Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-22 Thread luizcasey
Here is the config I am currently using based on your suggestion earlier. 
However it does not start. I have also added some questions to each for 
verification purposes to make sure I am understanding what is actually going on.

https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
http_port 3401 intercept

logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %

On Oct 21, 2015, at 8:16 PM, luizca...@gmail.com wrote:
> 
> Alex,
> So what do you recommend to do here? I just need a simple whitelist file for 
> both http/https. I have a config that works on 3.4 but would like to upgrade 
> to 3.5 and the current config we have won't cut it. Just need a simple if you 
> are in this list allow if not deny. No need for any ssl validation or 
> anything.
> 
>> On Oct 21, 2015, at 6:49 PM, Alex Rousskov wrote:
>> 
>>> On 10/21/2015 02:49 PM, Yuri Voinov wrote:
>>> 
>>> Working config snippet for 3.5.x looks like this:
>>> 
>>> ssl_bump peek get_sni_at_step1
>>> ssl_bump splice spliced_hosts
>>> ssl_bump bump net_bump
>> 
>> 
>> The above config leaves the following question unanswered:
>> 
>> Q: What happens if neither spliced_hosts nor net_bump match at bumping
>> step #2?
>> 
>> 
>> Leaving questions unanswered is a bad idea for ssl_bump rules because
>> defaults are complex (and used to be broken). To answer that question
>> (instead of forcing Squid to guess the answer), add a fourth catch-all
>> rule. For example, this is how the latest Squids would guess:
>> 
>> ssl_bump peek step1
>> ssl_bump splice spliced_hosts
>> ssl_bump bump net_bump
>> ssl_bump splice all
>> 
>> 
>> If spliced_hosts ACL negation works reliably, then the above is
>> equivalent to:
>> 
>> ssl_bump peek step1
>> ssl_bump bump !spliced_hosts net_bump
>> ssl_bump splice all
>> 
>> but I recommend avoiding ACL negation in the actual rules.
>> 
>> 
>> Finally, please make sure your http_access rules correctly handle
>> CONNECT requests (real for forwarded connections and fake ones for
>> intercepted connections). This may be difficult to do right now due to
>> bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340
>> 
>> 
>> HTH,
>> 
>> Alex.
>> P.S. I renamed get_sni_at_step1 to step1 in the above examples because
>> that ACL itself does not know anything about SNI and does not force
>> Squid to get SNI.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
I answered your questions below. However https traffic is still always being 
denied even though the site is on the allowed_list via nobumpSites.
I want to control http/https traffic using the “allowed_domains” list. This 
current configuration works for HTTP but not HTTPS traffic.

If there is an easier way to do this I am open to suggestions. This 
configuration minus the peek/splice part works fine in 3.4.2. Not sure what 
changed in 3.5 that causes this to fail.


> Date: Thu, 22 Oct 2015 00:59:36 +0600
> From: Yuri Voinov 
> To: squid-users@lists.squid-cache.org
> Subject: Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains issue
> Message-ID: <5627e098.1000...@gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> First, you should put your configurations in order.
> 
> 22.10.15 0:31, luizca...@gmail.com wrote:
>> Hello, 
>> So what I am trying to accomplish here is to basically have a
>> whitelist of domains that is allowed via http/https. If the UID is
>> squid, apache, or root then basically you will bypass squid and anything
>> is allowed. This was working well on 3.4.2 however once I moved to
>> 3.5.10 it no longer works properly. I also noticed that there are “new”
>> features peek, splice etc which is probably my issue since I was not using
>> them. I have tried several combinations and have only gotten it to work for
>> http traffic. All https traffic is currently being blocked by the
>> configuration. Below are my configurations. I don’t need to "inspect"
>> any of the traffic, just want to have a whitelist of allowed domains if
>> you are not UID squid, apache, or root via http/https. Any help would be
>> appreciated!!
>> 
>> 
>> # Squid.conf
>> 
>> sslproxy_cert_error allow all
> This setting is DANGEROUS. Don't use it in production. Completely.
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>> 
>> sslproxy_flags DONT_VERIFY_PEER
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
>> sslcrtd_children 50
>> 
>> https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
>> # HTTPS forward port
>> https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
> HTTPS forward port: is this an SSL Bumped port, or what? Where, in this
> case, is the ssl-bump directive? On the other hand, you don't need to use
> a cert/key for tunneling connections. This has been enabled by default for
> a long, long time.
>> 
>> 
>> http_port 3401 transparent
> This must be "intercept" instead of "transparent".
>> 
>> 
>> always_direct allow all
> ^^It's too much.
>> 
>> cache deny all
> Are you really sure you want to completely disable all caching?
>> 
>> cache_dir ufs /home/squid/cache 100 16 256
> Why, in this case, do you define an on-disk cache?
Removed
>> 
>> 
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
> This is completely unnecessary. You don't use it below.
Removed
>> 
>> 
>> acl http proto http
>> acl https proto https
> Why is it here?
To only allow http and https proto 
>> 
>> 
>> acl port_80 port 80
>> acl port_443 port 443
> Why is it here?
To only allow port 80 and 443 
>> 
>> 
>> http_access allow http port_80 nobumpSites
>> http_access allow https port_443 nobumpSites
> Why is it here?
To only allow access to nobumpSites on port 80 and 443 
>> 
>> 
>> http_access deny all
>> 
>> # allowed_domains
>> .cnn.com 
>> .google.com 
>> .facebook.com 
>> ….etc
> The order of ACLs and, even more, of access rules is important, just as in firewalls.
> What do you mean by "allowed_domains" and why is it here?
>> 
>> 
>> squid log
>> TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
>> TCP_MISS/200 593 GET http://www.cnn.com/
>> 
>> 
> 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
> 
> iQEcBAEBCAAGBQJWJ+CYAAoJENNXIZxhPexGZFEIAMBVhb1S3qScrRDYobIF3F85
> qwslUiWPNW+D6KB3nqPmI7/mcBttn0Oi3kEJhymXPVIU/uBy6JkubT/HvfGL/w5U
> BU6aA/6B+vm3HZ2PQ8jU7pZ5SwoswUkWXCZsapMypCEtUKswS7ohboBo0Rfga3Gg
> ABg34HuGoCHVjoKCfFQwz1lmKY64VcCbjuMY+CpzGcR5bmyRuaWhAIcQLePsQFbV
> MR4KfHP/5aSaDBR8zbsm74+RG4wyodA4WGQfNlBTY/bcH3RKeIX7e3b5oZeBRYhL
> 67NYBSFXtqaJsNZfUJwcWl6ZsnqQRtk/US2iO7DOCLVm1kXTjaaJWTB659xv+8M=
> =Q/qX
> -END PGP SIGNATURE-



Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
Could you suggest a configuration that you think should be working? I would 
like both HTTP/HTTPS domains whitelisted via file, all other domains blocked. 
What am I missing? My assumption here is the acl nobumpSites ssl::server_name 
"/etc/squid/git_allowed_domains/allowed_domains" part is not working for https 
but does work for http.

LOG
21/Oct/2015:16:24:45 -0400.062 28 X.X.X.X TCP_MISS/200 907 HEAD http://www.cnn.com/ - ORIGINAL_DST/23.235.39.73 text/html
21/Oct/2015:16:25:12 -0400.515  0 X.X.X.X TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html

/etc/squid/git_allowed_domains/allowed_domains
.facebook.com
.cnn.com

Squid.conf
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
sslcrtd_children 50

https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key
http_port 3401 intercept

logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %

ssl_bump peek step1 all
ssl_bump splice nobumpSites
ssl_bump bump

acl http proto http
acl https proto https
acl port_80 port 80
acl port_443 port 443

http_access allow http port_80 nobumpSites
http_access allow https port_443 nobumpSites

http_access deny all



Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
There really isn’t anything in there right now since I am testing.

/etc/squid/git_allowed_domains/allowed_domains
.facebook.com
.cnn.com


[squid-users] Squid 3.5.10 SSL Bump whitelist domains issue

2015-10-21 Thread luizcasey
Hello, 
So what I am trying to accomplish here is to basically have a whitelist of 
domains that is allowed via http/https. If the UID is squid, apache, or root 
then basically you will bypass squid and anything is allowed. This was working 
well on 3.4.2 however once I moved to 3.5.10 it no longer works properly. I 
also noticed that there are “new” features peek, splice etc which is probably my 
issue since I was not using them. I have tried several combinations and have only 
gotten it to work for http traffic. All https traffic is currently being 
blocked by the configuration. Below are my configurations. I don’t need to 
"inspect" any of the traffic, just want to have a whitelist of allowed domains 
if you are not UID squid, apache, or root via http/https. Any help would be 
appreciated!!


# IPTABLES
$iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target          prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target          prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target          prot opt source               destination
natoutlogaccept tcp  --  anywhere             anywhere             multiport dports http,https owner UID match squid
natoutlogaccept tcp  --  anywhere             anywhere             multiport dports http,https owner UID match apache
natoutlogaccept tcp  --  anywhere             anywhere             multiport dports http,https owner UID match root
REDIRECT        tcp  --  anywhere             anywhere             tcp dpt:http redir ports 3401
REDIRECT        tcp  --  anywhere             anywhere             tcp dpt:https redir ports 4827

Chain natoutlogaccept (3 references)
target          prot opt source               destination
LOG             all  --  anywhere             anywhere             LOG level debug prefix `nat out iptables accept '
ACCEPT          all  --  anywhere             anywhere


# Squid.conf

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
sslcrtd_children 50

https_port 4827 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.aarp.org.crt key=/etc/squid/certs/squid.key
# HTTPS forward port
https_port 127.0.0.1:6887 cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key

http_port 3401 transparent
# HTTP forward port
http_port 127.0.0.1:6886

logformat squid %tl.%03tu %6tr %>a %Ss/%03Hs %

# allowed_domains
.cnn.com 
.google.com 
.facebook.com 
….etc 

squid log
TAG_NONE/403 350 HEAD https://www.facebook.com/ - HIER_NONE/- text/html
TCP_MISS/200 593 GET http://www.cnn.com/


Re: [squid-users] Squid 3.5.10 SSL Bump whitelist domains

2015-10-21 Thread luizcasey
Alex,
So what do you recommend to do here? I just need a simple whitelist file for 
both http/https. I have a config that works on 3.4 but would like to upgrade to 
3.5 and the current config we have won't cut it. Just need a simple if you are 
in this list allow if not deny. No need for any ssl validation or anything.

> On Oct 21, 2015, at 6:49 PM, Alex Rousskov wrote:
> 
>> On 10/21/2015 02:49 PM, Yuri Voinov wrote:
>> 
>> Working config snippet for 3.5.x looks like this:
>> 
>> ssl_bump peek get_sni_at_step1
>> ssl_bump splice spliced_hosts
>> ssl_bump bump net_bump
> 
> 
> The above config leaves the following question unanswered:
> 
> Q: What happens if neither spliced_hosts nor net_bump match at bumping
> step #2?
> 
> 
> Leaving questions unanswered is a bad idea for ssl_bump rules because
> defaults are complex (and used to be broken). To answer that question
> (instead of forcing Squid to guess the answer), add a fourth catch-all
> rule. For example, this is how the latest Squids would guess:
> 
>  ssl_bump peek step1
>  ssl_bump splice spliced_hosts
>  ssl_bump bump net_bump
>  ssl_bump splice all
> 
> 
> If spliced_hosts ACL negation works reliably, then the above is
> equivalent to:
> 
>  ssl_bump peek step1
>  ssl_bump bump !spliced_hosts net_bump
>  ssl_bump splice all
> 
> but I recommend avoiding ACL negation in the actual rules.
> 
> 
> Finally, please make sure your http_access rules correctly handle
> CONNECT requests (real for forwarded connections and fake ones for
> intercepted connections). This may be difficult to do right now due to
> bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340
> 
> 
> HTH,
> 
> Alex.
> P.S. I renamed get_sni_at_step1 to step1 in the above examples because
> that ACL itself does not know anything about SNI and does not force
> Squid to get SNI.
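The advice in this thread (Alex's explicit catch-all rule and the reminder that http_access also sees the fake CONNECT of every intercepted TLS connection; Yuri's point that ACL definitions and rule order matter) fits together as one whitelist-only squid.conf fragment. The fragment below is an added example, not a configuration posted in the thread or shipped by the Squid project. It reuses the poster's intercept ports, certificate paths and whitelist file as given in the thread, and it assumes a port name of its own choosing, https_intercept, so that a myportname ACL can single out the intercepted TLS port. The name-based allow/deny for TLS is made in the ssl_bump rules, where the SNI is known after the peek, rather than in http_access, where at step 1 only the destination IP address is available.

```conf
# Added example: Squid 3.5 whitelist for intercepted HTTP and HTTPS.
# Taken from the thread: ports 3401/4827, certificate paths, the whitelist
# file (one ".domain" per line). Assumed here: the port name https_intercept.

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /home/squid/ssl_db -M 4MB
sslcrtd_children 50

http_port  3401 intercept
https_port 4827 intercept ssl-bump name=https_intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid.crt key=/etc/squid/certs/squid.key

# ACLs are defined before any rule that uses them.
acl step1           at_step SslBump1
acl CONNECT         method CONNECT
acl https_intercept myportname https_intercept
acl Safe_ports      port 80 443
# dstdomain is matched against plain HTTP requests; ssl::server_name
# against the name learned for a TLS connection (the SNI, once peeked).
acl allowed_domains dstdomain        "/etc/squid/git_allowed_domains/allowed_domains"
acl allowed_sni     ssl::server_name "/etc/squid/git_allowed_domains/allowed_domains"

# Every intercepted TLS connection gets an explicit answer:
#   step 1: peek, which reads the ClientHello (and its SNI) without bumping;
#   step 2: splice listed names; the catch-all closes everything else
#           instead of leaving the decision to Squid's defaults.
ssl_bump peek      step1
ssl_bump splice    allowed_sni
ssl_bump terminate all

# http_access order matters: the first matching rule wins.
http_access deny  !Safe_ports
# Let the fake CONNECT of an intercepted TLS connection reach the ssl_bump
# rules. At step 1 only the destination IP is known, so a server-name
# check here would never match; the name check lives in ssl_bump above.
http_access allow CONNECT https_intercept
# Plain HTTP (and any real, forwarded CONNECT) is limited to the list.
http_access allow allowed_domains
http_access deny  all
```

With this layout a listed name such as www.facebook.com is peeked at step 1, matched by allowed_sni at step 2 and spliced untouched, while an unlisted name is terminated, so the TAG_NONE/403 seen in the poster's log for a listed site should no longer occur. Two caveats: terminate closes the TCP connection, so the browser shows a connection error rather than a Squid error page (serving a page would require bumping, which brings back the certificate warning the poster wants to avoid); and, as Alex notes, how http_access is applied to fake CONNECT requests in 3.5.10 is subject to bug 4340, so the behaviour of the CONNECT rule should be confirmed against the running version with a listed and an unlisted HTTPS site before the configuration is relied on.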