. I've always thought it very strange that people would
have realms like:
  ""Foo""

Try with just:
  auth_param digest realm REALM


Amos

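The RFC 2617 arithmetic behind the realm advice above, as an added example (not Squid or digest_ldap_auth code). The browser hashes username:realm:password using the realm string exactly as the proxy advertised it, and Squid then asks the helper for "user":"realm" and expects OK ha1="..." back (the exchange the command-line test in the question shows). If the stored HA1 was produced over the bare realm but Squid advertises one wrapped in quotation marks, the two sides hash different bytes and every attempt fails with a fresh 407. The user, password, nonce values and the dict standing in for LDAP are constructed; the assumption that the directory is keyed by realm is a modelling choice.

```python
"""Digest HA1/realm round trip between browser, Squid and a digest helper.
Added example; credentials and the LDAP stand-in are constructed."""
import hashlib
import hmac


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(user, realm, password):
    """RFC 2617 HA1 = MD5(username ":" realm ":" password)."""
    return md5hex("%s:%s:%s" % (user, realm, password))


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth."""
    ha2 = md5hex("%s:%s" % (method, uri))
    return md5hex("%s:%s:%s:%s:%s:%s" % (ha1_hex, nonce, nc, cnonce, qop, ha2))


# Constructed directory: HA1 pre-computed for the bare realm string "REALM".
STORED_HA1 = {("alice", "REALM"): ha1("alice", "REALM", "s3cret")}


def helper_reply(user, realm):
    """Model of the helper side: Squid writes "user":"realm", the helper answers
    OK ha1="<hex>" or ERR."""
    h = STORED_HA1.get((user, realm))
    return 'OK ha1="%s"' % h if h else "ERR"


def browser_response(user, password, advertised_realm, method, uri, nonce, nc, cnonce):
    """What the browser sends after the 407: HA1 over the realm it was shown."""
    return digest_response(ha1(user, advertised_realm, password), method, uri, nonce, nc, cnonce)


def proxy_accepts(user, advertised_realm, method, uri, nonce, nc, cnonce, response):
    """Proxy side: fetch HA1 from the helper, recompute, compare in constant time."""
    reply = helper_reply(user, advertised_realm)
    if not reply.startswith('OK ha1="'):
        return False
    stored = reply[len('OK ha1="'):-1]
    expected = digest_response(stored, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def login_succeeds(advertised_realm):
    """Full round trip for alice against a proxy advertising advertised_realm."""
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = browser_response("alice", "s3cret", advertised_realm, "GET", "/", nonce, nc, cnonce)
    return proxy_accepts("alice", advertised_realm, "GET", "/", nonce, nc, cnonce, resp)


if __name__ == "__main__":
    print("realm REALM   ->", login_succeeds("REALM"))      # bare realm: accepted
    print('realm "REALM" ->', login_succeeds('"REALM"'))    # quoted realm: rejected, 407 loop
```

The quick field check is the same as the one in the question: feed the helper the exact realm Squid advertises and confirm it still answers OK ha1=... for that realm; an ERR there explains an endless credential prompt with nothing in access.log.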


[squid-users] Running configuration

2016-01-09 Thread Roman Gelfand
I accidentally deleted the squid.conf while squid has been running.  The
squid is still running.  Is there a way to retrieve a running configuration?


Re: [squid-users] ssl_ctrd aborts in 3.5.13

2016-01-09 Thread Yuri Voinov



10.01.16 1:42, Eliezer Croitoru wrote:
> On 09/01/2016 04:03, xxiao8 wrote:
>> Hi,
>>
>> I'm seeing the below errors, 25 bytes are the string of "'Initialization
>> SSL db..." itself, anyone else experienced this?
>>
>> This is a typical https-transparent case.
>
>
> Was 3.5.13 release announced somewhere?? I do not see any mailing list
mail about it.
Who wanted to - he saw :)

>
> Eliezer




Re: [squid-users] ssl_ctrd aborts in 3.5.13

2016-01-09 Thread Eliezer Croitoru

On 09/01/2016 04:03, xxiao8 wrote:

Hi,

I'm seeing the below errors, 25 bytes are the string of "'Initialization
SSL db..." itself, anyone else experienced this?

This is a typical https-transparent case.



Was 3.5.13 release announced somewhere?? I do not see any mailing list 
mail about it.


Eliezer


Re: [squid-users] URL Rewrite for https via Squidguard

2016-01-09 Thread Yuri Voinov



10.01.16 1:36, Marcus Kool wrote:
>
>
> On 01/09/2016 09:49 AM, Darren wrote:
>> Hi
>>
>> Thanks Marcus
>>
>> I have been hacking my own branch of Squidguard so I can add support
for the SNI (I hope)
>>
>> How would I get the peek SNI output to the url_rewriter?
>
> using  url_rewrite_extras
>
>> I am a bit of a peek newcomer.
>>
>> Sounds like there is some hope and a possible way forward.
This is not for a newcomer, Marcus ;)
>>
>> regards
>>
>> Darren B.
>>
>>
>>
>>
>>
>>

>>>
>>> On 9/01/2016 5:46:36 PM, Marcus Kool 
wrote:
>>>
>>>
>>>
>>> On 01/09/2016 05:07 AM, Darren wrote:
>>> > Hi
>>> >
>>> > I am trying to hack squidguard to allow me to redirect users
attempts to connect to blocked https enabled sites.
>>> >
>>> > Some sites are allowed and the bulk are not. Currently I can see
the Connect details being handed to SG for processing and if I change
this to return a redirect to make it point to a different server
>>> > it breaks and gives me an SSL error (as would be expected)
>>>
>>> indeed, "as expected"...
>>> The HTTP protocol supports redirection of a URL by sending a
30x status code back to the browser.
>>> HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is
inside the channel and
>>> is explicitly designed not to be tampered with. So redirecting a
channel to another website
>>> will always cause a certificate error, unless ...
>>> 1) one uses ssl-bump
>>> 2) installs the Squid fake CA certificate in all browsers
>>> 3) one has a policy for the other protocols (e.g. Skype) that use
CONNECT
>>>
>>> > Is there a way I can get this redirection call to squidguard
to happen earlier in squid before it gets this far down the CONNECT
process? Or is there something that I can return from Squidguard that
>>> > would make this work? I notice that the connect attempts are
always just the IP address, so something earlier in the processing is
doing a reverse DNS lookup, is this the browser or Squid, and if so
>>> > can I get in earlier during the process?
>>>
>>> The above implies that you use Squid in interception mode where it
initially can only see the IP address of the server.
>>> In ssl-bump mode, Squid can peek in step1 and find the SNI of the
server (a.k.a the FQDN) and then the SNI/FQDN can be used in ACLs inside
Squid and any URL redirector that can cope with the SNI
>>> parameter. Squidguard cannot, the latest ufdbGuard 1.31 cannot, but
ufdbGuard 1.32 _can_ and will be released in February.
>>>
>>> Marcus
>>>
>>> >
>>> > I want to maintain the various lists in just squidguard and not
put in ACLs in squid.conf
>>> >
>>> > thanks
>>> >
>>> > Darren B.
>>
>>
>>




Re: [squid-users] URL Rewrite for https via Squidguard

2016-01-09 Thread Marcus Kool



On 01/09/2016 09:49 AM, Darren wrote:

Hi

Thanks Marcus

I have been hacking my own branch of Squidguard so I can add support for the 
SNI (I hope)

How would I get the peek SNI output to the url_rewriter?


using  url_rewrite_extras


I am a bit of a peek newcomer.

Sounds like there is some hope and a possible way forward.

regards

Darren B.









On 9/01/2016 5:46:36 PM, Marcus Kool  wrote:



On 01/09/2016 05:07 AM, Darren wrote:
> Hi
>
> I am trying to hack squidguard to allow me to redirect users attempts to 
connect to blocked https enabled sites.
>
> Some sites are allowed and the bulk are not. Currently I can see the Connect 
details being handed to SG for processing and if I change this to return a 
redirect to make it point to a different server
> it breaks and gives me an SSL error (as would be expected)

indeed, "as expected"...
The HTTP protocol supports redirection of a URL by sending a 30x status
code back to the browser.
HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is inside the
channel and
is explicitly designed not to be tampered with. So redirecting a channel to
another website
will always cause a certificate error, unless ...
1) one uses ssl-bump
2) installs the Squid fake CA certificate in all browsers
3) one has a policy for the other protocols (e.g. Skype) that use CONNECT

> Is there a way I can get this redirection call to squidguard to happen earlier
in squid before it gets this far down the CONNECT process? Or is there something
that I can return from Squidguard that
> would make this work? I notice that the connect attempts are always just the
IP address, so something earlier in the processing is doing a reverse DNS lookup,
is this the browser or Squid, and if so
> can I get in earlier during the process?

The above implies that you use Squid in interception mode where it initially 
can only see the IP address of the server.
In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a 
the FQDN) and then the SNI/FQDN can be used in ACLs inside Squid and any URL 
redirector that can cope with the SNI
parameter. Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 
1.32 _can_ and will be released in February.

Marcus

>
> I want to maintain the various lists in just squidguard and not put in ACLs 
in squid.conf
>
> thanks
>
> Darren B.





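A url_rewrite_program helper that takes the SNI from url_rewrite_extras, as Marcus suggests, and applies the three conditions from the earlier reply. This is an added example, not squidGuard or ufdbGuard code. It assumes squid.conf passes the SNI as an extra, for instance `url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp sni=%ssl::>sni"` (the `%ssl::>sni` format code is assumed available in this Squid version), and it uses the Squid 3.4+ helper reply format (OK, ERR, OK status=30N url="..."). For a CONNECT the helper leaves the request alone, because a 30x sent where the client expects the origin's TLS handshake is exactly the certificate error described; once a session is bumped, the decrypted GET https://... passes through the helper with its real URL and a 302 to the block page is delivered inside the trusted (fake-CA) session. The block list, block page and sample request lines are constructed.

```python
"""SNI-aware url_rewrite_program helper. Added example; policy and inputs are constructed."""
import sys
from urllib.parse import urlsplit

BLOCKED = {"blocked.example", "ads.example"}          # constructed block list
BLOCK_PAGE = "http://blockpage.corp.example/denied"  # constructed block page


def parse_line(line):
    """Split one helper input line: [channel-id] URL client/fqdn ident method key=value..."""
    tokens = line.strip().split()
    channel = tokens.pop(0) if tokens and tokens[0].isdigit() else None   # concurrency channel
    url = tokens.pop(0)
    positional = [t for t in tokens if "=" not in t]                        # %>a/%>A %un %>rm
    extras = dict(t.split("=", 1) for t in tokens if "=" in t)
    method = positional[2] if len(positional) > 2 else "-"
    return channel, url, method, extras


def host_of(url):
    """Hostname of a full URL, or the host part of a CONNECT host:port target."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].strip("[]").lower()


def decide(url, method, extras):
    """Return the helper reply for one request."""
    sni = extras.get("sni", "-")
    name = sni.lower() if sni not in ("", "-") else host_of(url)   # intercepted CONNECT shows only an IP
    if name not in BLOCKED:
        return "OK"                                   # no change
    if method == "CONNECT":
        # Cannot redirect a CONNECT without breaking TLS; denial for un-bumped
        # traffic has to come from http_access / ssl_bump terminate instead.
        return "OK"
    return 'OK status=302 url="%s"' % BLOCK_PAGE      # inside a bumped session this reaches the browser


def handle_line(line):
    channel, url, method, extras = parse_line(line)
    answer = decide(url, method, extras)
    return "%s %s" % (channel, answer) if channel is not None else answer


def main():
    for line in sys.stdin:                            # one request per line
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()                            # Squid blocks until the reply arrives


if __name__ == "__main__":
    main()
```

Wire it in with url_rewrite_program pointing at the script; if url_rewrite_children is configured with concurrency=, the leading channel-ID is echoed back as above. Note that the helper only ever sees the SNI after the peek at step1, so the CONNECT line for a purely intercepted, non-bumped client still carries just the IP, which is the 3.5 behaviour Yuri points out.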


Re: [squid-users] URL Rewrite for https via Squidguard

2016-01-09 Thread Yuri Voinov



09.01.16 15:45, Marcus Kool wrote:
>
>
> On 01/09/2016 05:07 AM, Darren wrote:
>> Hi
>>
>> I am trying to hack squidguard to allow me to redirect users attempts
to connect to blocked https enabled sites.
>>
>> Some sites are allowed and the bulk are not. Currently I can see the
Connect details being handed to SG for processing and if I change this
to return a redirect to make it point to a different server
>> it breaks and gives me an SSL error (as would be expected)
>
> indeed, "as expected"...
> The HTTP protocol supports redirection of a URL by sending a
30x status code back to the browser.
> HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is
inside the channel and
> is explicitly designed not to be tampered with. So redirecting a
channel to another website
> will always cause a certificate error, unless ...
>1) one uses ssl-bump
>2) installs the Squid fake CA certificate in all browsers
>3) one has a policy for the other protocols (e.g. Skype) that use
CONNECT
>
>> Is there a way I can get this redirection call to squidguard to happen
earlier in squid before it gets this far down the CONNECT process? Or is
there something that I can return from Squidguard that
>> would make this work? I notice that the connect attempts are always
just the IP address, so something earlier in the processing is doing a
reverse DNS lookup, is this the browser or Squid, and if so
>> can I get in earlier during the process?
>
> The above implies that you use Squid in interception mode where it
initially can only see the IP address of the server.
Note: Squid 3.5 only sees the IP initially; 3.4 knows the full FQDN. Note this.
You deal not only with 3.5 and above, but with _many_ 3.4.x installations.
> In ssl-bump mode, Squid can peek in step1 and find the SNI of the server 
> (a.k.a the FQDN) and then
the SNI/FQDN can be used in ACLs inside Squid and any URL redirector
that can cope with the SNI parameter.  Squidguard cannot, the latest
ufdbGuard 1.31 cannot, but ufdbGuard 1.32 _can_ and will be released in
February.
>
> Marcus
>
>>
>> I want to maintain the various lists in just squidguard and not put
in ACLs in squid.conf
>>
>> thanks
>>
>> Darren B.




Re: [squid-users] URL Rewrite for https via Squidguard

2016-01-09 Thread Darren
Hi

Thanks Marcus

I have been hacking my own branch of Squidguard so I can add support for the 
SNI (I hope)

How would I get the peek SNI output to the url_rewriter?

I am a bit of a peek newcomer.

Sounds like there is some hope and a possible way forward.

regards

Darren B.






On 9/01/2016 5:46:36 PM, Marcus Kool  wrote:


On 01/09/2016 05:07 AM, Darren wrote:
> Hi
>
> I am trying to hack squidguard to allow me to redirect users attempts to 
> connect to blocked https enabled sites.
>
> Some sites are allowed and the bulk are not. Currently I can see the Connect 
> details being handed to SG for processing and if I change this to return a 
> redirect to make it point to a different server
> it breaks and gives me an SSL error (as would be expected)

indeed, "as expected"...
The HTTP protocol supports redirection of a URL by sending a 30x status
code back to the browser.
HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is inside the
channel and
is explicitly designed not to be tampered with. So redirecting a channel to
another website
will always cause a certificate error, unless ...
1) one uses ssl-bump
2) installs the Squid fake CA certificate in all browsers
3) one has a policy for the other protocols (e.g. Skype) that use CONNECT

> Is there a way I can get this redirection call to squidguard to happen earlier
> in squid before it gets this far down the CONNECT process? Or is there
> something that I can return from Squidguard that
> would make this work? I notice that the connect attempts are always just the
> IP address, so something earlier in the processing is doing a reverse DNS
> lookup, is this the browser or Squid, and if so
> can I get in earlier during the process?

The above implies that you use Squid in interception mode where it initially 
can only see the IP address of the server.
In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a 
the FQDN) and then the SNI/FQDN can be used in ACLs inside Squid and any URL 
redirector that can cope with the SNI
parameter. Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 
1.32 _can_ and will be released in February.

Marcus

>
> I want to maintain the various lists in just squidguard and not put in ACLs 
> in squid.conf
>
> thanks
>
> Darren B.


Re: [squid-users] URL Rewrite for https via Squidguard

2016-01-09 Thread Marcus Kool



On 01/09/2016 05:07 AM, Darren wrote:

Hi

I am trying to hack squidguard to allow me to redirect users attempts to 
connect to blocked https enabled sites.

Some sites are allowed and the bulk are not. Currently I can see the Connect 
details being handed to SG for processing and if I change this to return a 
redirect to make it point to a different server
it breaks and gives me an SSL error (as would be expected)


indeed, "as expected"...
The HTTP protocol supports redirection of a URL by sending a 30x status
code back to the browser.
HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is inside the
channel and
is explicitly designed not to be tampered with. So redirecting a channel to
another website
will always cause a certificate error, unless ...
   1) one uses ssl-bump
   2) installs the Squid fake CA certificate in all browsers
   3) one has a policy for the other protocols (e.g. Skype) that use CONNECT


Is there a way I can get this redirection call to squidguard to happen earlier
in squid before it gets this far down the CONNECT process? Or is there
something that I can return from Squidguard that
would make this work? I notice that the connect attempts are always just the IP
address, so something earlier in the processing is doing a reverse DNS lookup,
is this the browser or Squid, and if so
can I get in earlier during the process?


The above implies that you use Squid in interception mode where it initially 
can only see the IP address of the server.
In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a the FQDN) and then the SNI/FQDN can be used in ACLs inside Squid and any URL redirector that can cope with the SNI 
parameter.  Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 1.32 _can_ and will be released in February.


Marcus



I want to maintain the various lists in just squidguard and not put in ACLs in 
squid.conf

thanks

Darren B.
