Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 10-27-2016, 09:25 AM   #1
LQ Newbie
Registered: Oct 2016
Posts: 2

Rep: Reputation: Disabled
Squid+ C-ICAP Partial Solution to HTTPS blocked pages without denied reason

So íve been researching this problem for a week now and I stumbled on the Diladele ICAP Server project, Rafael from it seen to have found the solution.

But lets talk about the problem and setup first

IN a non-transparent proxy deployment when users try to go to a https web site that´s been blocked (i.e they see an Unable to connect or similar message instead of the Squid regular denied page, in a network with a lotta users this can be quite a problem since you will start getting calls from users who think their internet access is down instead of blocked.

And the solution:

If your browser is set up to use proxy explicitly, and user goes to a blocked site (for example Facebook, the following sequence of events occur:

1-Browser establishes regular HTTP connection to the proxy server and sends the CONNECT request to setup the secure tunnel to Facebook.
2-Squid intercepts this request and redirects it to Diladele Web Safety ICAP server.
3-ICAP server sees the Facebook domain is blocked and returns “403 Blocked” HTTPS message to Squid.
4-Squid forwards this “403 Blocked” message back to the browser.
5-Browser expects to get the SSL handshake from Facebook back and instead sees some flow of unexpected bytes (the 403 Blocked response) and displays a standard “Cannot connect to site using HTTPS” message to the user instead of the expected 403 Blocked message.

This is a known limitation of all browsers.

The solution

The latest build of Diladele Web Safety Virtual Appliance 4.4+ for Squid fixes this issue by first letting the CONNECT tunnel succeed and later blocking first request on this tunnel. Now users are able to see Blocked Page in HTTPS request too!

I´ve Asked Rafael from Diladele if the solution was really just the extra acls he added to squid and he said yes, bellow you can check then and my current squid (a clean one without the rules)
acl qlproxy_ssl_force_bump req_header X-SSL-Bump -i force
ssl_bump server-first qlproxy_ssl_force_bump
# bump all others by default
ssl_bump server-first all

shutdown_lifetime 1 seconds
icp_port 0

workers 1

# direct access - acls
acl to_proxy_port           port 8080 18080 18081
# proxy interfaces - acls
acl to_orange_interface    dst
acl to_green_interface    dst

acl from_orange          src "/etc/squid/acls/orange_subnets.acl"
acl to_orange            dst "/etc/squid/acls/orange_subnets.acl"
acl from_green          src "/etc/squid/acls/green_subnets.acl"
acl to_green            dst "/etc/squid/acls/green_subnets.acl"

tcp_outgoing_mark 0x20000000
tcp_preserve_outgoing_mark_mask 0x3fff8

#=== ORANGE zone setting ===
#=== ORANGE IP ===

#=== GREEN zone setting ===
#=== GREEN IP ===

nontransparent_spoof_client_ip allow all

dns_v4_first on

cache_effective_user squid

pid_filename /var/run/

cache_mem 40 MB

cache_dir rock /var/spool/squid 500 max-size=32768

error_directory /usr/share/squid/errors/en

icon_directory /usr/share/squid/icons

max_filedesc 54140

server_persistent_connections off
half_closed_clients off
buffered_logs on

cache_log /var/log/squid/cache.log
cache_store_log none

strip_query_terms off

log_mime_hdrs off

forwarded_for delete

# windows logon name for auth
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile=/etc/samba/winbind.conf
auth_param ntlm children 45
auth_param ntlm keep_alive off
# domain user or auth
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile=/etc/samba/winbind.conf
auth_param basic children 45
auth_param basic realm geekzilla.geek
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile=/etc/samba/winbind.conf --kerberos /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 45
auth_param negotiate keep_alive off

external_acl_type NT_global_group children-max=45 ttl=300 ipv4 %LOGIN /usr/lib/squid/
acl for_auth_rule0 external NT_global_group "/etc/squid/groups/rule0"
acl for_auth_rule1 external NT_global_group "/etc/squid/groups/rule1"
acl for_auth_rule2 external NT_global_group "/etc/squid/groups/rule2"

acl for_auth_users proxy_auth REQUIRED

# network - acls
acl from_all                src all
acl to_all                  dst all

acl from_localhost          src
acl to_localhost            dst
acl CONNECT                 method CONNECT

acl to_http_port            port 80
acl to_https_port           port 10443

# allowed ports - acls
acl allowed_ports       port "/etc/squid/acls/ports.acl"
acl allowed_sslports    port "/etc/squid/acls/sslports.acl"

