Hi. I'm jon.404, a Unix/Linux/Database/Openstack/Kubernetes Administrator, AWS/GCP/Azure Engineer, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: *nix.
Layer 7 filtering with relayd

Posted 03-31-2016 at 03:38 PM by rocket357
Updated 03-31-2016 at 03:44 PM by rocket357

My wife and I homeschool our children with an online school. Our eldest is soon to be a teenager; coupled with her "easily distracted" personality, we've gotten to the point where we have to monitor her during school hours to ensure she isn't getting off track with online games, youtube, etc...

So my wife tasked me with filtering traffic. My initial instinct would be to simply drop web traffic and smile about it, but given that they have online courses I couldn't sledgehammer this one. I'd used relayd in the past as a load balancer and tls terminator, but I'd never used it as a proxy. Time to read up on some man pages!

Ok, so relayd is a really neat piece of software that is written by the OpenBSD team (you knew the reference was coming, if you've read my blog before). One of the core failings of some proxy systems is that they cannot proxy https traffic (which makes sense, as the proxy does not know the private key of each site that is visited). Given that my pre-teen is likely smart enough to find that hole, I had to figure out a way to prevent it.

You could, in theory, have relayd perform upstream certificate validation and just leave it at that, but then my daughter would get certificate warnings any time she visited an https site. After a bit more reading of the man page, it occurred to me that I simply have to provide a CA certificate on the relayd box that the browsers see as valid, then configure relayd to act as a TLS MITM. This involves generating a self-signed CA certificate and key on the relayd box, exporting the certificate (the key stays on the relayd box), transferring it to the desired machine, and importing it there as a trusted CA certificate. This obviously has some security implications, so don't take my word for it...weigh your options and decide for yourself if it fits your network requirements!

I tested on my desktop, then decided to try it out on her machine. A few pf redirects to relayd were all it took to configure a URL whitelist proxy. Here is the configuration I'm using:

Code:
prefork 10

# Plain HTTP: pf redirects port 80 traffic from the client vlans to this relay
http protocol httpfilter-whitelist {
        return error
        pass quick url filter file "/etc/relayd.d/common-whitelist"
        pass quick url filter file "/etc/relayd.d/school-whitelist"
        pass quick url filter file "/etc/relayd.d/gov-whitelist"
        block
        block label "Blocked by relayd whitelist!<p><img src='http://www.openbsd.org/art/puffy/puflogv100X65.gif'/>"
}
relay httpinspect-whitelist {
        listen on 127.0.0.1 port 8080
        protocol httpfilter-whitelist
        forward to destination
}

# HTTPS: relayd terminates TLS with the local CA below, filters the URL,
# then re-encrypts towards the original destination
http protocol httpsfilter-whitelist {
        return error
        pass quick url filter file "/etc/relayd.d/common-whitelist"
        pass quick url filter file "/etc/relayd.d/school-whitelist"
        pass quick url filter file "/etc/relayd.d/gov-whitelist"
        block
        block label "<h2>Blocked by relayd whitelist!</h2><p><img src='http://www.openbsd.org/art/puffy/puflogv100X65.gif'/>"

        # New configuration directives for SSL/TLS Interception
        tls ca key "/etc/ssl/private/relayd.my.domain.key" password ""
        tls ca cert "/etc/ssl/relayd.my.domain.crt"

        tls { tlsv1, no sslv3, ciphers "HIGH" }
}
relay tlsinspect-whitelist {
        listen on 127.0.0.1 port 8443 tls
        protocol httpsfilter-whitelist
        forward with tls to destination
}
The url filter files contain an entry for each domain and sub-domain I want to whitelist. Note that relayd will allow a sub-domain of a whitelisted domain, but not a sub-domain of a sub-domain of a whitelisted domain: if "google.com" is whitelisted, "first.google.com" and "second.google.com" are allowed, but "third.first.google.com" and "fourth.second.google.com" are not. Google is perhaps a bad example here, as most of their services are singular sub-domains of their primary domain (along with supporting secondary domains, such as gstatic.com and googleusercontent.com). Microsoft has a much more deeply nested domain hierarchy, so perhaps I should have used them as an example? I digress.

To switch to a blacklist, simply reverse the "pass" and "block" keywords, and put the URLs you want to blacklist in the files.
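To see which hosts a filter file actually covers before the rules go live, here is an added Python dry-run (not part of this post and not relayd's own code) that models the one-level sub-domain rule described above and the whitelist/blacklist reversal. The file format (one domain per line, '#' comments) and the sample domains are assumptions, and the matching is a model of the post's description, not relayd's implementation.

```python
from urllib.parse import urlsplit

# Constructed sample filter file, standing in for /etc/relayd.d/school-whitelist.
# Assumption: one domain per line, blank lines and '#' comments ignored.
WHITELIST_TEXT = """
# school platform and the domains its pages pull assets from (constructed)
google.com
gstatic.com
blackboard.com
"""

def load_list(text):
    """Parse a filter file into a set of normalised (lowercase, no trailing dot) domains."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            entries.add(line)
    return entries

def host_of(url):
    """Host part of a URL or bare host:port, with scheme, port and path stripped."""
    if "://" not in url:
        url = "http://" + url          # let urlsplit parse bare hosts too
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def matches(host, entries):
    """The post's rule: a listed domain covers itself and exactly one extra
    label (first.google.com), but not two (third.first.google.com)."""
    if host in entries:
        return True
    parent = host.partition(".")[2]    # drop the leftmost label only
    return bool(parent) and parent in entries

def decide(url, entries, mode="whitelist"):
    """'pass' or 'block' for one URL. Whitelist: listed hosts pass, the rest is
    blocked. Blacklist: the post's reversed keywords, so listed hosts are blocked."""
    hit = matches(host_of(url), entries)
    if mode == "whitelist":
        return "pass" if hit else "block"
    return "block" if hit else "pass"

def audit(urls, entries, mode="whitelist"):
    """Dry-run a batch of URLs (e.g. everything a lesson page loads) against the
    list so gaps such as a deeper sub-domain show up before deployment."""
    return {u: decide(u, entries, mode) for u in urls}
```

Running `audit(["https://third.first.google.com/"], load_list(WHITELIST_TEXT))` shows the deeper sub-domain being blocked, which is exactly the kind of typo-hunt the post mentions later with the Blackboard suite.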

Simple.

Comments

  1.
    Hey, my man!

    Even though what you're describing is a bit "out of my league," it reminds me of the system I use as a public access station (running Windows XP) for the residents where I live.

    I use K9 Web Protection and a Firefox add-on that I can't remember the name of to handle the content filtering on the PC, to keep out pornography and other undesirable content. I also use a utility to keep the desktop locked down pretty tight, plus I've disabled CMD, safe mode and the ability to "restore" the OS. All residents use the limited users account that has no administrative privileges.

    Unfortunately, last summer, I had someone who wanted to access this kind of content so badly that he/she:

    1. Tried to access/change my password for K9. I've since removed access to K9's administrative settings (which can only be accessed by using my password) in the residents account. I got a notice in my email that an attempt had been made to change the password, which was blocked.

    2. Reinstalled Firefox by accessing Firefox's safe mode. However, this ultimately failed since it didn't affect K9 or the restrictions I set. But I still had to spend some time getting all the individual settings back that I had in place.

    3. Spent some time trying to find the loopholes around K9's restrictions, and they were able to find one that took me a little bit to figure out how they were doing it. There's a setting in K9 that deals with blocking sites or sections of sites that exclusively contain only images (I forgot what the technical term is.) Once I checked the box to block those sites, problem solved.

    By that time, the problem was resolved because I had a little talk with the person who was a suspect and all attempts to access the content ceased after that day.

    For a while, though, it really felt like a "cat and mouse" game but one thing I gained from the experience was how to more effectively use content filters and what to look out for.

    Regards...
    Posted 03-31-2016 at 09:05 PM by ardvark71
  2.
    Hiya ardvark!

    One of my goals was to have the filtering take place upstream of the client machine. Obviously that wouldn't work in your case, as the machine itself served as the shared point, but in my case I have a bit of flexibility to provide services (and deny services) on my network. I attempted to go with a blacklist config at first, putting around 14k known malware-distributing urls in the blacklist file, but my hardware just wasn't fast enough for that amount of scanning. The whitelist group is currently ~100 entries, so that is considerably faster =)

    I had a few hiccups with getting blackboard's collaborate suite working with the whitelist, but that ended up being operator error (typo in the whitelist, doh!). Now that all of the school stuff is perfectly operational, I'll be adding in time-slots for games/social stuff.

    One thing I've been pondering is how to solve the issue of a problem on a whitelisted site, such as when yahoo ads was distributing malware some years back. I haven't decided on an approach for that yet.
    Posted 04-01-2016 at 12:32 PM by rocket357
  3.
    Quote (originally posted by rocket357):
    One of my goals was to have the filtering take place upstream of the client machine. Obviously that wouldn't work in your case, as the machine itself served as the shared point, but in my case I have a bit of flexibility to provide services (and deny services) on my network.
    Hi...

    Out of curiosity, what is that upstream point? A particular server? I'm guessing a part of your goal is to keep any kind of ability to make settings adjustments (or file changes) away from your daughter's system. But if the file (or code) you mentioned (in your first post) is on her system, how do you keep her from making changes to it? Please bear with me, my understanding of networking is very poor. I'm mostly a hardware guy.

    I have very little understanding of what's being said but I found some sites that deal with the relayd and layer 7, although they're not directly related to what you're doing...

    http://bsd.plumbing/

    http://www.slideshare.net/GiovanniBe...er-for-openbsd

    https://calomel.org/relayd.html

    http://www.mouedine.net/relayd/

    Regards...
    Posted 04-01-2016 at 04:09 PM by ardvark71
    Updated 04-01-2016 at 04:10 PM by ardvark71 (Correction.)
  4.
    Here's my network layout:

    Internet <- Cable Modem <- OpenBSD Firewall <- Cisco 3560 <- Daughter's Machine

    Each of the windows machines on my network is split (via vlans on the 3560 and firewall) into its own /29 (i.e. each one only has access to the IP space of the firewall (which has several IPs across several vlans) and the IP space of my Cisco 2801 (used just for IPSec and BGP)). In short, internet access is via the OpenBSD firewall, and the vlans are denied access to each other, and then the 2801 allows access to private VPCs at Amazon. The Windows machines are not allowed to access anything else on the network (oh, we do have a network attached printer...that traffic is allowed).

    Ok, the relayd instance runs on the OpenBSD firewall, so each Windows vlan has port 80 and port 443 traffic re-routed to relayd, which checks URLs against a whitelist and sends back an http 403 (access denied) for anything not on the whitelist. It goes without saying that my daughter does not have access to the firewall configuration =)

    I originally had each Windows machine on its own /30 (i.e. 4 addresses: network, gateway, host, and broadcast), but then I wanted to add the 2801 without tons of traffic logic on the firewall, so I remapped that portion of the network to be /29's (8 addresses: network, gateway, 2801, host, 3x unused, and broadcast), which gives me room for expansion later, should I choose to do so.

    Really, all relayd does here is TLS validation and checking URLs against a whitelist, which is something I've been meaning to add for a while now.
    Posted 04-01-2016 at 04:36 PM by rocket357
  5.
    Quote (originally posted by rocket357):
    Here's my network layout:

    Internet <- Cable Modem <- OpenBSD Firewall <- Cisco 3560 <- Daughter's Machine

    Each of the windows machines on my network is split (via vlans on the 3560 and firewall) into its own /29 (i.e. each one only has access to the IP space of the firewall (which has several IPs across several vlans) and the IP space of my Cisco 2801 (used just for IPSec and BGP)). In short, internet access is via the OpenBSD firewall, and the vlans are denied access to each other, and then the 2801 allows access to private VPCs at Amazon. The Windows machines are not allowed to access anything else on the network (oh, we do have a network attached printer...that traffic is allowed).

    Ok, the relayd instance runs on the OpenBSD firewall, so each Windows vlan has port 80 and port 443 traffic re-routed to relayd, which checks URLs against a whitelist and sends back an http 403 (access denied) for anything not on the whitelist. It goes without saying that my daughter does not have access to the firewall configuration =)
    Ahhh, ok, gotcha! Thank you for explaining that. If you would, please report back later and let us know how it goes.

    Regards...
    Posted 04-01-2016 at 08:33 PM by ardvark71
    Updated 04-01-2016 at 08:34 PM by ardvark71 (Added wordage.)