Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-10-12 Thread Jatin Bhasin
Hi Alex,

I think I have found the reason why the annotation from the eCap
adapter is NOT being passed to NoteData.cc. But I still need your
suggestion to fix this.

So here is my analysis:

1) In src/acl/NoteData.cc, function ACLNoteData::match(HttpRequest *request):

    if (request->notes != NULL && matchNotes(request->notes.getRaw()))
        return true;   // used when there is a note directive in squid.conf

    if (ah != NULL && ah->metaHeaders != NULL &&
        matchNotes(ah->metaHeaders.getRaw()))
        return true;   // used when there is adaptation_meta in squid.conf

2) In src/adaptation/ecap/XactionRep.cc, function
Adaptation::Ecap::XactionRep::start():

    if (ah != NULL) {
        // retrying=false because ecap never retries transactions
        adaptHistoryId = ah->recordXactStart(service().cfg().key,
                                             current_time, false);
        // copy every matching adaptation_meta entry into ah->metaHeaders
        typedef Notes::iterator ACAMLI;
        for (ACAMLI i = Adaptation::Config::metaHeaders.begin();
             i != Adaptation::Config::metaHeaders.end(); ++i) {
            const char *v = (*i)->match(request, reply);
            if (v) {
                if (ah->metaHeaders == NULL)
                    ah->metaHeaders = new NotePairs();
                if (!ah->metaHeaders->hasPair((*i)->key.termedBuf(), v))
                    ah->metaHeaders->add((*i)->key.termedBuf(), v);
            }
        }
    }


As per the above code, ah->metaHeaders will only be populated if the
adaptation_meta option is present in the squid.conf file.

So in my case ah->metaHeaders is NULL. (And when I added
adaptation_meta X-Virus-ID yes all in squid.conf then I could get a
match on my toBump acl and hence my CONNECT transaction was bumped.
But I want to achieve the same behavior using the eCap adapter.)


Also I changed the squid.conf file for access.log as below:
logformat with_note %ts.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %[un
%Sh/%a %mt %note %adapt::last_h


And I could see the eCap adapter's X-Virus-ID:yes in the access.log
(%adapt::last_h).

So, I think I am very close to passing X-Virus-ID:yes as a meta header.
Can you suggest how I can do it? (I think it may require a code
change in XactionRep.cc but I am not sure.) Please suggest.

Thanks,
Jatin




On Sat, Oct 11, 2014 at 2:03 PM, Jatin Bhasin jbhasi...@gmail.com wrote:
 Hi Alex,

 I changed my ACL's a bit to see annotations in the access.log file. My web
 browser is pointing to squid port 3127.

 So squid.conf is as below:  (first two lines are for note logging as
 you suggested.)
 -
 logformat with_note %ts.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %[un
 %Sh/%a %mt %note
 access_log /var/log/squid/access.log with_note
 adaptation_masterx_shared_names X-Virus-ID
 acl toBump note X-Virus-ID yes
 acl p3127 myportname 3127
 ssl_bump client-first p3127  (Hence all requests will be bumped.)

 I made changes to the eCap adapter as you had suggested. But I do not
 see any annotations in access.log file.


 1412995864.045  7 10.100.249.11 TAG_NONE/200 0 CONNECT
 www.bwin.com:443 - HIER_NONE/- - -
 1412995867.108   2573 10.100.249.11 TCP_MISS/200 10122 GET
 https://www.bwin.com/ - HIER_DIRECT/195.72.134.135 text/html -


 Now if I introduce another parameter in the squid.conf file as below:

 note X-Virus-ID yes p3127

 And I get the following in access.log (so this is definitely not coming
 from my eCap adapter but because of the note directive above):

 1412996265.992  7 10.100.249.11 TAG_NONE/200 0 CONNECT
 www.bwin.com:443 - HIER_NONE/- - X-Virus-ID:%20yes%0D%0A
 1412996266.159 87 10.100.249.11 TAG_NONE/200 1400 GET
 https://www.bwin.com/ - HIER_NONE/- - X-Virus-ID:%20yes%0D%0A



 Now, this makes me feel that annotations from my eCap adapter are not
 travelling to squid for both CONNECT and GET.

 So, would my eCap adapter have to do something else to let squid know
 that the annotations it is providing are notes?

 Thanks,
 Jatin


 On Sat, Oct 11, 2014 at 2:18 AM, Alex Rousskov
 rouss...@measurement-factory.com wrote:
 On 10/09/2014 11:57 PM, Jatin Bhasin wrote:

 adaptation_masterx_shared_names X-Virus-ID
 acl toBump note X-Virus-ID yes
 ssl_bump client-first toBump

 OK.


 My eCap adapter functions which returns yes for the X-Virus-ID are:
 =
 const libecap::Area Adapter::Xaction::option(const libecap::Name &name) const
 {
     std::string str = "yes";
     return libecap::Area(str.data(), str.size());
 }

 Two bugs here:

 * You are returning a pointer to str, which is a temporary, on-stack
 storage. Use libecap::Area::FromTempString() instead.

 * You are returning the yes value for all option names. The return value
 should be conditional on the name parameter being equal to
 libecap::metaVirusId (X-Virus-ID).

 These two bugs may not actually affect you (for several reasons), but
 you should fix them anyway.


 
 void 
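A small log-checking script, added here and not part of the thread or of Squid, that parses access.log lines written with the with_note logformat above, decodes the %note column, and reports which transactions carried a given annotation and which CONNECTs were evidently bumped. The field names are my own and the sample lines are constructed from the ones quoted in this thread.

```python
from urllib.parse import unquote

# Column order of the with_note logformat used in this thread (field names are my own):
#   %ts.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %[un %Sh/%a %mt %note [%adapt::last_h]
FIELDS = ("ts", "tr", "client", "status", "size", "method", "url", "user", "hier", "mime", "note")
# Constructed sample, based on the access.log lines quoted in the thread.
SAMPLE_LINES = [
    "1412996265.992  7 10.100.249.11 TAG_NONE/200 0 CONNECT www.bwin.com:443 - HIER_NONE/- - X-Virus-ID:%20yes%0D%0A",
    "1412996266.159 87 10.100.249.11 TAG_NONE/200 1400 GET https://www.bwin.com/ - HIER_NONE/- - X-Virus-ID:%20yes%0D%0A",
    "1412995864.045  7 10.100.249.11 TAG_NONE/200 0 CONNECT www.bwin.com:443 - HIER_NONE/- - -",
    "1412995867.108   2573 10.100.249.11 TCP_MISS/200 10122 GET https://www.bwin.com/ - HIER_DIRECT/195.72.134.135 text/html -",
]

def parse_notes(encoded):
    """Decode a %note column: 'name: value\\r\\n' pairs, %hex-escaped, or '-' for none."""
    notes = {}
    if encoded != "-":
        for pair in unquote(encoded).split("\r\n"):
            if ":" in pair:
                name, value = pair.split(":", 1)
                notes[name.strip()] = value.strip()
    return notes

def parse_line(line):
    """Split one with_note line into a dict; trailing columns (e.g. %adapt::last_h) go to 'extra'."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        raise ValueError("short log line: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec["extra"] = parts[len(FIELDS):]
    rec["notes"] = parse_notes(rec["note"])
    return rec

def annotated(lines, name, value):
    """(method, url) of each transaction whose notes carry name=value,
    i.e. what 'acl <x> note <name> <value>' would have been able to match."""
    return [(r["method"], r["url"]) for r in map(parse_line, lines)
            if r["notes"].get(name) == value]

def bumped_connects(lines):
    """(client, host) for each CONNECT followed by an https:// request from the same
    client to that host: a decrypted request only reaches access.log if the tunnel was bumped."""
    recs = list(map(parse_line, lines))
    hits = []
    for i, r in enumerate(recs):
        if r["method"] == "CONNECT":
            host = r["url"].split(":")[0]
            if any(x["client"] == r["client"] and x["url"].startswith("https://" + host)
                   for x in recs[i + 1:]):
                hits.append((r["client"], host))
    return hits
```

Run it over a real access.log with `annotated(open(path), "X-Virus-ID", "yes")` to see whether the adapter's annotation actually reached the transactions that the toBump ACL is supposed to match.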

Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-23 Thread Jatin Bhasin
Hi Alex,

That will be awesome if that works. I will try this option. 

Thanks,
Jatin

 On 23 Aug 2014, at 10:24, Alex Rousskov rouss...@measurement-factory.com 
 wrote:
 
 On 08/21/2014 07:06 PM, Jatin Bhasin wrote:
 
  So, can somebody suggest whether there is a way to pass a flag to squid
  from the ecap adapter to decrypt a site regardless of what the ACL says? For
  example, if I have an acl as below which says do not decrypt
  www.888.com, could my ecap adapter pass a message to squid
  asking it to decrypt www.888.com (for that session only) and ignore
  the acl below?
  Is it possible?
 
 
 Given a recent-enough Squid version, an adaptation service can control
 Squid behavior via the annotations mechanism and the note ACL
 associated with it. For example, your eCAP adapter can return an
 X-Bump:yes annotation(**) that Squid can then match using the note ACL.
 Something along these untested lines:
 
  acl note toBump X-Bump yes
  ssl_bump server-first toBump
  ssl_bump server-first ...
  ssl_bump none all
 
 This mechanism should be supported for ssl_bump ACLs but I have not
 tested that claim myself.
 
 
 HTH,
 
 Alex.
 (**) In eCAP terminology, an X-Bump:yes annotation is an adapter
 transaction option named X-Bump with a yes value. See
 libecap::Options, which is a parent of libecap::adapter::Xaction.
 


RE: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-22 Thread Rafael Akchurin
Hello Jatin,

Unfortunately I cannot answer your question. But why would you like to bump the 
connection when admin *explicitly* specified it as *not to be bumped*. I think 
eCap adapter here acts as a passive beast just scanning what admin tells it to, 
not what it thinks it needs to scan.

Raf


I wanted to block a particular website based on the CONNECT request
because I am not bumping (decrypting) the site. But now I have
realised that if I do not bump the site then there is no way I can
paint a custom message on the browser.

So, can somebody suggest whether there is a way to pass a flag to squid
from the ecap adapter to decrypt a site regardless of what the ACL says? For
example, if I have an acl as below which says do not decrypt
www.888.com, could my ecap adapter pass a message to squid
asking it to decrypt www.888.com (for that session only) and ignore
the acl below?
Is it possible?

acl no_ssl_interception dstdomain .888.com
ssl_bump none no_ssl_interception
ssl_bump client-first all

skip

Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-22 Thread Amos Jeffries
On 22/08/2014 7:14 p.m., Rafael Akchurin wrote:
 Hello Jatin,
 
 Unfortunately I cannot answer your question. But why would you like to bump 
 the connection when admin *explicitly* specified it as *not to be bumped*. I 
 think eCap adapter here acts as a passive beast just scanning what admin 
 tells it to, not what it thinks it needs to scan.
 

Indeed.

Jatin I think you need to check exactly what response the eCAP adapter
is producing for these CONNECT requests. The status code, content-type
header and message body all need to be in agreement to have any chance
at all of working. You may even have to use a 302/303 status to redirect
to a different URL which has the content in it.

Keep in mind also that the mainstream popular browsers simply will not
display anything except their own error pages in response to an
unsuccessful CONNECT. Perhaps a bit on the extreme side, but that is
how they have chosen to prevent security vulnerabilities which have been
abused badly in the past.

Amos



Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-22 Thread Alex Rousskov
On 08/21/2014 07:06 PM, Jatin Bhasin wrote:

 So, can somebody suggest whether there is a way to pass a flag to squid
 from the ecap adapter to decrypt a site regardless of what the ACL says? For
 example, if I have an acl as below which says do not decrypt
 www.888.com, could my ecap adapter pass a message to squid
 asking it to decrypt www.888.com (for that session only) and ignore
 the acl below?
 Is it possible?


Given a recent-enough Squid version, an adaptation service can control
Squid behavior via the annotations mechanism and the note ACL
associated with it. For example, your eCAP adapter can return an
X-Bump:yes annotation(**) that Squid can then match using the note ACL.
Something along these untested lines:

  acl note toBump X-Bump yes
  ssl_bump server-first toBump
  ssl_bump server-first ...
  ssl_bump none all

This mechanism should be supported for ssl_bump ACLs but I have not
tested that claim myself.


HTH,

Alex.
(**) In eCAP terminology, an X-Bump:yes annotation is an adapter
transaction option named X-Bump with a yes value. See
libecap::Options, which is a parent of libecap::adapter::Xaction.



RE: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Rafael Akchurin
Hello Jatin,

Maybe this (for ICAP, not for eCap) describes your issue - 
http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked

Raf

From: Jatin Bhasin jbhasi...@gmail.com
Sent: Thursday, August 21, 2014 12:47 PM
To: squid-users@squid-cache.org
Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response does 
not work

When I see a CONNECT request in my eCap adapter and call the
function blockVirgin, then I see a squid ACCESS DENIED page, which is
good.

But if, instead of calling blockVirgin, I generate a CUSTOM response
message saying YOU ARE NOT AUTHORISED TO VIEW THIS PAGE and build the
response based on FAQ https://answers.launchpad.net/ecap/+faq/2516,
then it fails.

Although the same code (request satisfaction) works if I build a
custom response for a GET request.

Please suggest how I can achieve a CUSTOM response for a CONNECT.


Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Jatin Bhasin
Hello,

Yes, that is the same scenario that I have been experiencing, but when
I call the function (x->blockVirgin()) from my ecap adapter then
squid does print the access denied page, which is one of my squid
error pages. So as I see it, squid does complete the SSL handshake
and then paints the access denied page, which works fine.



But if I try to paint a custom message then squid does not complete
the handshake and just continues to paint the blockpage which then is
rejected by the browser (as browser is expecting a proper handshake
before receiving any response data).

Maybe this is a bug in squid or I am not doing it right, but it would
be great if somebody can suggest if I am doing something wrong.


Thanks,
Jatin

On Thu, Aug 21, 2014 at 9:35 PM, Rafael Akchurin
rafael.akchu...@diladele.com wrote:
 Hello Jatin,

 Maybe this (for ICAP, not for eCap) describes your issue - 
 http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked

 Raf
 
 From: Jatin Bhasin jbhasi...@gmail.com
 Sent: Thursday, August 21, 2014 12:47 PM
 To: squid-users@squid-cache.org
 Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response does 
 not work

 When I see a CONNECT request in my eCap adapter and call the
 function blockVirgin, then I see a squid ACCESS DENIED page, which is
 good.

 But if, instead of calling blockVirgin, I generate a CUSTOM response
 message saying YOU ARE NOT AUTHORISED TO VIEW THIS PAGE and build the
 response based on FAQ https://answers.launchpad.net/ecap/+faq/2516,
 then it fails.

 Although the same code (request satisfaction) works if I build a
 custom response for a GET request.

 Please suggest how I can achieve a CUSTOM response for a CONNECT.


Re: [squid-users] blockVirgin Works for CONNECT but Custom Response does not work

2014-08-21 Thread Jatin Bhasin
Hello,

I wanted to block a particular website based on the CONNECT request
because I am not bumping (decrypting) the site. But now I have
realised that if I do not bump the site then there is no way I can
paint a custom message on the browser.

So, can somebody suggest whether there is a way to pass a flag to squid
from the ecap adapter to decrypt a site regardless of what the ACL says? For
example, if I have an acl as below which says do not decrypt
www.888.com, could my ecap adapter pass a message to squid
asking it to decrypt www.888.com (for that session only) and ignore
the acl below?
Is it possible?

acl no_ssl_interception dstdomain .888.com
ssl_bump none no_ssl_interception
ssl_bump client-first all

Thanks,
Jatin


On Fri, Aug 22, 2014 at 9:59 AM, Jatin Bhasin jbhasi...@gmail.com wrote:
 Hello,

 Yes, that is the same scenario that I have been experiencing, but when
 I call the function (x->blockVirgin()) from my ecap adapter then
 squid does print the access denied page, which is one of my squid
 error pages. So as I see it, squid does complete the SSL handshake
 and then paints the access denied page, which works fine.



 But if I try to paint a custom message then squid does not complete
 the handshake and just continues to paint the blockpage which then is
 rejected by the browser (as browser is expecting a proper handshake
 before receiving any response data).

 Maybe this is a bug in squid or I am not doing it right, but it would
 be great if somebody can suggest if I am doing something wrong.


 Thanks,
 Jatin

 On Thu, Aug 21, 2014 at 9:35 PM, Rafael Akchurin
 rafael.akchu...@diladele.com wrote:
 Hello Jatin,

 Maybe this (for ICAP, not for eCap) describes your issue - 
 http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked

 Raf
 
 From: Jatin Bhasin jbhasi...@gmail.com
 Sent: Thursday, August 21, 2014 12:47 PM
 To: squid-users@squid-cache.org
 Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response 
 does not work

 When I see a CONNECT request in my eCap adapter and call the
 function blockVirgin, then I see a squid ACCESS DENIED page, which is
 good.

 But if, instead of calling blockVirgin, I generate a CUSTOM response
 message saying YOU ARE NOT AUTHORISED TO VIEW THIS PAGE and build the
 response based on FAQ https://answers.launchpad.net/ecap/+faq/2516,
 then it fails.

 Although the same code (request satisfaction) works if I build a
 custom response for a GET request.

 Please suggest how I can achieve a CUSTOM response for a CONNECT.