acl within_timeframe_rule0 time MTWHFAS 00:00-24:00
acl using_mimetype_rule0 rep_mime_type "/etc/squid/acls/mimetypes_rule0.acl"
acl with_browser_rule0 browser (AOL)|(avantbrowser)|(Chrome)|(Firefox)|(FrontPage)|(Gecko)|(GetRight)|(Go!Zilla)|(Google\sToolbar)|(Iceweasel)|(Java)|(Konqueror)|(Lynx)|(MSIE.*[)]$)|(^Mozilla\/4.[7|8])|(Netscape)|(Opera)|(Safari)|(wget)|(Industry\sUpdate\sControl)|(Windows\sUpdate)|(Service\sPack\sSetup)|(Progressive\sDownload)|(Windows-Update-Agent)|(Windows\sUpdate\sAgent)|(APT-HTTP/1\.3)|(urlgrabber)
acl within_timeframe_rule1 time MTWHFAS 00:00-24:00
acl within_timeframe_rule2 time MTWHFAS 00:00-24:00

# caching settings
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .            0 20% 4320

cache deny      from_localhost
cache deny      CONNECT
cache allow     from_all

# http access to cachemanager
acl cachemanageracl proto cache_object
http_access allow cachemanageracl from_localhost
http_access deny cachemanageracl

# snmp access settings
snmp_port 3401
acl snmppublic snmp_community public
snmp_access allow snmppublic from_localhost
snmp_access deny from_all

# http access to squid
http_access deny    to_localhost
http_access allow   from_localhost
http_access allow   from_green to_green_interface to_http_port
http_access allow   from_green to_green_interface to_https_port
http_access allow   CONNECT from_green to_green_interface to_https_port
http_access deny    to_orange_interface to_https_port
http_access deny    to_orange_interface to_proxy_port
http_access deny    to_green_interface to_https_port
http_access deny    to_green_interface to_proxy_port

http_access deny    !allowed_ports !allowed_sslports
http_access deny    CONNECT !allowed_sslports

http_access deny   within_timeframe_rule0 for_auth_rule0 with_browser_rule0 using_mimetype_rule0 
http_access allow   within_timeframe_rule1 for_auth_rule1   
http_access allow   within_timeframe_rule2 for_auth_rule2   
http_access deny    from_all

# http reply access rules
http_reply_access allow from_localhost
http_reply_access deny   within_timeframe_rule0 for_auth_rule0 with_browser_rule0 using_mimetype_rule0 
http_reply_access allow   within_timeframe_rule1 for_auth_rule1   
http_reply_access allow   within_timeframe_rule2 for_auth_rule2   
http_reply_access deny from_all

# max/min object size
maximum_object_size 1024 KB
minimum_object_size 0 KB

reply_body_max_size 300000 KB from_all

visible_hostname proxy01.geekzilla.rdc

icap_enable on
icap_service_revival_delay 30
icap_service_failure_limit -1
icap_preview_enable on
icap_preview_size    128
icap_send_client_ip  on
icap_send_client_username  on

include /etc/squid/squid.conf.d/*.conf

adaptation_access service_cf_req deny cachemanageracl

# icap contentfilter access control
# rule 0 - 
adaptation_access service_cf_req deny   within_timeframe_rule0 for_auth_rule0 with_browser_rule0 using_mimetype_rule0
# rule 1 - adminsrede
adaptation_access service_cf_req allow   within_timeframe_rule1 for_auth_rule1  
adaptation_meta X-Profile profileadminsrede   within_timeframe_rule1 for_auth_rule1  
# rule 2 - domain_users
adaptation_access service_cf_req allow   within_timeframe_rule2 for_auth_rule2  
adaptation_meta X-Profile profiledomain_users   within_timeframe_rule2 for_auth_rule2  
# default deny - only allow defined traffic
adaptation_access service_cf_req deny all
Old 11-16-2017, 01:50 PM   #2
LQ Newbie
Registered: Nov 2017
Posts: 1

Rep: Reputation: Disabled
GeekZilla thanks for your post, i'm facing this same problem with Endian EFW 3.2.4, I tried do apply this workaround but I didn't had sucess, has any place specific in the squid.conf to place the code?

acl qlproxy_ssl_force_bump req_header X-SSL-Bump -i force
ssl_bump server-first qlproxy_ssl_force_bump
# bump all others by default
ssl_bump server-first all

Thanks again.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
http access denied and https not work in squid in debian... alirezaimi Linux - Networking 2 05-01-2013 01:38 PM
Squid: transparent proxy + ssl_bump causing problem in accessing https pages auny87 Linux - Server 0 04-11-2012 08:08 AM
squid https denied DennisC31 Linux - Server 1 09-12-2008 09:27 AM
A unknown error accesing https pages... Would be the squid.conf guilty?? mnfjzog Linux - General 1 11-14-2003 05:01 PM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 10:55 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration