On Mon, Apr 4, 2016 at 6:23 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
>>>> If I remove *all* the http_access lines, then the behavior appears
>>>> correct (from a "splicing/bumping" standpoint).
>>>
>>> Strange. Squid without any http_access lines should be denying traffic
>>> 100%.
>>>
>> I do not see this behavior. Traffic appears to be allowed, and bumped
>> (though with the wrong certificate, depending on the config, as explained
>> before).
>>
>> My apologies for trying to show only the relevant parts. Find below the
>> current config.
>> It appears to be bumping everything rather than splicing any of the config
>> (which may be due to the limitations documented on the wiki).
>>
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 443 # https
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> http_port 3129 intercept
>> https_port 8443 intercept ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=64MB \
>> cert=/etc/squid/ssl/proxy.pem \
>> key=/etc/squid/ssl/proxy.key \
>> cafile=/etc/squid/ssl/proxy.pem
>> always_direct allow all
>
> always_direct has not been necessary with SSL-Bump since the 3.1 series. You
> should remove it.
>
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> acl SniBypass ssl::server_name_regex \.slashdot\.org
>> acl SniBypass ssl::server_name_regex \.fsdn\.com

I have moved those "SniBypass" ACLs into a separate file and replaced this
with an include, as that list will end up growing.

>> acl http_bypass dstdomain .slashdot.org
>> acl http_bypass dstdomain .fsdn.com

and similarly here, replaced by an include...

>> acl https_bypass all-of CONNECT SniBypass
>
> This https_bypass ACL definition is a bit weird. It requires a single
> message to match both TLS and HTTP properties simultaneously.
> As you might imagine it is difficult for a TLS message to match HTTP
> properties, and vice versa. So it won't ever match.

I don't understand. SniBypass is based on ssl::server_name_regex, which
shouldn't apply to HTTP at all... Would that not be coming from the
(client|server)Hello?

> Note: SNI is *not* equivalent to Host or URL domain name. They can
> contain very different values. The only thing they have in common is
> that they both are supposed to point at the IP of the server being
> contacted.
>
>> acl http_ok all-of http_bypass Safe_ports
>> ssl_bump peek step1
>> ssl_bump splice SniBypass step2
>
> This splice will work if (and only if) the client sends TLS SNI values
> to Squid. It will ignore the server cert details.
>
> For clients which do not send SNI or for all connections where the SNI
> does not match your ACL the bump rule below will do client-first bumping
> (without the server cert).
>
>> ssl_bump bump all
>
> I suggest you try these ssl_bump rules instead:
> [snip]

OK

> [snip]
> Okay. That sort of matches your policy. Except that you are missing the
> security defaults. Those lines are carefully tuned for the specific
> behaviour to protect against security attacks:
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> .. and should be above your custom rules.

I added those at the top as requested...

>> cache allow all
>> cache deny all
>
> ... pick one.

Done; the deny one is the one left in there now.

>> shutdown_lifetime 3 seconds

For clarification, I also moved the two sets of ACLs into separate files, as
those will eventually be maintained externally (SniBypass and http_bypass).

The config file is now:

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_port 3128
http_port 3129 intercept
https_port 8443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB \
  cert=/etc/squid/ssl/proxy.pem \
  key=/etc/squid/ssl/proxy.key \
  cafile=/etc/squid/ssl/proxy.pem

workers 6
always_direct allow all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

include "/etc/squid/snibypass.acl"
include "/etc/squid/dstbypass.acl"

acl https_ok all-of CONNECT SniBypass
acl http_ok all-of http_bypass Safe_ports

ssl_bump splice SniBypass
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all

sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
sslproxy_cert_sign_hash sha256
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

http_access allow http_ok
http_access allow https_ok
http_access deny all

cache deny all
shutdown_lifetime 3 seconds

Note that with that config, the "http_access deny all" (a couple of lines
before the end) appears to deny the TLS/SSL connection before the ssl_bump
steps have a chance to match, so I get certs that are not mimicked (they have
CN=<ip>). If I remove all 3 http_access lines at the end, then the
splicing/bumping behavior appears to work as expected, but then I'm not
denying anything... That seems to confirm my suspicion that the access
control (http_access) applies too early for me to match anything related to
ssl::server_name or ssl::server_name_regex.

I keep thinking that what I'm missing is that the http_access applies too
early. I played with "terminate" instead of "bump" at the last ssl_bump
command, but I really need the error message. I keep wanting to have
something like this:

ssl_bump splice SniBypass
ssl_bump peek step1
ssl_bump stare step2
ssl_bump deny all

where the last one would effectively bump the connection and provide the
ERR_ACCESS_DENIED page.

Thank you so much for your help.

Jok
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
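Added example, not from the thread and not Squid's own code: a small Python simulation of Squid's first-match http_access evaluation, run over the posted config with the two include files expanded into the SniBypass and http_bypass ACLs described above. It assumes, as the poster suspects, that an intercepted TLS connection is first checked as a fake CONNECT at SslBump1 with only the destination port known (no SNI, no Host), and checked again at SslBump2 once the peeked ClientHello has supplied the SNI. The ACL types modelled (port, method, dstdomain, ssl::server_name_regex, at_step, all-of and the built-in all) are only the ones this config uses; the request contexts and the trimmed config text are constructed for the example.

```python
import re

# Constructed inline from the squid.conf posted above, with the two include
# files expanded into the SniBypass / http_bypass ACLs the poster described.
# Only the directives that affect http_access are kept.
SQUID_CONF = r"""
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl SniBypass ssl::server_name_regex \.slashdot\.org
acl SniBypass ssl::server_name_regex \.fsdn\.com
acl http_bypass dstdomain .slashdot.org
acl http_bypass dstdomain .fsdn.com
acl https_ok all-of CONNECT SniBypass
acl http_ok all-of http_bypass Safe_ports
http_access allow http_ok
http_access allow https_ok
http_access deny all
"""


def parse_conf(text):
    """Collect acl definitions (name -> list of (type, values)) and the
    ordered http_access lines. 'all' is Squid's built-in match-everything ACL."""
    acls = {"all": [("all", [])]}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def _port_in(port, spec):
    lo, _, hi = spec.partition("-")          # "443" or "1025-65535"
    return int(lo) <= port <= int(hi or lo)


def _domain_in(host, spec):
    # dstdomain: a leading dot matches the domain itself and any subdomain
    if spec.startswith("."):
        return host == spec[1:] or host.endswith(spec)
    return host == spec


def acl_matches(name, ctx, acls):
    """True if any line of the named ACL matches the request context.
    Properties not yet known at this step (sni/host None) never match; that is
    the modelling assumption for the fake CONNECT at SslBump1."""
    for kind, values in acls[name]:
        if kind == "all":
            return True
        if kind == "port" and any(_port_in(ctx["port"], v) for v in values):
            return True
        if kind == "method" and ctx["method"] in values:
            return True
        if kind == "at_step" and ctx["step"] in values:
            return True
        if kind == "dstdomain" and ctx["host"] and any(_domain_in(ctx["host"], v) for v in values):
            return True
        if kind == "ssl::server_name_regex" and ctx["sni"] and any(re.search(v, ctx["sni"]) for v in values):
            return True
        if kind == "all-of" and all(acl_matches(v, ctx, acls) for v in values):
            return True
    return False


def http_access(rules, ctx, acls):
    """Squid first-match evaluation: every ACL on a line must match (a leading
    '!' negates); the first matching line decides. If no line matches, the
    default is the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), ctx, acls) != t.startswith("!") for t in terms):
            return action, "http_access " + " ".join([action] + terms)
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), "default (opposite of last line)"


def intercepted_tls(step, sni=None):
    """Fake CONNECT for a connection intercepted on https_port ... ssl-bump.
    Assumption: at SslBump1 only the TCP destination port is known; after the
    peek at SslBump1, the ClientHello's SNI is available at SslBump2."""
    return {"method": "CONNECT", "port": 443, "step": step, "sni": sni, "host": None}


def plain_http(host, port=80):
    """A request intercepted on http_port 3129: Host and port are known."""
    return {"method": "GET", "port": port, "step": None, "sni": None, "host": host}


if __name__ == "__main__":
    acls, rules = parse_conf(SQUID_CONF)
    for label, ctx in [
        ("TLS, SslBump1, SNI unknown", intercepted_tls("SslBump1")),
        ("TLS, SslBump2, SNI www.slashdot.org", intercepted_tls("SslBump2", "www.slashdot.org")),
        ("TLS, SslBump2, SNI www.example.com", intercepted_tls("SslBump2", "www.example.com")),
        ("HTTP, Host www.slashdot.org", plain_http("www.slashdot.org")),
    ]:
        action, why = http_access(rules, ctx, acls)
        print(f"{label:40} -> {action:5} via {why}")
```

The trace names the http_access line that decided each case: under the stated assumption, the intercepted TLS connection at SslBump1 reaches "http_access deny all" because neither http_ok (no Host) nor https_ok (no SNI) can match yet, while the same connection at SslBump2 with an SNI in the bypass list is allowed by https_ok. Editing SQUID_CONF and re-running is a cheap way to check an alternative rule ordering before loading it into a real proxy.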