Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-23 Thread Alex Rousskov
On 6/22/21 5:33 PM, Arctic5824 wrote:
> I am now using: https://paste.gg/p/anonymous/e7d5080091bc400e8a75e8285b3dea77
> instead of "http_access allow all" I replaced that line with "http_access
> allow all !CONNECT"
>
> and it seems to be working, at least in my browser, yet I still see some users
> using https,

> 359 5.253.19.75 TCP_MISS/502 4957 GET https://search.yahoo.com/search? - 
> HIER_DIRECT/212.82.100.137 text/html

> I'm not sure how they are doing this, I'd like to prevent this

It looks like they are sending plain text "GET https://..." requests to
your Squid. Popular browsers would not do that, but many other clients
can. As I mentioned earlier, you also need to deny such requests. I am
not sure what the best way to do that is, but you can try something like
this:

acl usesHttpsScheme url_regex -i ^https:
...
http_access deny CONNECT
http_access deny usesHttpsScheme
...


Or you can be even more strict and only allow http: scheme:


acl usesHttpScheme url_regex -i ^http:
...
http_access deny CONNECT
http_access deny !usesHttpScheme
...


None of the above configuration snippets were tested by me. Be careful
with the order of your http_access rules.


HTH,

Alex.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
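To make the first-match behaviour Alex describes concrete, here is an added example (my code, not Squid's and not from this thread) that simulates Squid's http_access evaluation for the three rule orders discussed above: the original "allow all" before "deny CONNECT", the "allow all !CONNECT" follow-up, and the http:-scheme-only variant. It assumes a final "allow all" where Alex's snippet has "...", and the sample requests are constructed from the log lines quoted in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Request:
    method: str  # "GET" or "CONNECT"
    url: str     # absolute URL for GET; "host:port" for CONNECT, as Squid sees it
    src: str     # client IP address

# ACLs that a stock squid.conf already defines; "CONNECT" is a method ACL.
BUILTIN_ACLS = {"all": ("all", None), "CONNECT": ("method", ["CONNECT"])}

def parse_config(text):
    """Parse acl and http_access lines of a squid.conf fragment (simplified:
    only the url_regex and src acl types used in this thread are accepted)."""
    acls = dict(BUILTIN_ACLS)
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, *args = parts[1:]
            if kind == "url_regex":
                flags = 0
                if args and args[0] == "-i":
                    flags, args = re.IGNORECASE, args[1:]
                acls[name] = ("url_regex", [re.compile(a, flags) for a in args])
            elif kind == "src":
                acls[name] = ("src", [ipaddress.ip_network(a, strict=False) for a in args])
            else:
                raise ValueError(f"unsupported acl type {kind!r}")
        elif parts[0] == "http_access":
            action, *terms = parts[1:]
            if action not in ("allow", "deny") or not terms:
                raise ValueError(f"bad http_access line: {line!r}")
            rules.append((action, terms))
    return acls, rules

def acl_matches(acls, term, req):
    """Evaluate one ACL name against a request; a leading '!' negates it."""
    negate = term.startswith("!")
    kind, arg = acls[term.lstrip("!")]
    if kind == "all":
        hit = True
    elif kind == "method":
        hit = req.method in arg
    elif kind == "url_regex":
        hit = any(rx.search(req.url) for rx in arg)
    else:  # src
        hit = any(ipaddress.ip_address(req.src) in net for net in arg)
    return hit != negate

def decide(acls, rules, req):
    """The first http_access line whose ACLs all match wins; later lines are
    never evaluated. If no line matches, Squid applies the opposite of the
    last line's action."""
    for index, (action, terms) in enumerate(rules):
        if all(acl_matches(acls, t, req) for t in terms):
            return action, index
    last_action = rules[-1][0] if rules else "deny"
    return ("deny" if last_action == "allow" else "allow"), None

def evaluate(config_text, requests):
    acls, rules = parse_config(config_text)
    return [decide(acls, rules, r)[0] for r in requests]

# Constructed requests modelled on the access.log lines quoted in the thread: a
# browser CONNECT tunnel, a plain-text "GET https://..." and an http: request.
SAMPLE_REQUESTS = [
    Request("CONNECT", "accounts.google.com:443", "73.189.239.235"),
    Request("GET", "https://search.yahoo.com/search?", "5.253.19.75"),
    Request("GET", "http://example.com/", "5.253.19.75"),
]

# 1. The original order: "allow all" matches every request, so the "deny
#    CONNECT" line after it is dead and CONNECT tunnels are still allowed.
ORIGINAL_CONFIG = """
http_access allow all
http_access deny CONNECT
"""

# 2. The follow-up: CONNECT matches no line (default becomes the opposite of
#    the last action, i.e. deny), but a plain-text "GET https://..." passes.
NO_CONNECT_CONFIG = """
http_access allow all !CONNECT
"""

# 3. Alex's stricter variant; his trailing "..." is filled with a final
#    "allow all" here (an assumption, not part of his mail).
HTTP_ONLY_CONFIG = """
acl usesHttpScheme url_regex -i ^http:
http_access deny CONNECT
http_access deny !usesHttpScheme
http_access allow all
"""
```

Note that a CONNECT request's URL is "host:port" in Squid, which is why the url_regex ACL alone does not catch tunnels and the separate "deny CONNECT" line is still needed.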


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Arctic5824
hey sorry I accidentally directly sent it again, instead of the email list:


On Tuesday, June 22nd, 2021 at 3:50 PM, Antony Stone 
 wrote:

> You might want to be aware that this is illegal in many countries, and a 
> number of Internet Service Providers have been sued and/or fined for 
> manipulating the content of websites as they pass through their systems.

Thanks for the warning, I don't think this will really be a problem for me
though.


> 1. What makes you believe that sites have an HTTP version?

I don't see why they wouldn't, like sure they would prefer https but why would
http not work if forced

> 2. What do you think should happen when sites do have an HTTP version, and
> that consists solely of a 301 Permanent Redirect to the HTTPS version

I didn't think of this, this would be a problem I guess, but I don't think it
would be too common.

Maybe squid isn't the right software for this?
Thanks,
- Arctic


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Arctic5824
On Tuesday, June 22nd, 2021 at 3:37 PM, Antony Stone 
 wrote:

> On Wednesday 23 June 2021 at 00:06:21, Coenraad Loubser wrote:
>
> > I'm sure there are many other ways to do this too... again, what's your
> > real use case here?
>
> My guess now that I know Arctic 5824 is deliberately running an open web
> proxy on the Internet (with co-operation from the hosting provider or not) is
> that the objective is to convert all HTTPS connections into HTTP so that the
> content can be cached / scraped / captured on the way past, and the
> "interesting bits" used later, perhaps by some of Artic5824's "customers"
> without the people who chose to browse the Internet through an open proxy
> realising that this is even possible.
>
> It's possibly even being advertised / promoted / sold as an "anonymising
> service", where people can browse the sort of websites they would prefer not
> to do directly through their own connectivity providers, comfortable in the
> knowledge that the IP address hitting those sites is not theirs, but not
> realising that the HTTP traffic they are then using can be intercepted and
> examined not only by Artic5824 but also by their connectivity provider's
> transparent interception proxy.
>
> I'd be happy to entertain any less dubious explanation of what the real
> purpose in setting up such a system might be.
>
> Antony.

continuation from my last message: I'm not advertising it at all, I'm relying on
port scanners and sites like proxyscrape that post open proxies they scanned


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Arctic5824



On Tuesday, June 22nd, 2021 at 3:37 PM, Antony Stone 
 wrote:

> On Wednesday 23 June 2021 at 00:06:21, Coenraad Loubser wrote:
>
> > I'm sure there are many other ways to do this too... again, what's your
> > real use case here?
>
> My guess now that I know Arctic 5824 is deliberately running an open web
> proxy on the Internet (with co-operation from the hosting provider or not) is
> that the objective is to convert all HTTPS connections into HTTP so that the
> content can be cached / scraped / captured on the way past, and the
> "interesting bits" used later, perhaps by some of Artic5824's "customers"
> without the people who chose to browse the Internet through an open proxy
> realising that this is even possible.
>
> It's possibly even being advertised / promoted / sold as an "anonymising
> service", where people can browse the sort of websites they would prefer not
> to do directly through their own connectivity providers, comfortable in the
> knowledge that the IP address hitting those sites is not theirs, but not
> realising that the HTTP traffic they are then using can be intercepted and
> examined not only by Artic5824 but also by their connectivity provider's
> transparent interception proxy.
>
> I'd be happy to entertain any less dubious explanation of what the real
> purpose in setting up such a system might be.
>
> Antony.

Antony, bro I'm not evil, I want to run an open proxy and replace google adverts
w/my adverts

I already have a perl script for the url_rewrite_program thing


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Arctic5824
On Tuesday, June 22nd, 2021 at 2:15 PM, Antony Stone 
 wrote:
> >
> > What!?
> >
> > That is not even one of your listed IP addresses.
> >
> > Are you really running an open proxy on the Internet!?
> >
> > Please turn it off now until you understand the advice Alex and I are


Hey Antony, I appreciate your concern but I have already confirmed with my VPS
provider (that I am hosting this proxy on) that they will not terminate me for
this, they have also clarified this in their TOS, may it be tor relays or any
other form of dodgy traffic.

>  No, please send us only the lines relating to a single request which you 
> think should have been blocked.

My bad, here are a few
> 1624395604.354   2430 73.189.239.235 TCP_TUNNEL/200 5162 CONNECT 
> accounts.google.com:443 - HIER_DIRECT/2a00:1450:4001:80e::200d -


>  3070 73.189.239.235 TCP_TUNNEL/200 6778 CONNECT www.reddit.com:443 - 
> HIER_DIRECT/151.101.129.140 -

according to Alex:
"All the http_access rules below "allow all" do not matter because the
first matching rule wins -- Squid would not even try to evaluate the
rest of the rules. Thus, your "http_access deny CONNECT" rule has no effect."
so I am now using: https://paste.gg/p/anonymous/e7d5080091bc400e8a75e8285b3dea77
instead of "http_access allow all" I replaced that line with "http_access allow
all !CONNECT"

and it seems to be working, at least in my browser, yet I still see some users
using https,
> 359 5.253.19.75 TCP_MISS/502 4957 GET https://search.yahoo.com/search? -
> HIER_DIRECT/212.82.100.137 text/html

>  0 5.188.211.10 TCP_DENIED/403 3718 CONNECT www.google.com:443 - HIER_NONE/- 
> text/html

I'm not sure how they are doing this, I'd like to prevent this without everyone
being forced to install custom (SSL?) certs into their browser and stuff, thanks

-Arctic


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Arctic5824
On Tuesday, June 22nd, 2021 at 1:56 PM, Antony Stone 
 wrote:

> On Tuesday 22 June 2021 at 22:53:08, Arctic5824 wrote:
>
> > Hey, yes this is actually the case, for testing instead of
> >
> > > http_access allow localhost
> >
> > I'm running with
> >
> > > http_access allow all
>
> Please do not test and report problems with one configuration, and then tell
> us you have a different one.
>
> Please post the actual configuration file (without comments) which you are
> using, show us the log entry which occurs when you can successfully do
> something which you expected to be blocked, and please tell us the IP address
> of the client machine you performed the test from.
>
> Antony.

Sorry, I shouldn't have done that.
my config (but the only change is allowing all instead of localhost):
https://paste.gg/p/anonymous/e660bab698224e1aa1fd320b1bf22081

here is a snippet (as the file is very large; I can send the full one if you
would like) of the access log when I was doing testing:
https://termbin.com/vj7t
the IP I tested from was 73.189.239.235



Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Arctic5824
On Tuesday, June 22nd, 2021 at 1:44 PM, Antony Stone 
 wrote:

> On Tuesday 22 June 2021 at 22:37:16, Alex Rousskov wrote:
>
> > On 6/22/21 4:28 PM, Arctic5824 wrote:
> >
> > > Hey! thanks for the info, I just tried that but it seems https is still
> > > being allowed, and I can see it in the logs as well "TCP_TUNNEL/200 717
> > > CONNECT s.youtube.com:443 -"
> > >
> > > my config is https://pastebin.com/8txzkEnG
> > >
> > > and a version of the config without comments:
> > > https://pastebin.com/zuJYQpXW
> >
> > Squid bugs notwithstanding, either your Squid is not running with the
> > configuration that you have shared with us OR that logged request comes
> > from localhost. If you are not sure, I suggest shutting down Squid,
> > making sure that nobody listens on port 3128 and then restarting Squid.
> > Due to the first http_access rule, the test request must not come from
> > the same machine Squid runs on.
>
> I would also comment on:
>
> #http_access deny !Safe_ports
>
> Has that been consciously and deliberately commented-out?
>
> #http_access allow localnet
> http_access allow localhost
>
> Is that a typo? Did you mean to allow access from your local networks, rather
> than just from localhost?
>
> #http_access deny all
>
> Has that been consciously and deliberately commented-out?
>
> Antony.

Hey, all of those were deliberately done, although I have only been using this
program for a short amount of time, so they might be incorrect/dumb, I am not
sure,

-Arctic


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Arctic5824
On Tuesday, June 22nd, 2021 at 1:37 PM, Alex Rousskov 
 wrote:
> Squid bugs notwithstanding, either your Squid is not running with the  
> configuration that you have shared with us OR...

Hey, yes this is actually the case, for testing instead of
> http_access allow localhost
I'm running with
> http_access allow all

to make sure this isn't a configuration issue on my side, and that other users
also can use https
(I know this probably won't bring good traffic but I have confirmed with my VPS
provider that they allow this type of stuff/traffic)



Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread squid3

On 2021-06-23 11:20, Arctic5824 wrote:
> hey sorry I accidentally directly sent it again, instead of the email
> list:
>
> On Tuesday, June 22nd, 2021 at 3:50 PM, Antony Stone wrote:
>
> > You might want to be aware that this is illegal in many countries, and
> > a number of Internet Service Providers have been sued and/or fined for
> > manipulating the content of websites as they pass through their
> > systems.
>
> Thanks for the warning, I don't think this will really be a problem for
> me though.
>
> > 1. What makes you believe that sites have an HTTP version?
>
> I don't see why they wouldn't, like sure they would prefer https but why
> would http not work if forced



Because this idea you have about changing advert content is not a
new thing.

It has been done and tried so many times in the past by others for
http:// traffic that the major content providers whose income depended
on those ads got together and started a project to get rid of http://
completely. They have had much success with the support of privacy
and security advocate groups.



> > 2. What do you think should happen when sites do have an HTTP
> > version, and that consists solely of a 301 Permanent Redirect to the
> > HTTPS version
>
> I didn't think of this, this would be a problem I guess, but I don't
> think it would be too common.


Reality is that today the vast majority of websites still offering
http:// versions at all, do exactly that.



> Maybe squid isn't the right software for this?


Squid is fine for the content adaptation part of what you are wanting.

What is not going to work is the HTTP->HTTP conversion part. That is
because of protocol and Browser features. No intermediary software can
get around those without the SSL-Bump (or similar) mechanism - as
others already mentioned that too has its limits. TLS is specifically
designed to prevent intermediaries touching the content - the only
reliable action a proxy can do is terminate unwanted TLS connections.

Amos


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Arctic5824
sorry, I accidentally sent the email to you instead of the email list (I'm new to
mailing lists) so I'm re-sending it but to the list

On Tuesday, June 22nd, 2021 at 12:41 PM, Antony Stone 
 wrote:
> To disable HTTPS access through the proxy, simply deny all CONNECT
>
> requests using http_access rules.

Hey! thanks for the info, I just tried that but it seems https is still being 
allowed, and I can see it in the logs as well
"TCP_TUNNEL/200 717 CONNECT s.youtube.com:443 -"
my config is https://pastebin.com/8txzkEnG
and a version of the config without comments: https://pastebin.com/zuJYQpXW

thanks, any help will be appreciated
- Arctic


[squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Arctic5824
Hello, Recently I set up my first squid proxy,

I want it when users try to access a website via https, they get redirected to
the http version, I tried disabling https by reading the comments in the
config, the squid docs, and online forums, but I am unable to figure this out,
I also tried blocking port 443 using ufw but it just resulted in users timing
out.

Please rest assured I understand the security and other risks this brings, 
thanks.
To reiterate as this email is a bit long, I'd like to know how to dis-allow
https and redirect users to http versions of websites when they try to use https


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Wednesday 23 June 2021 at 00:44:44, Arctic5824 wrote:

> I want to run an open proxy and replace google adverts w/my adverts.

You might want to be aware that this is illegal in many countries, and a 
number of Internet Service Providers have been sued and/or fined for 
manipulating the content of websites as they pass through their systems.

Anyway, just for the sake of technical discussion, let me repeat my original 
questions:

On Tuesday 22 June 2021 at 21:41:22, Antony Stone wrote:

> On Tuesday 22 June 2021 at 21:32:10, Arctic5824 wrote:
> > Hello, Recently I setup my first squid proxy,
> > 
> > I want it when users try to access a website via https, they get
> > redirected to the http version
> 
> 1. What makes you believe that sites *have* an HTTP version?
> 
> 2. What do you think should happen when sites *do* have an HTTP version,
> and that consists solely of a 301 Permanent Redirect to the HTTPS version,
> which contains the content?
> 
> (In other words, the actual web server is never going to provide the
> content you want to see if you only speak HTTP to it.)
> 
> 
> Antony.

-- 
This email was created using 100% recycled electrons.

Please reply to the list; please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Coenraad Loubser
Just like for every regulation there is an equal and opposite loophole,
there are many legitimate uses for something like this... be it archival,
ease of access, or making things simpler to access or available for offline
use...

And ... when I think of all the potentially nefarious uses... I like to
think of the inevitable heat death of the universe, in the same breath. If
someone really can't think of something better to do with their time or
life, sigh who are we to judge. Maybe they're bringing "balance to the
force" :-D

On Wed, 23 Jun 2021 at 00:38, Antony Stone <
antony.st...@squid.open.source.it> wrote:

> On Wednesday 23 June 2021 at 00:06:21, Coenraad Loubser wrote:
>
> > I'm sure there are many other ways to do this too... again, what's your
> > real use case here?
>
> My _guess_ now that I know Arctic 5824 is deliberately running an open web
> proxy on the Internet (with co-operation from the hosting provider or not)
> is
> that the objective is to convert all HTTPS connections into HTTP so that
> the
> content can be cached / scraped / captured on the way past, and the
> "interesting bits" used later, perhaps by some of Artic5824's "customers"
> without the people who chose to browse the Internet through an open proxy
> realising that this is even possible.
>
> It's possibly even being advertised / promoted / sold as an "anonymising
> service", where people can browse the sort of websites they would prefer
> not
> to do directly through their own connectivity providers, comfortable in
> the
> knowledge that the IP address hitting those sites is not theirs, but not
> realising that the HTTP traffic they are then using can be intercepted and
> examined not only by Artic5824 but also by their connectivity provider's
> transparent interception proxy.
>
> I'd be happy to entertain any less dubious explanation of what the real
> purpose in setting up such a system might be.
>
>
> Antony.
>
> --
> There's a good theatrical performance about puns on in the West End.  It's
> a
> play on words.
>
> Please reply to the list; please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Wednesday 23 June 2021 at 00:06:21, Coenraad Loubser wrote:

> I'm sure there are many other ways to do this too... again, what's your
> real use case here?

My _guess_ now that I know Arctic 5824 is deliberately running an open web 
proxy on the Internet (with co-operation from the hosting provider or not) is 
that the objective is to convert all HTTPS connections into HTTP so that the 
content can be cached / scraped / captured on the way past, and the 
"interesting bits" used later, perhaps by some of Artic5824's "customers" 
without the people who chose to browse the Internet through an open proxy 
realising that this is even possible.

It's possibly even being advertised / promoted / sold as an "anonymising 
service", where people can browse the sort of websites they would prefer not 
to do directly through their own connectivity providers, comfortable in the 
knowledge that the IP address hitting those sites is not theirs, but not 
realising that the HTTP traffic they are then using can be intercepted and 
examined not only by Artic5824 but also by their connectivity provider's 
transparent interception proxy.

I'd be happy to entertain any less dubious explanation of what the real 
purpose in setting up such a system might be.


Antony.

-- 
There's a good theatrical performance about puns on in the West End.  It's a 
play on words.

Please reply to the list; please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Coenraad Loubser
Of course you could always just run your own web-based proxy such as these:
https://www.google.com/search?q=web+based+proxies - that would fetch the
https site if necessary, and render it as http - but it will rarely be a
perfect copy.

I'm sure there are many other ways to do this too... again, what's your
real use case here?

On Wed, 23 Jun 2021 at 00:01, Coenraad Loubser  wrote:

> This seems all good and well if you're just proxying traffic to your own
> servers... but if you want to run an actual proxy this doesn't really make
> sense any more.
>
> You can block HTTPS through Squid, and even do some redirection with your
> firewall too - but when it comes to whether it will work, your problem is
> with the browsers - and everyone else on the internet: as a start, you
> might want to read up on
> https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security - and
> browser implementations. The only way to force HTTP, or to redirect to it,
> is to compile and ship your own browsers too - and that would be a terrible
> idea as anyone (on the planet) who found out that you have people using
> such modified browsers, would be able to impersonate the sites they visited
> and steal their credentials, in many cases without them knowing. This is
> the actual problem that HTTPS and HSTS helps prevent.
>
> You can install your own certificates and follow
> https://wiki.squid-cache.org/Features/SslBump and then redirect to a
> non-HTTPS page, but even so no up to date browser will obey the redirect if
> HSTS is enabled for the site.
>
> If it's caching you want to do, there was a time that you could cache
> almost everything and emulate a 1Gbps connection on a 256kbps ADSL line...
> but that time ended around 2010... we're now in 2021... it is now cheaper
> and easier (esp. if you consider the cost of your time) than ever to just
> build fast connections to the internet than ever before. Get yourself a
> Starlink modem and share the connection - and costs - with your street, if
> you're trying to save on bandwidth. I understand all about wanting to cache
> things and run things offline and not having connectivity...
>
> If you want to cache content the proper way today, you will need to make
> deals with the content providers you're trying to cache, and then set up
> the infrastructure to host their content on your own server, and either get
> them to issue you with SSL Certificates or point their DNS to you... or
> easier, just connect to people who have already done this and already has
> servers in a regional data center near you.
>
> Alternatively, I guess you could mirror or spider some sites, and then
> just host them on your non-HTTPS mirror. Likely against the wishes and
> terms of those sites... but no proxy needed. But if you started messing
> with a proxy and DNS in front of it, it would just break on all browsers
> today.
>
> A better way to do it would be to write a browser addon that modifies the
> URL to a custom url much like
> https://web.archive.org/http://web.archive.org does it by just having the
> whole URL as the actual URL path... but why not just browse the Web Archive
> directly then... bonus,* they run a Non-SSL version of the whole archive*!
> No need to mess with anything.
>
> If it's just a package repository you want to cache... it almost certainly
> still has http support if you dig deeper... but you might want to enable
> whatever hash checking mechanisms it has to save yourself some grey hairs.
>
> Perhaps if you shared your actual use case we could help you come up with
> a better (and more responsible and sustainable) solution?
>
> On Tue, 22 Jun 2021 at 21:32, Arctic5824 
> wrote:
>
>> Hello, Recently I setup my first squid proxy,
>>
>> I want it when users try to access a website via https, they get
>> redirected to the http version, I tried disabling https by reading the
>> comments in the config, the squid docs, and online forums, but I am unable
>> to figure this out, I also tried blocking port 443 using ufw but it just
>> resulted in users timing out.
>>
>> Please rest assured I understand the security and other risks this
>> brings, thanks.
>> To  reiterate as this email is a bit long, I'd like to know how to
>> dis-allow https and redirect users to http versions of websites when they
>> try to use https
>>


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Coenraad Loubser
This seems all good and well if you're just proxying traffic to your own
servers... but if you want to run an actual proxy this doesn't really make
sense any more.

You can block HTTPS through Squid, and even do some redirection with your
firewall too - but when it comes to whether it will work, your problem is
with the browsers - and everyone else on the internet: as a start, you
might want to read up on
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security - and browser
implementations. The only way to force HTTP, or to redirect to it, is to
compile and ship your own browsers too - and that would be a terrible idea
as anyone (on the planet) who found out that you have people using such
modified browsers, would be able to impersonate the sites they visited and
steal their credentials, in many cases without them knowing. This is the
actual problem that HTTPS and HSTS helps prevent.

You can install your own certificates and follow
https://wiki.squid-cache.org/Features/SslBump and then redirect to a
non-HTTPS page, but even so no up to date browser will obey the redirect if
HSTS is enabled for the site.

If it's caching you want to do, there was a time that you could cache
almost everything and emulate a 1Gbps connection on a 256kbps ADSL line...
but that time ended around 2010... we're now in 2021... it is now cheaper
and easier (esp. if you consider the cost of your time) than ever to just
build fast connections to the internet than ever before. Get yourself a
Starlink modem and share the connection - and costs - with your street, if
you're trying to save on bandwidth. I understand all about wanting to cache
things and run things offline and not having connectivity...

If you want to cache content the proper way today, you will need to make
deals with the content providers you're trying to cache, and then set up
the infrastructure to host their content on your own server, and either get
them to issue you with SSL Certificates or point their DNS to you... or
easier, just connect to people who have already done this and already has
servers in a regional data center near you.

Alternatively, I guess you could mirror or spider some sites, and then just
host them on your non-HTTPS mirror. Likely against the wishes and terms of
those sites... but no proxy needed. But if you started messing with a proxy
and DNS in front of it, it would just break on all browsers today.

A better way to do it would be to write a browser addon that modifies the
URL to a custom url much like https://web.archive.org/http://web.archive.org
does it by just having the whole URL as the actual URL path... but why not
just browse the Web Archive directly then... bonus,* they run a Non-SSL
version of the whole archive*! No need to mess with anything.

If it's just a package repository you want to cache... it almost certainly
still has http support if you dig deeper... but you might want to enable
whatever hash checking mechanisms it has to save yourself some grey hairs.

Perhaps if you shared your actual use case we could help you come up with a
better (and more responsible and sustainable) solution?

On Tue, 22 Jun 2021 at 21:32, Arctic5824  wrote:

> Hello, Recently I setup my first squid proxy,
>
> I want it when users try to access a website via https, they get redirected
> to the http version, I tried disabling https by reading the comments in the
> config, the squid docs, and online forums, but I am unable to figure this
> out, I also tried blocking port 443 using ufw but it just resulted in users
> timing out.
>
> Please rest assured I understand the security and other risks this brings,
> thanks.
> To  reiterate as this email is a bit long, I'd like to know how to
> dis-allow https and redirect users to http versions of websites when they
> try to use https
>


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 23:13:19, Antony Stone wrote:

> On Tuesday 22 June 2021 at 23:05:20, Arctic5824 wrote:
> > On Tuesday, June 22nd, 2021 at 1:56 PM, Antony Stone wrote:
> > > Please do not test and report problems with one configuration, and then
> > > tell us you have a different one.
> > 
> > Sorry, I shouldn't have done that.
> > my config(but the only change is allowing all instead of localhost):
> > https://paste.gg/p/anonymous/e660bab698224e1aa1fd320b1bf22081
> 
> So, as Alex already said, the lines:
> 
> http_access allow all
> http_access deny CONNECT
> 
> mean that anyone, from anyway, can connect.  That's it.

Correction: "anyone, from anywhere".  That means anywhere on the planet.  
Please turn this off now.

> I recommend you turn this off now and hope your ISP doesn't block you for
> running an open proxy.
> 
> > here is a snippet (as the file is very large; I can send the full one if you
> > would like) of the access log when I was doing testing:
> > https://termbin.com/vj7t
> 
> No, please send us *only* the lines relating to a _single_ request which
> you think should have been blocked.
> 
> > the IP I tested from was 73.189.239.235
> 
> What!?
> 
> That is not even one of your listed IP addresses.
> 
> Are you *really* running an open proxy on the Internet!?
> 
> Please turn it off _now_ until you understand the advice Alex and I are
> giving you, and you understand the default settings in the standard Squid
> configuration file, some of which you have changed.
> 
> 
> Antony.

-- 
Perfection in design is achieved not when there is nothing left to add, but 
rather when there is nothing left to take away.

 - Antoine de Saint-Exupery

Please reply to the list; please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 23:05:20, Arctic5824 wrote:

> On Tuesday, June 22nd, 2021 at 1:56 PM, Antony Stone wrote:
> > 
> > Please do not test and report problems with one configuration, and then
> > tell us you have a different one.
> 
> Sorry, I shouldn't have done that.
> My config (but the only change is allowing all instead of localhost):
> https://paste.gg/p/anonymous/e660bab698224e1aa1fd320b1bf22081

So, as Alex already said, the lines:

http_access allow all
http_access deny CONNECT

mean that anyone, from anyway, can connect.  That's it.

I recommend you turn this off now and hope your ISP doesn't block you for 
running an open proxy.

> Here is a snippet (as the file is very large; I can send the full one if you
> would like) of the access log when I was doing testing:
> https://termbin.com/vj7t

No, please send us *only* the lines relating to a _single_ request which you 
think should have been blocked.

> The IP I tested from was 73.189.239.235

What!?

That is not even one of your listed IP addresses.

Are you *really* running an open proxy on the Internet!?

Please turn it off _now_ until you understand the advice Alex and I are giving 
you, and you understand the default settings in the standard Squid 
configuration file, some of which you have changed.


Antony.

-- 
The Magic Words are Squeamish Ossifrage.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 22:53:08, Arctic5824 wrote:

> Hey, yes this is actually the case, for testing instead of
> 
> > http_access allow localhost
> 
> I'm running with
> 
> > http_access allow all

Please do not test and report problems with one configuration, and then tell us 
you have a different one.

Please post the actual configuration file (without comments) which you are 
using, show us the log entry which occurs when you can successfully do 
something which you expected to be blocked, and please tell us the IP address 
of the client machine you performed the test from.


Antony.

-- 
Late in 1972 President Richard Nixon announced that the rate of increase of 
inflation was decreasing.   This was the first time a sitting president used a 
third derivative to advance his case for re-election.

 - Hugo Rossi, Notices of the American Mathematical Society

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 22:54:42, Arctic5824 wrote:

> On Tuesday, June 22nd, 2021 at 1:44 PM, Antony Stone wrote:
> > 
> > #http_access deny !Safe_ports
> > 
> > Has that been consciously and deliberately commented-out?
> > 
> > #http_access allow localnet
> > 
> > http_access allow localhost
> > 
> > Is that a typo? Did you mean to allow access from your local networks,
> > rather than just from localhost?
> > 
> > #http_access deny all
> > 
> > Has that been consciously and deliberately commented-out?
> 
> Hey, all of those were deliberately done, although I have only been using
> this program for a short amount of time, so they might be incorrect/dumb,
> I am not sure.

I would strongly advise *against* commenting out:

http_access deny !Safe_ports
http_access deny all

Also, since you do not have (at least in the configuration file you showed us)

http_access allow localnet

I do not see how you expect any machine other than the one Squid is running on 
to be able to connect.

However, as in my last posting, please show us the configuration you are 
actually using to carry out these tests.


Antony.

-- 
People say that nothing is impossible, so I try to do the impossible every 
day.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Alex Rousskov
On 6/22/21 4:53 PM, Arctic5824 wrote:
> On Tuesday, June 22nd, 2021 at 1:37 PM, Alex Rousskov 
>  wrote:
>> Squid bugs notwithstanding, either your Squid is not running with the  
>> configuration that you have shared with us OR...
> 
> Hey, yes this is actually the case, for testing instead of
>> http_access allow localhost
> I'm running with
>> http_access allow all

All the http_access rules below "allow all" do not matter because the
first matching rule wins -- Squid would not even try to evaluate the
rest of the rules. Thus, your "http_access deny CONNECT" rule has no effect.

Alex.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 22:37:16, Alex Rousskov wrote:

> On 6/22/21 4:28 PM, Arctic5824 wrote:
> > 
> > Hey! thanks for the info, I just tried that but it seems https is still
> > being allowed, and I can see it in the logs as well "TCP_TUNNEL/200 717
> > CONNECT s.youtube.com:443 -"
> > my config is https://pastebin.com/8txzkEnG
> > and a version of the config without comments:
> > https://pastebin.com/zuJYQpXW

> Squid bugs notwithstanding, either your Squid is not running with the
> configuration that you have shared with us OR that logged request comes
> from localhost. If you are not sure, I suggest shutting down Squid,
> making sure that nobody listens on port 3128 and then restarting Squid.
> Due to the first http_access rule, the test request must not come from
> the same machine Squid runs on.

I would also comment on:

#http_access deny !Safe_ports

Has that been consciously and deliberately commented-out?

#http_access allow localnet
http_access allow localhost

Is that a typo?  Did you mean to allow access from your local networks, rather 
than just from localhost?

#http_access deny all

Has that been consciously and deliberately commented-out?


Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Alex Rousskov
On 6/22/21 4:28 PM, Arctic5824 wrote:
>> To disable HTTPS access through the proxy, simply deny all CONNECT
>> requests using http_access rules.

> Hey! thanks for the info, I just tried that but it seems https is still being 
> allowed, and I can see it in the logs as well
> "TCP_TUNNEL/200 717 CONNECT s.youtube.com:443 -"
> my config is https://pastebin.com/8txzkEnG
> and a version of the config without comments: https://pastebin.com/zuJYQpXW

> acl CONNECT method CONNECT
> http_access allow localhost
> http_access deny CONNECT

Squid bugs notwithstanding, either your Squid is not running with the
configuration that you have shared with us OR that logged request comes
from localhost. If you are not sure, I suggest shutting down Squid,
making sure that nobody listens on port 3128 and then restarting Squid.
Due to the first http_access rule, the test request must not come from
the same machine Squid runs on.

HTH,

Alex.
P.S. If you are worried about custom clients or scripts (not regular
browsers) bypassing your controls, then you will also need to ban "GET
https://..." requests, but let's figure out the above basics first.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Antony Stone
On Tuesday 22 June 2021 at 21:32:10, Arctic5824 wrote:

> Hello, recently I set up my first Squid proxy,
> 
> I want it so that when users try to access a website via https, they get
> redirected to the http version

1. What makes you believe that sites *have* an HTTP version?

2. What do you think should happen when sites *do* have an HTTP version, and 
that consists solely of a 301 Permanent Redirect to the HTTPS version, which 
contains the content?

(In other words, the actual web server is never going to provide the content 
you want to see if you only speak HTTP to it.)


Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

   Please reply to the list;
 please *don't* CC me.


Re: [squid-users] Newbie question, How to fully disable/disallow https?

2021-06-22 Thread Alex Rousskov
On 6/22/21 3:32 PM, Arctic5824 wrote:
> Hello, recently I set up my first Squid proxy,
> 
> I want it so that when users try to access a website via https, they get
> redirected to the http version. I tried disabling https by reading the
> comments in the config, the squid docs, and online forums, but I am
> unable to figure this out. I also tried blocking port 443 using ufw, but
> it just resulted in users timing out.
> 
> Please rest assured I understand the security and other risks this
> brings, thanks.
> To reiterate, as this email is a bit long, I'd like to know how to
> disallow https and redirect users to http versions of websites when
> they try to use https.

To disable HTTPS access through the proxy, simply deny all CONNECT
requests using http_access rules.

Redirecting HTTPS attempts to HTTP is a lot harder and is unreliable.
You will have to bump TLS connections and then deny all bumped requests
with a redirection response (that many browsers may not even follow --
you should test this). This will not work in many cases because TLS is
not supposed to be bumped -- many clients and origin servers will work
hard to prevent you from bumping their connections. See ssl_bump and
deny_info for starting points.


HTH,

Alex.
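Two points recur through this thread: Alex's advice to deny all CONNECT requests (and, for non-browser clients, plain "GET https://..." requests) with http_access rules, and his later explanation that the first matching http_access line wins, so an "allow all" placed ahead of "deny CONNECT" makes the deny dead code. The script below is an added, constructed illustration of those semantics; it is not code from Squid or from anyone in the thread. It re-implements the toy subset of Squid's http_access evaluation needed here (first matching line wins; a line matches when all of its terms match; a "!" prefix negates a term; when nothing matches, the result is the opposite of the last line's action; with no lines at all, deny) and runs it over three constructed squid.conf fragments and four constructed client requests modelled on the log lines quoted above. The acl names other than CONNECT and localhost, the 192.168.1.0/24 LAN range, the 203.0.113.7 client address and the request URLs are assumptions made for the demo.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed squid.conf fragments for the demo (not the pastebin configs from the
# thread, which are not on the page). The LAN range and acl names are assumptions.
BROKEN_CONF = """
acl localnet src 192.168.1.0/24
acl localhost src 127.0.0.1/32 ::1
acl CONNECT method CONNECT
http_access allow all
http_access deny CONNECT
"""
FIXED_CONF = """
acl localnet src 192.168.1.0/24
acl localhost src 127.0.0.1/32 ::1
acl CONNECT method CONNECT
acl usesHttpsScheme url_regex -i ^https:
http_access deny CONNECT
http_access deny usesHttpsScheme
http_access allow localhost
http_access allow localnet
http_access deny all
"""
# With "allow localnet" left commented out, only the proxy host itself can connect.
ONLY_LOCALHOST_CONF = """
acl localhost src 127.0.0.1/32 ::1
http_access allow localhost
"""


@dataclass
class Request:
    src: str     # client IP address
    method: str  # HTTP method, e.g. GET or CONNECT
    url: str     # request URL (for CONNECT Squid shows host:port)


def parse(conf):
    """Collect acl definitions and http_access lines, preserving their order."""
    acls = {"all": ("all", [])}  # Squid predefines the 'all' acl
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            acls.setdefault(name, (kind, []))[1].extend(args)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """Evaluate one acl against a request (toy subset of Squid's acl types)."""
    kind, args = acls[name]
    if kind == "all":
        return True
    if kind == "src":  # membership test is False across IPv4/IPv6 versions
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "method":
        return req.method.upper() in {a.upper() for a in args}
    if kind == "url_regex":
        flags = re.IGNORECASE if "-i" in args else 0
        return any(re.search(p, req.url, flags) for p in args if not p.startswith("-"))
    raise ValueError(f"unsupported acl type: {kind}")


def http_access(conf, req):
    """Return 'allow' or 'deny' following Squid's http_access semantics:
    lines are tried in order and the first line whose terms all match wins
    ('!' negates a term); if no line matches, the verdict is the opposite of
    the last line's action; with no http_access lines at all, deny."""
    acls, rules = parse(conf)
    if not rules:
        return "deny"
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed requests modelled on the log lines quoted in the thread.
REQUESTS = {
    "tunnel_from_internet": Request("203.0.113.7", "CONNECT", "s.youtube.com:443"),
    "plain_get_https_from_lan": Request("192.168.1.20", "GET", "https://search.yahoo.com/search?p=x"),
    "http_from_lan": Request("192.168.1.20", "GET", "http://example.com/"),
    "http_from_internet": Request("203.0.113.7", "GET", "http://example.com/"),
}


def evaluate_all(conf):
    """Map each sample request name to the verdict the given config produces."""
    return {name: http_access(conf, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label)
        for name, verdict in evaluate_all(conf).items():
            print(f"  {name:26s} {verdict}")
```

Running it shows the broken fragment allowing every request, including the CONNECT tunnel from the Internet address, because "allow all" matches before "deny CONNECT" is ever reached, while the fixed fragment denies the tunnel and the plain "GET https://" request, lets the LAN client fetch http:, and denies the Internet client outright. The localhost-only fragment also shows the fall-through default: a LAN request matches nothing, so the verdict is the opposite of the last line ("allow localhost"), which is deny.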