> No need to compile and build it for AWS:
> I already built it for both AWS 1 and 2:
> http://ngtech.co.il/repo/amzn/
>
> Can be downloaded and is tested to work very well on both OS.
>
> Eliezer

Thanks, looks really good! I guess those Amazon Linux 1 packages come from there: http://gogs.ngtech.co.il/NgTech-LTD/squid-amzn1-squid4-rpms ?

> The closest you are going to get to the above is with:
> * bump everything[1], and
> * use http_access to check the https:// URLs for your policy
> * use "deny_info TCP_RESET" [2] on the blocked requests.
>
> [1] some things literally cannot be bumped. So a decision needs to be
> made about what to do then.

All right, good point. I guess adding this second line will terminate those un-bumpable requests?

# --
ssl_bump bump all
ssl_bump terminate all
# --

> [2] a regular deny error page will work fine. This TCP_RESET is just
> closest to the "ssl_bump terminate" behaviour.
>
> Amos

This is perfect, thanks a lot. I leave my complete config for other users:

# --
# General
cache_effective_user squid
cache_effective_group squid
shutdown_lifetime 1 seconds
visible_hostname squid-something.unique

# Hide some revealing stuff
forwarded_for delete
# 'on' is the value that actually suppresses the Squid version string ('off' is the default)
httpd_suppress_version_string on
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
via off
global_internal_static off
cache deny all

# Tuning
max_filedesc 10000

# Security
http_access deny manager
host_verify_strict on
ignore_unknown_nameservers on
snmp_port 0
snmp_access deny all
icp_port 0
icp_access deny all
htcp_port 0
htcp_access deny all

http_port localhost:3128 # Squid default port

# Handling HTTPS requests
# Ciphers from https://wiki.mozilla.org/Security/Server_Side_TLS
https_port 8080 act-as-origin ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid.pem cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE intercept
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
# tls_outgoing_options cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 min-version=1.2 options=NO_SSLv3,SINGLE_DH_USE

acl TO_SSL port 443
acl LAN src 172.16.0.0/24
acl whitelist-regex url_regex -i ^https://thirdparty\.com/upload/stuff/$
acl CONNECT method CONNECT

deny_info TCP_RESET all
http_access allow LAN TO_SSL CONNECT
http_access allow LAN TO_SSL whitelist-regex
http_access deny all

# SSL bump
ssl_bump bump all
ssl_bump terminate all
# --

---- On Thu, 07 Feb 2019 01:46:23 +0100 Amos Jeffries <squ...@treenet.co.nz> wrote ----

> On 7/02/19 3:52 am, Paul Doignon wrote:
> > Thanks, I appreciate your detailed answer.
> >
> >
> > I'm struggling a lot to configure Squid. To improve the security of
> > my app in my AWS private subnet,
> >
> >
> > > If it is indeed *your* app; then please alter it not to require the
> > > interception we see below. Ability to connect to a TLS explicit proxy or
> > > just sending regular proxy CONNECT tunnel is a leap up in security.
> >
> > I wish I could too! Unfortunately, we use some third party libraries that
> > do not support proxies (or not well). What a shame :(
> >
> >
> > > > # Hide some revealing or useless headers
> > > > forwarded_for delete
> > > > httpd_suppress_version_string off
> > > > reply_header_access X-Cache deny all
> > > > reply_header_access X-Cache-Lookup deny all
> > > > via off
> > > >
> > > > # Tuning
> > > > max_filedesc 10000
> > > >
> > > > # Disable access to manager
> > > > http_access deny manager
> > >
> > > 2) you are missing the security protections from the default
> > > squid.conf...
> >
> > I have not hardened Squid yet, but you mean default `acl localnet src
> > [...]` rules? I'm not sure about this.
>
> The defaults that come with a new build or installation:
>
> "
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
>
> ... your rules go here ...
>
> http_access deny all
> "
>
> > > Please see <https://wiki.squid-cache.org/Features/SslPeekAndSplice> for
> > > details on the TLS handshake process and what SSL-Bump does during that.
> >
> > Another read was indeed interesting, I think I corrected ssl_bump
> > directives. However I still can't make it work.
> > Just for the record, I would like to block everything but some HTTPS
> > websites for particular URLs. The ssl::server_name acl is not enough for
> > me, I would like to use url_regex or similar.
> > And that's where it gets wrong, I can't make Squid make the link between
> > `ssl_bump bump` and url_regex.
>
> That is because ssl_bump is the access control governing the TLS
> handshake process. TLS message/frames do not contain URLs. Even when a
> client CONNECT request is being processed it only has an authority-URI
> (not a full URL).
>
> The http_access rules are the first point you get access to URL. The
> https:// URLs start *after* the ssl_bump finishes with a successful
> 'bump' action.
>
> The closest you are going to get to the above is with:
> * bump everything[1], and
> * use http_access to check the https:// URLs for your policy
> * use "deny_info TCP_RESET" [2] on the blocked requests.
>
> [1] some things literally cannot be bumped. So a decision needs to be
> made about what to do then.
>
> [2] a regular deny error page will work fine. This TCP_RESET is just
> closest to the "ssl_bump terminate" behaviour.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
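To make Amos's two-stage point concrete (the CONNECT stage only carries an authority-URI, so url_regex can only apply to the https:// request that exists after a successful bump), here is an added Python model of the http_access lines from the config above, evaluated with Squid's first-match semantics over constructed sample requests. It is neither Squid's code nor part of the thread; the request records and the client addresses are assumptions, and it also shows that the anchored url_regex rejects any query string on the whitelisted URL.

```python
import re
from ipaddress import ip_address, ip_network

# ACL definitions copied from the posted squid.conf (a constructed model, not Squid itself).
LAN = ip_network("172.16.0.0/24")
WHITELIST = re.compile(r"^https://thirdparty\.com/upload/stuff/$", re.IGNORECASE)

def request(src, method, url, port=443):
    """Minimal request record: client IP, method, the URL Squid sees, destination port."""
    return {"src": src, "method": method, "url": url, "port": port}

def acl_matches(name, req):
    """Evaluate one named ACL the way the posted config defines it."""
    if name == "LAN":
        return ip_address(req["src"]) in LAN
    if name == "TO_SSL":
        return req["port"] == 443
    if name == "CONNECT":
        return req["method"] == "CONNECT"
    if name == "whitelist-regex":
        # url_regex is matched against the whole URL, query string included. A CONNECT
        # request only carries an authority-URI ("host:443"), so the regex never matches it.
        return WHITELIST.search(req["url"]) is not None
    raise KeyError(name)

# http_access lines in config order; Squid stops at the first line whose ACLs all match.
HTTP_ACCESS = [
    ("allow", ["LAN", "TO_SSL", "CONNECT"]),
    ("allow", ["LAN", "TO_SSL", "whitelist-regex"]),
    ("deny", []),  # "http_access deny all"; deny_info TCP_RESET all turns this into a reset
]

def http_access(req):
    """Return 'allow' or 'deny' for one request under the posted rules."""
    for verdict, acls in HTTP_ACCESS:
        if all(acl_matches(a, req) for a in acls):
            return verdict
    return "deny"  # not reached with these rules: the final "deny all" matches everything

if __name__ == "__main__":
    lan = "172.16.0.10"  # constructed client inside the LAN acl
    samples = [  # constructed: both stages of one allowed upload, plus requests that must fail
        request(lan, "CONNECT", "thirdparty.com:443"),                    # stage 1: CONNECT, no URL yet
        request(lan, "GET", "https://thirdparty.com/upload/stuff/"),      # stage 2: bumped https:// URL
        request(lan, "GET", "https://thirdparty.com/upload/stuff/?x=1"),  # query string: '$' anchor fails
        request(lan, "GET", "https://thirdparty.com/"),                   # other path on the same host
        request("10.0.0.5", "CONNECT", "thirdparty.com:443"),             # client outside the LAN
    ]
    for r in samples:
        print(f"{http_access(r):5} {r['src']:12} {r['method']:7} {r['url']}")
```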