LinuxQuestions.org
Old 12-26-2021, 01:38 PM   #1
seg_fault
LQ Newbie
 
Registered: Dec 2021
Posts: 3

whitelist specific domains on https traffic in Squid


Problem Statement: I have a squid server running and I want my users to only access a few domains like www.abc.com and www.abc1.com. All these domains are accessible only over https, hence the whole http traffic is blocked.

Now since it's https, I am performing packet inspection using ssl-bump and can basically get the whole request in clear text. Using this, I should be able to get the target domain and allow specific domain websites.

Current Squid config:
Quote:
#

acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

acl whitelist dstdomain .abc.com
http_access allow whitelist
http_access deny !Safe_ports

http_access allow localhost

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/squidCA.pem

coredump_dir /usr/local/squid/var/cache/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
acl BrokenButTrustedServers dstdomain .abc.com
sslproxy_cert_error allow BrokenButTrustedServers
ssl_bump server-first BrokenButTrustedServers
sslproxy_cert_error deny all

http_access deny all

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %>Hs %<st %Ss:%Sh %ssl::bump_mode
access_log syslog:daemon.info mine
debug_options ALL,1 11,2
I would like your help to understand where this went wrong. In order to use the above proxy, in another terminal I am doing export https_proxy=https://IP:3128 and then making a curl to google.com, which shows this error:
Quote:
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

Specifics: Ubuntu 20, Squid version 6.0.0-VSC (I compiled it from source with those ssl flags)

Last edited by seg_fault; 12-26-2021 at 01:39 PM.
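Two facts about the setup in this post are worth holding next to the curl output. The `http_port 3128 ssl-bump ...` line makes Squid accept plaintext HTTP from clients (the CONNECT request itself is sent in the clear; ssl-bump concerns the TLS session tunnelled inside it), and Squid only speaks TLS to clients on an `https_port`. Setting `https_proxy=https://IP:3128`, on the other hand, tells curl to open a TLS session to the proxy itself. OpenSSL reports `wrong version number` when the bytes it gets back where it expects a ServerHello do not begin a TLS record, which is what a plaintext HTTP status line looks like to it. The example below is mine, not code from this thread or from Squid: it reproduces that failure against a stand-in loopback listener that answers every connection with a fixed plaintext HTTP response (an assumption standing in for a plaintext proxy port; `www.example.com` is a placeholder target), and contrasts it with talking to the same port in plain HTTP.

```python
"""Reproduce OpenSSL's "wrong version number" by starting a TLS handshake
against a port that answers in plaintext HTTP.

Added example, not from the thread or from Squid. The listener is a stand-in
for a proxy's plaintext http_port: it does not parse anything, it just replies
with a fixed HTTP status line to whatever bytes arrive (constructed sample).
"""
import socket
import ssl
import threading

PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def start_plaintext_listener():
    """Bind an ephemeral loopback port; answer one connection with HTTP, never
    with a TLS record. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)            # a TLS ClientHello or a CONNECT line; ignored
            conn.sendall(PLAINTEXT_REPLY)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(port, use_tls):
    """Talk to the port either with TLS (what an https:// proxy URL makes curl
    do) or in plain HTTP (what an http:// proxy URL does). Returns a short
    classification of what happened."""
    sock = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        if not use_tls:
            sock.sendall(b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                         b"Host: www.example.com:443\r\n\r\n")
            status_line = sock.recv(4096).split(b"\r\n", 1)[0]
            return "plaintext HTTP reply: " + status_line.decode()
        ctx = ssl.create_default_context()
        ctx.check_hostname = False      # the stand-in has no certificate at all;
        ctx.verify_mode = ssl.CERT_NONE  # the handshake fails before any cert check
        with ctx.wrap_socket(sock) as tls:
            return "tls handshake succeeded: " + tls.version()
    except ssl.SSLError as err:
        # OpenSSL names the failure, e.g. "[SSL: WRONG_VERSION_NUMBER] wrong version number"
        return "tls handshake failed: " + str(err)
    finally:
        sock.close()


if __name__ == "__main__":
    print(probe(start_plaintext_listener(), use_tls=True))
    print(probe(start_plaintext_listener(), use_tls=False))
```

The client-side check that follows from this is to point curl at the proxy with an `http://` proxy URL (`-x http://IP:3128`) and to give it the bumping CA for the origin certificate with `--cacert`; the TLS-to-proxy path only applies when Squid is configured with an `https_port`.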
 
Old 12-26-2021, 01:52 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,633

Quote:
Originally Posted by seg_fault
Problem Statement: I have a squid server running and I want my users to only access a few domains like www.abc.com and www.abc1.com. All these domains are accessible only over https, hence the whole http traffic is blocked. Now since it's https, I am performing packet inspection using ssl-bump and can basically get the whole request in clear text. Using this, I should be able to get the target domain and allow specific domain websites.

I would like your help to understand where this went wrong. In order to use the above proxy, in another terminal I am doing export https_proxy=https://IP:3128 and then making a curl to google.com, which shows this error. Specifics: Ubuntu 20, Squid version 6.0.0-VSC (I compiled it from source with those ssl flags)
Why wouldn't you just follow the very simple instructions to let Squid use a simple whitelist? Takes one line in the config and a simple text file with the allowed domains:
https://myshittycode.com/2021/04/21/...telisted-urls/
 
Old 12-26-2021, 01:55 PM   #3
seg_fault
LQ Newbie
 
Registered: Dec 2021
Posts: 3

Original Poster
So the solution you mentioned works well for http requests. I first tried the whole setup for http domains and it works perfectly fine. The problem starts with https, since those are encrypted packets. I am using ssl-bump for that only.

And to answer your question, no, it will not work, and I have already tried this. If you look closely at the conf file, you will notice that line is already added.
 
Old 12-26-2021, 02:03 PM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,633

Quote:
Originally Posted by seg_fault
So the solution you mentioned works well for http requests. I first tried the whole setup for http domains and it works perfectly fine. The problem starts with https, since those are encrypted packets. I am using ssl-bump for that only.

And to answer your question, no, it will not work, and I have already tried this. If you look closely at the conf file, you will notice that line is already added.
Yep, sure is...have you looked at the Squid documentation?

This thread has the exact same question, and 95%+ of the exact Squid configuration you posted, along with a solution. You are essentially performing a MITM on your own network; expect problems.
https://community.spiceworks.com/top...-https-traffic
 
Old 12-26-2021, 02:24 PM   #5
seg_fault
LQ Newbie
 
Registered: Dec 2021
Posts: 3

Original Poster
For me, following his exact same wrong config, which rejects the traffic for him, doesn't work. I keep on getting this error on curl:
Quote:
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
Is this due to some mistake I made while building squid? No one seems to be getting this error.
Config:
Quote:
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/squidCA.pem
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT


acl whitelist ssl::server_name .google.com
ssl_bump bump whitelist
#http_access allow whitelist
http_access deny all
#
# Deny CONNECT to other than secure SSL ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %>Hs %<st %Ss:%Sh %ssl::bump_mode
access_log syslog:daemon.info mine

#logformat squid-cs %{%Y-%m-%d %H:%M:%S}tl %3tr %>a %Ss/%03>Hs %<st %rm %>ru %un %Sh/%<a %mt "%{User-Agent}>h" "SQUID-CS" %>st %note
debug_options ALL,1 11,2
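Squid evaluates `http_access` lines top to bottom: the first line whose ACLs all match decides the request, and a request that matches no line gets the opposite of the last line's action. In the config above, `http_access deny all` precedes every allow line, so it matches every request before `allow localnet` or `allow localhost` is ever reached. The simulator below is an added example of mine, not part of the thread or of Squid; it models only the ACL types the thread uses (`src`, `port`, `method`, `dstdomain`, `ssl::server_name`, and the built-in `localhost` and `all`), ignores `ssl_bump` decisions entirely, and runs the posted rule order next to a reordered variant that I am assuming as a sane alternative (safety denies first, LAN clients allowed only to whitelisted names, then `deny all`). The client addresses and the `www.example.com` name are constructed inputs.

```python
"""Simplified model of Squid's first-match http_access evaluation.

Added example, not part of the thread or of Squid. It handles only the ACL
types used in the posted configs and is meant for reasoning about rule order;
the real proxy also consults ssl_bump rules, which are not modelled here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str      # client address
    method: str   # CONNECT, GET, ...
    host: str     # CONNECT target / SNI / Host header, as the ACLs see it
    port: int     # destination port


def ip_in(spec, addr):
    """src value: CIDR, bare address, or an a-b range (as in 0.0.0.1-0.255.255.255)."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return net.version == ip.version and ip in net


def port_in(spec, port):
    """port value: a single port or a lo-hi range such as 1025-65535."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def domain_in(pattern, host):
    """dstdomain / ssl::server_name value: a leading dot matches the domain
    itself and every subdomain; without it only the exact name matches."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


class Policy:
    def __init__(self, text):
        self.acls, self.rules = {}, []
        for raw in text.splitlines():
            parts = raw.split("#", 1)[0].split()   # drop trailing comments
            if not parts:
                continue
            if parts[0] == "acl":   # acl NAME TYPE VALUE...; repeats extend the list
                self.acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
            elif parts[0] == "http_access":   # http_access allow|deny [!]ACL...
                terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
                self.rules.append((parts[1], terms, " ".join(parts)))

    def matches(self, name, req):
        if name == "all":
            return True
        if name == "localhost":   # built-in ACL: loopback source address
            return ipaddress.ip_address(req.src).is_loopback
        if name == "manager":     # built-in cache-manager ACL, not modelled
            return False
        typ, values = self.acls[name]
        if typ == "src":
            return any(ip_in(v, req.src) for v in values)
        if typ == "port":
            return any(port_in(v, req.port) for v in values)
        if typ == "method":
            return req.method.upper() in {v.upper() for v in values}
        if typ in ("dstdomain", "ssl::server_name"):
            return any(domain_in(v, req.host) for v in values)
        raise ValueError(f"acl type {typ} not modelled")

    def decide(self, req):
        """First matching line wins; no match -> opposite of the last line."""
        for action, terms, line in self.rules:
            if all(self.matches(name, req) != negated for negated, name in terms):
                return action, line
        return ("deny" if self.rules[-1][0] == "allow" else "allow"), "<implicit default>"


# ACLs taken from the posted config, trimmed to what the rules below reference.
ACLS = """
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl whitelist ssl::server_name .google.com
"""
# Rule order as posted: "deny all" comes first, so nothing reaches the allow lines.
POSTED = ACLS + """
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
"""
# Assumed reordering: safety denies first, LAN clients to whitelisted names only.
REORDERED = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet whitelist
http_access deny all
"""


def decide(config, src, method, host, port):
    return Policy(config).decide(Request(src, method, host, port))


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("reordered", REORDERED)):
        for host, port in (("www.google.com", 443), ("www.example.com", 443), ("www.google.com", 8443)):
            print(label, host, port, decide(cfg, "10.0.0.5", "CONNECT", host, port))
```

The deciding line is returned alongside the verdict, which is the piece of information that is hardest to read off a long config by eye; the same question on a live proxy is answered by the `%Ss` and ACL-related fields in the access log and by the `debug_options` the thread already has in place.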
 
Old 12-26-2021, 05:15 PM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,633

Quote:
Originally Posted by seg_fault
For me, following his exact same wrong config, which rejects the traffic for him, doesn't work. I keep on getting this error on curl.

Is this due to some mistake I made while building squid? No one seems to be getting this error.
Re-posting the same config doesn't give anyone new information. And again, you're getting errors on the pages because you are doing a MITM on your web traffic; have you actually put an address into a browser, rather than using curl?