First, an introduction to blocking HTTPS:
HTTPS is a protocol that is designed to be non-interceptable, and if it is 
intercepted, the browser will notify the user about this interception.
This is very different from HTTP which can easily be intercepted and the 
interceptor can redirect a browser using a defined HTTP code for redirection.
So blocking HTTP sites is easy since the HTTP protocol supports redirection and because of the redirection feature, a blocked URL can be redirected to a human readable web page saying "site X is blocked since you have no access rights".

Blocking HTTPS by redirecting a browser request is not possible since HTTPS is 
encrypted.
To block such a request, squidGuard and ufdbGuard can only instruct Squid to 
replace the HTTPS URL with another HTTPS URL.
squidGuard, whose development stopped in 2010, does not support an HTTPS 
redirection URL and instead sends the redirection URL for HTTP.
ufdbGuard uses 2 redirection URLs: one for HTTP and one for HTTPS, so the 
blocked HTTPS-based URL is redirected to another HTTPS-based URL.
But the browser notes this and displays a warning, most likely that the 
certificate is wrong.
After accepting the warning, a human-readable message about access being 
denied, is displayed.

Squid's ssl-bump feature, if configured, changes the above.
ssl-bump intercepts HTTPS traffic but the browser detects this and warns about 
it.
To get rid of the warning permanently, one installs the certificate that Squid 
uses in the browser's certificate store.

Blocking HTTPS, however, remains a difficult issue.
For HTTPS websites, Squid sends to ufdbGuard/squidGuard first a CONNECT-URL and 
after that a GET-URL or POST-URL.
The CONNECT is not blockable in a sense that it can happen without browser warnings, so for a forbidden HTTPS site, the URL redirector must PASS the CONNECT-URL and wait for the GET/POST which it can block later.
This strategy works for regular HTTPS sites, where the site uses SSL-wrapped 
HTTP.
However, this strategy fails for all other sites that use different protocols, 
for example: chat, VPN, remote access software and SSH.
So for SSH, Squid only sends a CONNECT-URL to the URL redirector and it must 
decide whether to pass or allow on the CONNECT since there are no future 
GET/POST URLs that it may block.
This complicates things a lot.
The next version of ufdbGuard will have new features to attempt to get around 
these issues.

On 07/20/2015 06:36 PM, Stanford Prescott wrote:
This probably more rightly belongs in the ufdbGuard mailing list, but SF has 
been down for several days and I cannot post there. There is a bit of overlap 
with ssl_bump and ufdGuard with one of the
issues I am having. Maybe someone here who uses ufdbGuard or squidGuard could 
help me?

SF works now...

I am trying to replace our implementation of the old squidGuard with ufdbGuard 
on Smoothwall Express v3.1 firewall distro. I have gotten ufdbGuard running and 
filtering with Squid 3.5.5 using ssl_bump. My questions:

1. With ssl_bump and squidGuard I was able to use the urlfilter to block https sites 
like facebook.com. Allowed https sites would load in my 
browser without errors with ssl_bump
and squidGuard active. With ssl_bump and ufdbGuard it is a lot more 
complicated, it seems.

Are you saying that blocking https://www.example.com with ufdbGuard and 
ssl-bump works?
What is the redirection URL?

-With Squid+ssl_bump and ufdbGuard running I can access all HTTP sites without errors. I 
cannot access any HTTPS sites at all. I get "Untrusted connection" errors when 
trying to load any HTTPS site.

"*any* HTTPS site" ??
Awkward at least.  Can you send me your entire ufdbguardd.log and squid.conf ?  
NOT on this list.

-If I restart squid without ssl_bump and ufdbGuard still running, I can then 
access all HTTP and HTTPS sites and categories that I have blocked do get 
blocked, but only HTTP sites. All HTTPS sites
will load, but none get blocked that are supposed to be.

Again, awkward.  I have a suspicion that something is wrong in your 
configuration.

-If I then restart squid+ssl_bump (and ufdbGuard still running) I can now 
access all HTTP and HTTPS sites. Also, all HTTP and HTTPS sites that are 
supposed to be blocked by category, like porn for
instance, do get blocked like they are supposed to be. Except for domains in 
the alwaysdeny category (but that will be a question for another time).

Again, awkward...

-When ufdbGuard and squid+ssl_bump are started (in that order) I see processes 
running for squid, ssl_crtd, and ufdbguardd. I do not see any processes for 
squid_redirect and ufdbgclient. If I enter
and load a website and then check the processes running I then see 
squid_redirect and ufdbgclient. Is that supposed to happen like that?

Squid starts processes when it needs to and its behaviour is also controlled by 
the url_rewrite_children parameter.
If you have "url_rewrite_children 30 startup=3 idle=2 concurrency=2" you should 
see 3 processes after a fresh start.

I do not know "squid_redirect" processes.
What do you have configured for squid_redirect ?

2. I am using the Shalla blacklists for testing. I haven't been able to sign up for a 
URLfilterDB free trial because I only use yahoo.com and gmail.com for my
email. Plus, I don't want to pay for a subscription until I know I have this 
working. When I convert the Shalla blacklists to ufdb format using 
ufdbConvertDB, only the domains are converted to the
ufdb format (domains.ufdb). The urls files are not converted, even when using the 
"-u urls" switch.

A trial is free. You do not pay if the trial was unsatisfactory.
ufdbConvertDB converts the files 'domains' and the optional file 'urls' into 
'domains.ufdb'.  A 'urls.ufdb' file never exists since everything is in 
'domains.ufdb'.

I think that almost all items are related to ufdbGuard, so you can email the 
support desk of ufdbguard directly for assistance.
The support desk answers also those who use ufdbguard with a free database.

Marcus

My current ufdbGuard.conf file is attached.


_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
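Marcus's "pass the CONNECT, block the later GET/POST" strategy, sketched as a minimal Squid url_rewrite helper. This is an added illustration, not code from ufdbGuard, squidGuard or the thread; it assumes the Squid 3.4+ helper reply format, a concurrency greater than 0 (so each line carries a channel-ID), the default url_rewrite_extras, and invented domain and redirect values.

```python
import sys

# Constructed example values (not taken from the original message).
BLOCKED_DOMAINS = {"www.example.com", "example.com"}
HTTP_REDIRECT = "http://filter.internal/blocked.html"    # hypothetical
HTTPS_REDIRECT = "https://filter.internal/blocked.html"  # hypothetical


def domain_of(url):
    """Extract the host part of a URL.  CONNECT requests arrive without a
    scheme, as 'host:443', so the port is stripped as well."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].lower()


def decide(line):
    """Handle one Squid url_rewrite request line of the form
    'channel-ID URL client/fqdn ident method ...' and return the reply
    Squid expects ('channel-ID OK [kv-pairs]' / 'ERR' / 'BH')."""
    fields = line.split()
    if len(fields) < 5:
        return "BH"                     # malformed request line
    chan, url, _client, _ident, method = fields[:5]
    if method == "CONNECT":
        # Redirecting the CONNECT cannot be done without a browser warning:
        # let it pass and wait for the decrypted GET/POST that ssl-bump
        # hands us afterwards.  Without ssl-bump (or for SSH/VPN/chat over
        # CONNECT) no such request ever arrives, which is Marcus's point.
        return f"{chan} OK"
    if domain_of(url) in BLOCKED_DOMAINS:
        # Send HTTPS requests to an HTTPS page and HTTP to an HTTP page,
        # mirroring ufdbGuard's two redirection URLs.
        target = HTTPS_REDIRECT if url.startswith("https://") else HTTP_REDIRECT
        return f"{chan} OK status=302 url={target}"
    return f"{chan} OK"                 # allowed: leave the URL unchanged


if __name__ == "__main__":
    # Squid talks to the helper over stdin/stdout, one request per line.
    for request in sys.stdin:
        sys.stdout.write(decide(request.rstrip("\n")) + "\n")
        sys.stdout.flush()
```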
