LinuxQuestions.org
Old 02-23-2012, 09:02 AM   #1
Net_Spy
Member
 
Registered: Nov 2006
Posts: 119

Rep: Reputation: 17
Squid security


Hello,

I observe something strange with my squid: I can manage to block port 80 but am unable to stop 443. My squid is configured in transparent mode.

What I mean is I was testing my server from another location; in the console I used the following command with my server's public IP.

Code:
HTTP_PROXY=x.x.x.8:3128 elinks
and entered a website like https://www.paypal.com. I was surprised to see that it does browse the page.

Which it should not do.

Any idea how to block this?

Regards
Net_Spy
 
Old 02-23-2012, 09:19 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Rep: Reputation: 7965
Quote:
Originally Posted by Net_Spy
Hello,
I observe something strange with my squid: I can manage to block port 80 but am unable to stop 443. My squid is configured in transparent mode. What I mean is I was testing my server from another location; in the console I used the following command with my server's public IP.
Code:
HTTP_PROXY=x.x.x.8:3128 elinks
and entered a website like https://www.paypal.com. I was surprised to see that it does browse the page. Which it should not do.

Any idea how to block this?

Same question you asked (and marked SOLVED) before:
http://www.linuxquestions.org/questi...621/page3.html

Again, as you were told in that thread, https blocking doesn't work with transparent mode, and not just because of that. Squid is an http proxy...it CAN route https traffic, if you compiled that option in. If you followed any of the suggestions on your old thread, or tried looking on the Squid wiki/website, (or even bothered to try Google), you'd find out how to do it:
http://squid-web-proxy-cache.1019090...td3537941.html
http://www.cyberciti.biz/tips/linux-...uid-howto.html

There are MANY more options, but try to think about what you're asking. Https is http SECURE...that means, it's designed to stop man-in-the-middle attacks...which is what Squid is, in this context. You can use iptables to redirect things to another port, or block it, but squid won't do it. Try checking the documentation first.
 
Old 02-28-2012, 06:30 AM   #3
Net_Spy
Member
 
Registered: Nov 2006
Posts: 119

Original Poster
Rep: Reputation: 17
Dear, you did not get my point here. What I mean is, people are using my proxy server as an open proxy when I test my server with the above command. I've no issue blocking SSL-supported websites for my internal clients.


Just curious to know how to prevent outsiders from using my proxy server.

Regards
Net_Spy
 
Old 02-28-2012, 08:26 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
A properly configured proxy should deny traffic and access from outside of your LAN. My understanding is that this is the default behavior of Squid. You have likely modified the ACL in a manner that is allowing this activity. What have you changed in the ACL rules?
 
1 members found this post helpful.
Old 02-28-2012, 09:18 AM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Rep: Reputation: 7965
Quote:
Originally Posted by Net_Spy
Dear, you did not get my point here. What I mean is, people are using my proxy server as an open proxy when I test my server with the above command. I've no issue blocking SSL-supported websites for my internal clients.

Just curious to know how to prevent outsiders from using my proxy server.

I didn't get your point, because that's NOT what you asked in your original question. Blocking SSL is a far cry from having external users able to use your proxy server.

As Noway2 said...you must have put rules in to allow this.
 
Old 03-01-2012, 01:40 AM   #6
Net_Spy
Member
 
Registered: Nov 2006
Posts: 119

Original Poster
Rep: Reputation: 17
Hello,

Well, I've gone through the config and it does block. When I use HTTP_PROXY=202.x.x.x:3128 elinks and browse http://www.yahoo.com normally, it is denied, but when I use it with something like https://www.paypal.com, it bypasses. This is really strange. Anyway, thanks for the hint; I'm going to review the config file.

Regards
Net_Spy
 
Old 03-01-2012, 10:16 AM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Rep: Reputation: 7965
Quote:
Originally Posted by Net_Spy
Hello,
Well, I've gone through the config and it does block. When I use HTTP_PROXY=202.x.x.x:3128 elinks and browse http://www.yahoo.com normally, it is denied, but when I use it with something like https://www.paypal.com, it bypasses. This is really strange. Anyway, thanks for the hint; I'm going to review the config file.

Right....which is what's been explained to you before. HTTP blocking is DIFFERENT than HTTPS blocking. Squid DOES NOT block http, nor does it proxy it, because of what https IS.

Once again: if you want to block https, try looking at the links/information you've been provided several times, and checking Google. This is a VERY common question, with VERY easily found answers:
http://squid-web-proxy-cache.1019090...td3537941.html
http://www.cyberciti.biz/tips/linux-...uid-howto.html

Re-reading your replies, you either have a proxy server that's totally open from the outside (see noway2's reply on that), or you can't block https (see mine and other replies in this thread and your other). Which is it?
 
1 members found this post helpful.
Old 03-04-2012, 03:58 PM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by Net_Spy
Just curious to know how to prevent outside to use my proxy server.
Typically, this is done on two layers. The first would be your firewall (iptables rules), and the second would be your Squid configuration (ACLs, listening interface/IP, etc). If you want us to help you get things squared away, post the output of the following commands (run on the Squid box) so that we may understand your current situation:
Code:
iptables -nvL
Code:
netstat -an --inet | grep LISTEN
Code:
/sbin/ifconfig
Code:
cat /etc/squid/squid.conf | grep -v ^# | grep -v ^$
 
1 members found this post helpful.
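
As an added illustration (not from any poster, and not the OP's configuration, which was never posted): a simplified Python model of how Squid evaluates http_access lines, showing how a rule set can deny an outside client's plain HTTP request while still relaying its CONNECT to port 443, the symptom described in post #6. The two squid.conf fragments and the client addresses are constructed; only the src, port and method ACL types with exact port values are modelled.

```python
import ipaddress
# Constructed squid.conf fragments for illustration (assumptions, not the OP's file).
WEAK = """
acl web port 80
http_access deny web
http_access allow all
"""
HARDENED = """
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

def parse(conf):
    """Return (acls, rules) built from the acl and http_access lines."""
    acls = {"all": ("src", ["0.0.0.0/0"])}  # 'all' is treated as built in
    rules = []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"] and len(tok) >= 4:
            # Values of one ACL name are ORed, even across repeated lines.
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"] and len(tok) >= 3:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return str(req["port"]) in values
    if kind == "method":
        return req["method"] in values
    raise ValueError(f"acl type {kind!r} is outside this model")

def decide(conf, req):
    """First matching http_access line wins; every ACL on a line must match."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    # No line matched: opposite of the last line's action; deny if there are none.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

With the weak fragment, a GET to port 80 from 203.0.113.7 is denied but a CONNECT to port 443 from the same address is allowed; with the hardened fragment only the 192.168.0.0/24 clients get through.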
Old 03-05-2012, 06:31 AM   #9
Jambaz
LQ Newbie
 
Registered: Feb 2012
Posts: 6

Rep: Reputation: Disabled
Maybe you can try this:

http://wiki.squid-cache.org/ConfigEx...cept/LinuxDnat

Note: in the link there is the word "Intercept", don't burn me for this... lol

Code:
# --- iptables rules (run as root on the gateway) ---
# your proxy IP
SQUIDIP=192.168.0.2

# your proxy listening port
SQUIDPORT=3129

# Let the proxy's own outbound port-80 traffic through untouched
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
# Send everyone else's port-80 traffic to Squid
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUIDIP:$SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
# Drop connections made directly to the interception port
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP

# --- /etc/sysctl.conf settings ---
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# --- squid.conf ---
http_port 3129 transparent

# In Squid 3.1+ the transparent option has been split. Use 'intercept' to catch DNAT packets.
http_port 3129 intercept

or

Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination xx.yy.zz.ii:3128

or try to create in your hosts file a fake 127.0.0.1 .domain.com; the dot before the domain is important

Regards

Last edited by Jambaz; 03-05-2012 at 06:32 AM.
 
Old 03-05-2012, 08:27 AM   #10
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Rep: Reputation: 7965
Quote:
Originally Posted by Jambaz
Maybe you can try this:
http://wiki.squid-cache.org/ConfigEx...cept/LinuxDnat

Note: in the link there is the word "Intercept", don't burn me for this... lol or try to create in your hosts file a fake 127.0.0.1 .domain.com; the dot before the domain is important

Right...that's why the OP was directed to those solutions early on.
 
Old 03-05-2012, 07:58 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
At this point, I ask everyone to withhold further replies until the OP posts the requested output.
 
Old 01-18-2016, 12:18 PM   #12
hhhrrrzzzzzzzzz
Member
 
Registered: Jan 2016
Posts: 47

Rep: Reputation: Disabled
How does Adblock do it?
Kaspersky can also block some ads; how do they do it?
 
Old 01-18-2016, 01:23 PM   #13
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Rep: Reputation: 7965
Quote:
Originally Posted by hhhrrrzzzzzzzzz
How does Adblock do it?
Kaspersky can also block some ads; how do they do it?

Again, as you were told in the OTHER thread you posted, you CANNOT do this with squid. If you want to know how other, closed-source programs do things, then you should ASK THEM, as we don't know.

AGAIN, as you were told before, you can block HTTPS with an IP tables rule, but NOT for just some sites, unless they have static IP addresses. Stop re-opening old threads, if you're not going to be bothered reading what's IN them.
 
  

