linux
Denis Sechin, 2017-08-23 17:23:49

How do I block google, youtube, etc. after all?

I set up a transparent caching Squid 3.5.26 with ssl-bump support on Ubuntu 16.04, without certificate replacement. In principle everything works, but when the time came to block https resources, specifically google, gmail and youtube, things came to a standstill. That is, the squid config contains the following directive:
acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
and in that file I list the domains of the blocked resources: .google.com .www.youtube.com .toster.ru. As a result only toster is blocked (I blocked it as a test; it's a good site), and for some reason facebook is blocked too, although its blocking appears nowhere. Help me figure it out. I set up squid following the articles on Habr. Here is the squid config:


acl local src 10.10.1.0/24

http_port 10.10.1.254:3128 intercept options=NO_SSLv3:NO_SSLv2
https_port 10.10.1.254:3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem

always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1

ssl_bump terminate blocked
ssl_bump splice all

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
coredump_dir /var/spool/squid

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager

http_access allow local

http_access deny manager
http_access allow localhost
http_access deny all
http_port 3128

coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
cache_dir aufs /var/spool/squid 20000 49 256
maximum_object_size 61440 KB
minimum_object_size 3 KB

cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4

1 answer(s)

CityCat4, 2017-08-23
@tamogavk

When I was sorting out the question of a new proxy with bumping, statistics (blackjack and girls with outstanding ... virtues), I decided not to terminate the connection at the bump step but to return the old familiar access denied, since users are used to recognizing that particular phrase :D
So manage access as usual, and write only the exceptions for banks into the bumping rules.
I'll omit most of the config with the description of access groups; they are all of the same type.

acl full_acl    proxy_auth -i "/etc/squid/policy/full.acl"
acl noporno_acl proxy_auth -i "/etc/squid/policy/noporno.acl"
acl porno url_regex -i "/etc/squid/policy/porno.url"
http_access allow full_acl
http_access deny noporno_acl porno
http_access allow noporno_acl
http_port 10.1.1.1:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/pki/tls/certs/logsrv_subca-sha256.crt key=/etc/pki/tls/private/logsrv_subca-sha256.key cafile=/etc/pki/tls/certs/squid-cafile.pem capath=/etc/ssl/certs cipher=kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE dhparams=/etc/pki/tls/private/dhparams.pem tls-dh=prime256v1:/etc/pki/tls/private/dhparams.pem
sslproxy_client_certificate /etc/pki/tls/certs/logsrv_client-sha256.crt
sslproxy_client_key /etc/pki/tls/private/logsrv_client-sha256.key
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2
sslproxy_cafile /etc/pki/tls/certs/squid-cafile.pem
sslproxy_capath /etc/ssl/certs
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl nobumpSites ssl::server_name "/etc/squid/policy/ssl_nobump.url"
ssl_bump peek step1 all
ssl_bump peek step2 nobumpSites
ssl_bump splice step3 nobumpSites
ssl_bump bump all
acl domainMismatchList dstdom_regex -i "/etc/squid/policy/domain_mismatch.url"
acl certMismatch all-of domainMismatchList ssl::certDomainMismatch
sslproxy_cert_error allow certMismatch
sslproxy_cert_error deny all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

Prohibited domains, in this case porn sites, go into the porno.url file; noporno.acl holds logins in user@domain (e-mail address) format. Sites that must not be bumped go into ssl_nobump.url. Sites with a certificate error caused by the admin's laziness, i.e. the certificate was issued to a different name, go into domain_mismatch.url.
JFYI: do not disable certificate error handling. If you run into a real MitM, nothing will save you with that handling disabled.
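Both the question's three-rule chain (peek step1 / terminate blocked / splice all) and the answer's peek/peek/splice/bump chain hinge on when Squid knows the server name and on how ssl::server_name entries match. The Python model below is an added example, not code from this page or from Squid: it applies the dstdomain-style matching Squid documents for ssl::server_name (a leading dot matches the domain and all of its subdomains; an entry without one matches only that exact host, case-insensitively) and walks both rule chains step by step. It assumes the server name is unknown at SslBump1 and is the client SNI from step 2 on, that a chain with no matching rule splices, and it uses constructed list contents (the question's three entries, plus a made-up .bank.example no-bump entry); Squid itself is not run. With these semantics .www.youtube.com covers www.youtube.com but not youtube.com or m.youtube.com.

```python
"""Model of Squid 3.5 ssl::server_name matching and ssl_bump rule evaluation.

Added example, not Squid's code. Assumptions: ssl::server_name uses the
dstdomain matching rules Squid documents (leading dot = domain plus any
subdomain, otherwise exact host, case-insensitive); the server name is
unknown at SslBump1 and becomes the client SNI after the peek at step 1;
with no matching rule Squid splices. List contents and server names below
are constructed samples.
"""
from typing import Callable, Dict, List, Optional, Tuple

Acl = Callable[[int, Optional[str]], bool]


def domain_matches(entry: str, host: str) -> bool:
    """dstdomain-style comparison of one list entry against a host name."""
    entry = entry.strip().lower()
    host = host.strip().lower().rstrip(".")
    if entry.startswith("."):
        # ".google.com" matches google.com and every name under it
        return host == entry[1:] or host.endswith(entry)
    # "www.youtube.com" (no leading dot) matches only that exact host
    return host == entry


def load_list(text: str) -> List[str]:
    """Parse a Squid ACL list file: one entry per line, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def server_name_acl(entries: List[str]) -> Acl:
    """acl NAME ssl::server_name "file": true once a name is known and listed."""
    return lambda step, name: name is not None and any(
        domain_matches(e, name) for e in entries)


def at_step(n: int) -> Acl:
    """acl NAME at_step SslBumpN."""
    return lambda step, name: step == n


def any_acl(step: int, name: Optional[str]) -> bool:
    """The built-in 'all' ACL."""
    return True


Rule = Tuple[str, Tuple[str, ...]]  # (action, ACL names that must all match)


def ssl_bump(rules: List[Rule], acls: Dict[str, Acl], step: int,
             server_name: Optional[str]) -> str:
    """First ssl_bump rule whose ACLs all match wins; no match -> splice."""
    for action, names in rules:
        if all(acls[n](step, server_name) for n in names):
            return action
    return "splice"


# --- the question's chain -------------------------------------------------
BLOCKED_HTTPS_TXT = """# constructed copy of /etc/squid/blocked_https.txt
.google.com
.www.youtube.com
.toster.ru
"""
QUESTION_ACLS: Dict[str, Acl] = {
    "blocked": server_name_acl(load_list(BLOCKED_HTTPS_TXT)),
    "step1": at_step(1),
    "all": any_acl,
}
QUESTION_RULES: List[Rule] = [
    ("peek", ("step1",)),         # ssl_bump peek step1
    ("terminate", ("blocked",)),  # ssl_bump terminate blocked
    ("splice", ("all",)),         # ssl_bump splice all
]


def question_decision(step: int, sni: Optional[str]) -> str:
    return ssl_bump(QUESTION_RULES, QUESTION_ACLS, step, sni)


# --- the answer's chain ---------------------------------------------------
SSL_NOBUMP_URL = """# constructed stand-in for /etc/squid/policy/ssl_nobump.url
.bank.example
"""
ANSWER_ACLS: Dict[str, Acl] = {
    "nobumpSites": server_name_acl(load_list(SSL_NOBUMP_URL)),
    "step1": at_step(1), "step2": at_step(2), "step3": at_step(3),
    "all": any_acl,
}
ANSWER_RULES: List[Rule] = [
    ("peek", ("step1", "all")),            # ssl_bump peek step1 all
    ("peek", ("step2", "nobumpSites")),    # ssl_bump peek step2 nobumpSites
    ("splice", ("step3", "nobumpSites")),  # ssl_bump splice step3 nobumpSites
    ("bump", ("all",)),                    # ssl_bump bump all
]


def answer_decision(step: int, server_name: Optional[str]) -> str:
    return ssl_bump(ANSWER_RULES, ANSWER_ACLS, step, server_name)


if __name__ == "__main__":
    for sni in ["www.google.com", "www.youtube.com", "youtube.com",
                "m.youtube.com", "toster.ru", "www.facebook.com"]:
        print(f"{sni:20} step2 -> {question_decision(2, sni)}")
    for name in ["online.bank.example", "www.example.org"]:
        print(f"{name:20} step2 -> {answer_decision(2, name)}, "
              f"step3 -> {answer_decision(3, name)}")
```

Run it directly to print the decision for each sample name. The model only reproduces list matching and rule order; it does not account for the unexpected facebook block in the question, which list matching alone does not explain.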
