Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-19 Thread Julian Perconti
I reply to myself due to a bounce; I have to re-enable my membership to the
list at least 3 times a month.
Maybe a problem with Yahoo.

>>> Alex: After a splice rule is applied, SslBump is over. No more rules are
>>> checked. No more loops are iterated. Squid simply "exits" the SslBump
>>> feature (and becomes a TCP tunnel).

OK, that is what makes me a noise, and therefore I asked about what you said.

>> What about the meaning of the ACL's at step1 when splice?
>
>* If the splice rule ACLs match, the splice rule is applied. In that
>case you can consult my statement above.
>
>* If the splice rule ACLs do not match, then the splice rule is not
>applied. My statement above explicitly does not cover this case -- it
>starts with "after a splice rule is APPLIED".
>
>
>> e.g.:
>> There only these two rules for ssl_bump statements:
>>
>> ssl_bump splice sitesAB
>> ssl_bump splice SitesCD
>
>> I guess that here, Squid has to do 2 loops at outer/main loop to
>> evaluate step1 twice, due to rules differs (sitesAB and sitesCD ACL)
>> and see if both match to splice.

I think that I made a mistake in the above sentence.
I should have said "(..) Squid has to do 2 loops at the inner loop while it is at the
main loop (at SslBump1)"

>I do not know why you are guessing instead of carefully applying the
>already documented procedure, but you guessed wrong. At any step, the
>first matching rule is applied. For example, if sitesAB matches, then
>Squid splices without checking the second (i.e. SitesCD) rule.

Well, I am guessing because many things are not completely clear to me and/or
easy to understand, at all. I am new to TLS filtering.
For example, I would never have thought that in the given example the second rule
(sitesCD) will never be checked later.
I asked or wrote that example with the inner loop in mind; I'm sorry.

>> Are You (perhaps) talking about the examples in the thread and not what 
>> happens "in general"?
>
>My statements above are general except the "For example..." sentence
>that refers to your specific example.

It's good to know.

>> In which case the "noBumpSites" ACL could have not match? I mean if I
>> tell a Squid: "splice at step1 this.site.net" How that matches can
>> fail?
>
>Roughly speaking, the server_name ACL matches at step1 when the real or
>fake CONNECT Host information matches one of the configured server names.
>
>For example, if you are intercepting or if the real CONNECT request
>contains an IP address (rather than a host name), then the server_name
>ACL matches if the reverse DNS lookup for that IP address is successful
>and matches at least one of the configured server names. In other cases,
>the ACL does not match during step1.
>
>The reality is more complex than the above rough summary because domain
>name comparison is a complex algorithm. Consult the latest Squid
>documentation for details. Also, please do not forget that step2
>matching adds checking TLS client SNI name, and step3 matching adds
>checking certificate Subject names. It gets really complex...
>
>For example, the Host header of a CONNECT request may not be the same as
>the TLS client-supplied SNI name, and/or the server certificate subject
>name may. These differences (and other random factors like DNS
>inconsistencies) may result in the server_name ACL match result changes
>across the steps.
>
>Modern Squids have additional server_name options that control some of
>the matching nuances discussed above.

That's what I imagined you meant (and worried about too), without any kind of
knowledge. And now you have just confirmed it.
So things become a little more delicate.
And *now* I understand why you put so much emphasis on saying: "If the rule
match..."

>Alex.

Thank You.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-19 Thread Alex Rousskov
On 09/19/2018 10:23 AM, Julian Perconti wrote:
>> Alex: After a splice rule is applied, SslBump is over. No more rules are
>> checked. No more loops are iterated. Squid simply "exits" the SslBump
>> feature (and becomes a TCP tunnel).

> What about the meaning of the ACL's at step1 when splice?

* If the splice rule ACLs match, the splice rule is applied. In that
case you can consult my statement above.

* If the splice rule ACLs do not match, then the splice rule is not
applied. My statement above explicitly does not cover this case -- it
starts with "after a splice rule is APPLIED".


> e.g.:
> There only these two rules for ssl_bump statements:
> 
> ssl_bump splice sitesAB
> ssl_bump splice SitesCD

> I guess that here, Squid has to do 2 loops at outer/main loop to
> evaluate step1 twice, due to rules differs (sitesAB and sitesCD ACL)
> and see if both match to splice.

I do not know why you are guessing instead of carefully applying the
already documented procedure, but you guessed wrong. At any step, the
first matching rule is applied. For example, if sitesAB matches, then
Squid splices without checking the second (i.e. SitesCD) rule.

N.B. I removed the (misplaced) "step1" ACLs from the above example. That
ACL does not affect the above discussion.


> Are You (perhaps) talking about the examples in the thread and not what 
> happens "in general"?

My statements above are general except the "For example..." sentence
that refers to your specific example.


> In which case the "noBumpSites" ACL could have not match? I mean if I
> tell a Squid: "splice at step1 this.site.net" How that matches can
> fail?

Roughly speaking, the server_name ACL matches at step1 when the real or
fake CONNECT Host information matches one of the configured server names.

For example, if you are intercepting or if the real CONNECT request
contains an IP address (rather than a host name), then the server_name
ACL matches if the reverse DNS lookup for that IP address is successful
and matches at least one of the configured server names. In other cases,
the ACL does not match during step1.

The reality is more complex than the above rough summary because domain
name comparison is a complex algorithm. Consult the latest Squid
documentation for details. Also, please do not forget that step2
matching adds checking TLS client SNI name, and step3 matching adds
checking certificate Subject names. It gets really complex...

For example, the Host header of a CONNECT request may not be the same as
the TLS client-supplied SNI name, and/or the server certificate subject
name may. These differences (and other random factors like DNS
inconsistencies) may result in the server_name ACL match result changes
across the steps.

Modern Squids have additional server_name options that control some of
the matching nuances discussed above.


Alex.


[squid-users] Any suggestions or comments about my configuration? squid 3.5.20

2018-09-19 Thread Service MV
Dear Ones, the more I use Squid the more I realize how powerful it is.
And like all powerful software it can be complex at first.
I would like to share my settings and, if possible, listen to (read, actually)
your comments and suggestions.
My goals of using squid:
- Transparent authentication of my AD users (2012R2)
- Internet access rules based on users belonging to AD groups.
- Non-authenticated clients (Win PCs) cannot navigate through the proxy.
- Clients (Win PCs) not belonging to an AD group allowed in squid cannot
navigate through the proxy.

My test scenario:
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is attached to my domain W2012R2 (following this post
https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
to achieve kerberos authentication transparent to the user. SElinux
disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20 installed and working great with kerberos, NTLM and basic
authentication.

squid.conf
### negotiate kerberos & ntlm authentication
auth_param negotiate program /usr/sbin/negotiate_wrapper --ntlm
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos
/usr/lib64/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on

### standard allowed ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

### destination domains to be blocked in a HTTP access control
acl LS_malicius dstdomain -i "/etc/squid/DBL/malicius/malicius.txt"
acl LS_remotecontrol dstdomain -i "/etc/squid/DBL/remotecontrol/remotecontrol.txt"

### LDAP group membership sources
# WEB_ACCESS_1
external_acl_type AD_WEB_ACCESS_1 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=USERS,DC=netgol,DC=local -D ldap -W "/etc/squid/ldap_pass.txt" -f (&(sAMAccountName=%u)(memberOf=cn=WEB_ACCESS_1,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local)) -h s-dc1.netgol.local -p 3268
acl WEB_ACCESS_1 external AD_WEB_ACCESS_1 web-access-1

# WEB_ACCESS_2
external_acl_type AD_WEB_ACCESS_2 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=USERS,DC=netgol,DC=local -D ldap -W "/etc/squid/ldap_pass.txt" -f (&(sAMAccountName=%u)(memberOf=cn=WEB_ACCESS_2,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local)) -h s-dc1.netgol.local -p 3268
acl WEB_ACCESS_2 external AD_WEB_ACCESS_2 web-access-2

# WEB_ACCESS_3
external_acl_type AD_WEB_ACCESS_3 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=USERS,DC=netgol,DC=local -D ldap -W "/etc/squid/ldap_pass.txt" -f (&(sAMAccountName=%u)(memberOf=cn=WEB_ACCESS_3,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local)) -h s-dc1.netgol.local -p 3268
acl WEB_ACCESS_3 external AD_WEB_ACCESS_3 web-access-3

### HTTP access control policies
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny WEB_ACCESS_1 LS_malicius
http_access deny WEB_ACCESS_2 LS_malicius
http_access deny WEB_ACCESS_3 LS_malicius
http_access deny WEB_ACCESS_1 LS_remotecontrol
http_access deny WEB_ACCESS_2 LS_remotecontrol
http_access allow WEB_ACCESS_1
http_access allow WEB_ACCESS_2
http_access allow WEB_ACCESS_3
http_access allow localhost
http_access deny all

### personalization ###
http_port 8080
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .  0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
read_timeout 5 minutes
request_timeout 3 minutes
half_closed_clients off
shutdown_lifetime 15 seconds
log_icp_queries off
dns_v4_first on
ipcache_size 2048
ipcache_low 90
fqdncache_size 4096
forwarded_for off
cache_mgr sys...@netgol.net
visible_hostname proxy.netgol.local
httpd_suppress_version_string on
uri_whitespace strip
logfile_rotate 7
debug_options rotate=7


Any suggestion or comment will be very useful to me and I thank you in
advance.
Best regards

Gabriel


Re: [squid-users] Help: squid restarts and squidGuard die

2018-09-19 Thread Donald Muller
Amos,

So instead of using squidguard are you saying you should use something like
the following?

acl ads dstdomain -i "/etc/squid/squid-ads.acl"
acl adult dstdomain -i "/etc/squid/squid-adult.acl"

http_access deny ads
http_access deny adult

Do the lists need to be sorted in alphabetical order?

Don

> -Original Message-
> From: squid-users  On Behalf
> Of Amos Jeffries
> Sent: Tuesday, September 18, 2018 10:04 PM
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Help: squid restarts and squidGuard die
> 
> On 19/09/18 1:54 AM, neok wrote:
> > Thank you very much Amos for putting me in the right direction.
> > I successfully carried out the modifications you indicated to me.
> > Regarding ufdbGuard, if I understood correctly, what you recommend is
> > to use the ufdbConvertDB tool to convert my blacklists in plain text
> > to the ufdbGuard database format? And then use that/those databases in
> > normal squid ACL's?
> 
> No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
> replacement which works better while you improve your config.
> 
> You should work towards less complexity. Squid / squid.conf is where HTTP
> access control takes place. The helper is about re-writing the URL
> (only) - which is a complex and destructive process.
> 
> Amos
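Both Gabriel's configuration earlier in this digest (dstdomain ACLs read from files under /etc/squid/DBL) and Don's question above about plain dstdomain list files depend on how Squid reads such a list. The Python script below is an added example written for this page; it is not part of either message and not Squid code. It applies the dstdomain rules (a leading dot matches the domain and all of its subdomains, an entry without a dot matches exactly that host, comparison is case-insensitive) to check a list offline before Squid loads it. Squid itself ignores an entry that a dotted parent entry already covers and logs a warning about it, and the order of entries in the file does not matter to Squid, so the check is about tidiness and about catching entries that do not do what the author expected. The sample list is constructed.

```python
"""Offline hygiene check for Squid dstdomain list files.

Added example for this mailing-list page, not Squid code. It mimics how a
dstdomain list is interpreted: '.foo.example' matches foo.example and every
subdomain, 'foo.example' matches only that host, and an entry that a dotted
parent already covers (or that is listed twice) is redundant.
The sample list below is constructed, not one of the lists from the thread.
"""
from typing import List, Optional, Tuple

SAMPLE_LIST = """\
# constructed sample, not one of the lists from the thread
.ads.example
tracker.ads.example       # redundant: .ads.example already covers it
banner.example
Banner.Example            # duplicate once lowercased
.cdn.example
"""


def parse_list(text: str) -> List[str]:
    """One entry per line; '#' starts a comment; blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            entries.append(entry)
    return entries


def wildcard_covers(parent: str, entry: str) -> bool:
    """True when the dotted `parent` entry already matches everything `entry` matches."""
    if not parent.startswith("."):
        return False                       # an exact entry never covers another entry
    base = parent[1:]
    bare = entry[1:] if entry.startswith(".") else entry
    return bare == base or bare.endswith("." + base)


def normalize(entries: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split entries into (kept, dropped); dropped carries (entry, reason) pairs."""
    wildcards = sorted({e for e in entries if e.startswith(".")}, key=len)
    kept: List[str] = []
    dropped: List[Tuple[str, str]] = []
    seen = set()
    for entry in entries:
        if entry in seen:
            dropped.append((entry, "duplicate"))
            continue
        parent = next((w for w in wildcards if w != entry and wildcard_covers(w, entry)), None)
        if parent is not None:
            dropped.append((entry, f"subdomain of {parent}"))
            continue
        seen.add(entry)
        kept.append(entry)
    return kept, dropped


def matches(entries: List[str], host: str) -> Optional[str]:
    """Return the entry a destination host matches (dstdomain semantics), or None."""
    host = host.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            base = entry[1:]
            if host == base or host.endswith("." + base):
                return entry
        elif host == entry:
            return entry
    return None


if __name__ == "__main__":
    kept_entries, dropped_entries = normalize(parse_list(SAMPLE_LIST))
    for dropped_entry, reason in dropped_entries:
        print(f"dropped {dropped_entry}: {reason}")
    print("kept:", kept_entries)
    for test_host in ("www.ads.example", "banner.example", "www.banner.example"):
        print(f"{test_host} -> {matches(kept_entries, test_host)}")
```

Point the script at a real list (read the file into `parse_list`) to see which entries Squid will ignore and which hosts a given entry actually catches; the `www.banner.example` probe shows the common surprise that an entry without a leading dot does not block subdomains.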


Re: [squid-users] Help: squid restarts and squidGuard die

2018-09-19 Thread Marcus Kool



On 18/09/18 23:03, Amos Jeffries wrote:
> On 19/09/18 1:54 AM, neok wrote:
>> Thank you very much Amos for putting me in the right direction.
>> I successfully carried out the modifications you indicated to me.
>> Regarding ufdbGuard, if I understood correctly, what you recommend is to use
>> the ufdbConvertDB tool to convert my blacklists in plain text to the
>> ufdbGuard database format? And then use that/those databases in normal squid
>> ACL's?
>
> No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
> replacement which works better while you improve your config.
>
> You should work towards less complexity. Squid / squid.conf is where
> HTTP access control takes place. The helper is about re-writing the URL
> (only) - which is a complex and destructive process.


ufdbGuard is a simple tool that has the same syntax in its configuration file
as squidGuard has.
It is far from complex, has a great Reference Manual, example config file and a
responsive support desk.
Amos, I have never seen you calling a URL rewriter a complex and
destructive process.  What do you mean?

URL rewriters have been used for decades for HTTP access control but you state
"squid.conf is where HTTP access control takes place".
Are you saying that you want it to be the _only_ place for HTTP access control?

Marcus





Re: [squid-users] About SSL peek-n-splice/bump configurations

2018-09-19 Thread Julian Perconti
>After a splice rule is applied, SslBump is over. No more rules are
>checked. No more loops are iterated. Squid simply "exits" the SslBump
>feature (and becomes a TCP tunnel).

How is that? What about the meaning of the ACL's at step1 when splice?

e.g.:
There are only these two rules for ssl_bump statements:

ssl_bump step1 splice sitesAB
ssl_bump step1 splice SitesCD

I guess that here, Squid has to do 2 loops at the outer/main loop to evaluate step1
twice, due to the rules differing (sitesAB and sitesCD ACL), and see if both match to
splice.
Probably this example does not make sense: "Why not use just 1 ACL instead
of 2?" But it is an example to understand and fix ideas.

Are You (perhaps) talking about the examples in the thread and not what happens
"in general"?

> If noBumpSites matches at step2, then, yes, Squid will splice at step3 
> by default. Otherwise, no; Squid will bump at step3 by default.

[...]

You mentioned that explanation two times.
The question (maybe obvious) is: In which case could the "noBumpSites" ACL
not match? I mean if I tell Squid: "splice at step1 this.site.net", how can that
match fail?
Maybe you referred to the case where a site is just not listed in the ACL.

> >   ssl_bump splice noBumpSites # This line reaches a splice rule at step1
> >   ssl_bump stare
> 
> > Squid is telling to the client: "I will not touch any TLS byte. 
> > [...] I will do as many checks as possible then You will be connected..."
> 
> The configuration above does not match your summary because the 
> configuration has a "stare" action that may run at (step1 and) step2 
> (and, hence, a possibility of the bump action at step3). Staring at
> step2 and bumping (at any step) modify TLS bytes, of course.
> 
> Perhaps your summary only applies to the cases where noBumpSites 
> matches (either at step1 or at step2), but the summary did not make 
> that clear.

Here arises more or less the same doubt as above and the final one.

> There is a big difference between explaining Squid actions for a 
> particular transaction and summarizing what a particular configuration 
> means (for all transactions). Unless noted otherwise, I am focusing on the 
> latter.
> 
> AFAICT, the primary difference between
> 
>   ssl_bump peek noBumpSites
>   ssl_bump stare
> 
> and
> 
>   ssl_bump splice noBumpSites
>   ssl_bump stare
> 
> is that the former requires a noBumpSites match at step2 for the 
> connections to be spliced.

Yes. The condition you state is mandatory but, again: why could that requirement
fail/not match?

Thank You for the patience

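To make the rules discussed in this thread concrete, both Alex's points in his reply earlier in this digest (at any step the first matching ssl_bump rule is applied and the rest are never checked; once a splice rule is applied SslBump is over; server_name can match differently at step1, step2 and step3 because each step reveals more names) and the peek-versus-splice comparison quoted just above, here is a small Python model. It is an added illustration written for this page, not Squid's own code and not anything posted by the thread's participants. It assumes a simplified server_name ACL that sees the CONNECT host (or reverse-DNS name) at step1, additionally the SNI at step2 and the certificate Subject at step3; it takes splice as the documented default when no rule matches at step1 or step2; and at step3 it splices after a step2 peek and bumps after a step2 stare, as Alex describes. The ACL names and domains (sitesAB, SitesCD, noBumpSites, the *.example hosts) are constructed.

```python
"""Toy model of Squid's ssl_bump rule evaluation (added example, not Squid code).

It models only what the thread states: at each step the first matching rule is
applied and later rules are not checked; splice, bump and terminate end SslBump;
peek and stare continue to the next step; a server_name-style ACL sees the
CONNECT host at step1, the SNI from step2 and the certificate Subject from step3;
and at step3 Squid splices after a step2 peek and bumps after a step2 stare.
All ACL names, domains and sample connections below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    """The names a transaction reveals, step by step (None = not available)."""
    connect_host: Optional[str]            # step1: real or fake CONNECT Host (or rDNS name)
    sni: Optional[str] = None              # step2: TLS ClientHello server name
    cert_subject: Optional[str] = None     # step3: server certificate Subject


@dataclass(frozen=True)
class Rule:
    """One `ssl_bump <action> <acl>` line; acl=None plays the role of `all`."""
    action: str                            # splice | bump | peek | stare | terminate
    acl: Optional[FrozenSet[str]] = None


FINAL = {"splice", "bump", "terminate"}    # actions that end SslBump


def server_name_matches(names: FrozenSet[str], conn: Conn, step: int) -> bool:
    """Rough server_name model: the set of known names grows with the step."""
    known = [conn.connect_host]
    if step >= 2:
        known.append(conn.sni)
    if step >= 3:
        known.append(conn.cert_subject)
    return any(n is not None and n.lower() in names for n in known)


def evaluate(rules: List[Rule], conn: Conn) -> List[Tuple[int, str]]:
    """Return the (step, action) trace; the last entry is the final decision."""
    trace: List[Tuple[int, str]] = []
    prev: Optional[str] = None             # peek or stare chosen at the previous step
    for step in (1, 2, 3):
        action: Optional[str] = None
        for rule in rules:                 # first match wins; the rest are never checked
            if rule.acl is None or server_name_matches(rule.acl, conn, step):
                action = rule.action
                break
        if action is None and step < 3:
            action = "splice"              # assumed: documented default when no rule matches
        if step == 3 and action not in FINAL:
            # Only a final action is possible at step3: splice if step2 peeked,
            # bump if step2 stared (as stated in the thread).
            action = "splice" if prev == "peek" else "bump"
        trace.append((step, action))
        if action in FINAL:
            return trace                   # SslBump is over: TCP tunnel or decryption
        prev = action
    return trace


# Constructed ACLs and the three configurations discussed in the thread.
SITES_AB = frozenset({"a.example", "b.example"})
SITES_CD = frozenset({"c.example", "d.example"})
NO_BUMP = frozenset({"bank.example"})

SPLICE_ONLY = [Rule("splice", SITES_AB), Rule("splice", SITES_CD)]   # ssl_bump splice sitesAB / SitesCD
PEEK_THEN_STARE = [Rule("peek", NO_BUMP), Rule("stare")]             # ssl_bump peek noBumpSites / stare
SPLICE_THEN_STARE = [Rule("splice", NO_BUMP), Rule("stare")]         # ssl_bump splice noBumpSites / stare

# Intercepted connection to an IP with no reverse name: nothing for server_name
# to match at step1; the SNI only becomes visible at step2.
IP_ONLY_BANK = Conn(None, sni="bank.example", cert_subject="bank.example")

if __name__ == "__main__":
    for label, rules in (("splice-only", SPLICE_ONLY),
                         ("peek-then-stare", PEEK_THEN_STARE),
                         ("splice-then-stare", SPLICE_THEN_STARE)):
        for conn in (Conn("a.example"), Conn("z.example"), IP_ONLY_BANK):
            shown = conn.connect_host or conn.sni
            print(f"{label:18} {shown:14} -> {evaluate(rules, conn)}")
```

Running the script prints one trace per configuration and sample connection. With only the two splice rules every connection ends at step1, either through the first rule that matches or through the default, so the second rule is consulted only when the first did not match and never after a splice. The IP-only sample shows the case Julian asks about: with no name available at step1, `splice noBumpSites` does not match, the `stare` rule is applied instead, and the connection is still spliced at step2 once the SNI is visible; with the `peek` variant the same step2 match is what keeps the connection from being bumped at step3.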


Re: [squid-users] Squid Cache Server

2018-09-19 Thread Mujtaba Hassan Madani
Hi Amos,

 thanks for your concern, as I informed you I am looking to install Squid on an
Ubuntu Linux server for caching purposes; once I kick off I will notify you to
have your assistance.

regards


Mujtaba H,


From: squid-users  on behalf of Amos 
Jeffries 
Sent: Sunday, September 16, 2018 4:58:37 PM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid Cache Server

On 15/09/18 12:13 PM, Mujtaba Hassan Madani wrote:
> Hi Amos,
>
> you did not get back to me about my below concern
>

I responded to your concern about copyright.

I do not see anything else in your messages as expressing a concern to
be responded to.

Amos


> 
> *From:* Mujtaba Hassan Madani
> *Sent:* Thursday, September 13, 2018 5:36:48 PM
>
>
> Hi Amos,
>
> I am looking for building a Squid proxy server on Ubuntu for my LAN
> serving up to 25 PC's. I just want the maximum potential of the server
> capability to enhance the network performance and gain better users'
> expectation of the service.
>

> 
> *From:* Amos Jeffries
> *Sent:* Wednesday, September 12, 2018 2:54:37 PM
>
> On 13/09/18 2:16 AM, Mujtaba Hassan Madani wrote:
>> Dear Squid Team,
>>
>> how does a content provider prevent it from being cached while passing
>> through a squid proxy? Is it by a copyright law
>
> No. Contents which can be transferred through a proxy are implicitly
> licensed for re-distribution.
>
> Legal issues are usually encountered only around interception or
> modification of content.
>
>
>> or some  encryption is
>
> Sometimes.
>
>> implemented in the traffic ?
>
> and other features built into HTTP protocol.
>
>
>> and where can I find the contents that been
>> cached on my squid proxy ?
>>
>
> Depends on your config. Usually in the machine RAM.
>
> What are you looking for exactly? and why?
>



Re: [squid-users] Help: squid restarts and squidGuard die

2018-09-19 Thread Enrico Heine
Thank you for this information Amos! :) I had ufdbguard as a possible replacement
in my list; your info about it being a fork is the reason that I will switch
to it soon. Thanks :)

On 19 September 2018 04:03:39 MESZ, Amos Jeffries wrote:
>On 19/09/18 1:54 AM, neok wrote:
>> Thank you very much Amos for putting me in the right direction.
>> I successfully carried out the modifications you indicated to me.
>> Regarding ufdbGuard, if I understood correctly, what you recommend is
>to use
>> the ufdbConvertDB tool to convert my blacklists in plain text to the
>> ufdbGuard database format? And then use that/those databases in
>normal squid
>> ACL's?
>
>No, ufdbguard is a fork of SquidGuard that can be used as a drop-in
>replacement which works better while you improve your config.
>
>You should work towards less complexity. Squid / squid.conf is where
>HTTP access control takes place. The helper is about re-writing the URL
>(only) - which is a complex and destructive process.
>
>Amos

-- 
This message was sent from my Android device with K-9 Mail.


Re: [squid-users] TCP_MISS/502 - audio stream - none default http ports

2018-09-19 Thread Dörfler, Andreas
On Wednesday, 19.09.2018, 14:38 +1200, Amos Jeffries wrote:

> This statement is false, and very bad security practice. Squid handles
> HTTP-level access controls. Firewalls handle network-layer access
> control. Either way multiple layers of security that work together are
> better than one - in case that one is compromised.
> 
> Like the other default rules this "deny all" serves multiple purposes -
> along with the obvious access control to the network it is about denying
> "legitimate" clients trying to make Squid do extremely resource
> consuming things which are not permitted by your policy. Such as flood
> the internal network with Tbps of traffic, or port-scan services they
> are not normally allowed access to by the firewall.

hey amos,

thanks for your feedback, it's really appreciated.

i re-enabled deny all, even when i still don't see any benefit, because:
without giving away too much internals, in my case allow all is still
ok, only a very few subnets have a route to this system and the
firewalls are working on a combination of layer 3 and 5-7 and also
running ssl-inspection to this specific squid.

but you are right, every layer counts.

greetings,
andy

