[squid-users] How to perform regex only after Squid knows the full url with SslBump
Hi, I have a use case where I want to allow access to a certain URL path of a domain but not to others, i.e. I want the client to be able to access example.com/abc/login but no other paths. Hence, I created an ACL rule to achieve that, see below:

```
acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"
acl http port 80
acl https port 443
acl connect method CONNECT
http_access allow all to_domain_whitelist
http_access deny all
http_reply_access allow all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step3
ssl_bump bump all
```

However, the above code does not work properly: the URL regex matching happens before Squid performs decryption, so it can only match against the host name instead of the full URL path. I wonder if there is a way to perform the URL regex only after Squid knows the full URL with SslBump? Below is a brief excerpt of the log. Thank you so much.

```
- CONNECT example.com:443 HTTP/1.1
Host: example.com:443
User-Agent: curl/7.54.0
Proxy-Connection: Keep-Alive
X-Forwarded-For: xx.xxx.xx.xx
--
...
2020/03/20 14:51:43.067| 28,3| Acl.cc(158) matches: checked: to_domain_whitelist = 0
2020/03/20 14:51:43.071| 85,2| client_side_request.cc(745) clientAccessCheckDone: The request CONNECT example.com:443 is DENIED; last ACL checked: all
...
- GET /abc/login HTTP/1.1
Host: example.com
User-Agent: curl/7.54.0
Accept: */*
--
```

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
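An added configuration example, not part of the original post, showing the two-stage ordering the question is about: the CONNECT is authorised on host and port only (that is all Squid knows at that point), the tunnel is bumped, and the path regex is then applied to the decrypted requests, which Squid re-checks against http_access with their full https:// URL. It assumes an http_port with the ssl-bump option and sslcrtd_program are already configured, and the sample contents of allow.acl are constructed.

```squid
# Added example (not the original poster's config). Assumed: an http_port with the
# ssl-bump option and sslcrtd_program are already set up, and allow.acl contains
# one regex per line such as the constructed entry:
#   ^https://example\.com/abc/login(\?.*)?$
# A url_regex is tested against the whole request URL. For a CONNECT request that URL
# is only "example.com:443", so a path pattern can never match before the tunnel is
# bumped; the path is only visible on the decrypted requests inside it.

acl allowed_hosts        dstdomain example.com
acl to_domain_whitelist  url_regex "/squid-config/whitelist/allow.acl"
acl SSL_ports            port 443
acl CONNECT              method CONNECT
acl step1                at_step SslBump1

# Stage 1: the CONNECT itself. Only host:port is known, so decide on the host
# and refuse tunnels to anything but the TLS port.
http_access deny  CONNECT !SSL_ports
http_access allow CONNECT allowed_hosts

# Stage 2: every request decrypted inside a bumped tunnel is re-checked against
# http_access with its full https://host/path URL. The path whitelist applies here;
# anything else on example.com is denied with a Squid error page inside the tunnel.
http_access allow to_domain_whitelist
http_access deny  all

http_reply_access allow all

# Peek at the ClientHello (SNI) at step 1, stare at the real server certificate at
# step 2, then bump. A "peek step3" rule cannot match at step 1, so the original
# rules fell through to "bump all" before the SNI or server certificate was seen.
ssl_bump peek  step1
ssl_bump stare all
ssl_bump bump  all
```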
Re: [squid-users] How to Configure Proxy Chaining with ssl-bump
Hi Amos,

Thanks for your explanation. Could you instruct me how to install Squid v5 on CentOS 7? Based on the URL https://wiki.squid-cache.org/SquidFaq/BinaryPackages#KnowledgeBase.2FCentOS.Stable_Repository_Package_.28like_epel-release.29, CentOS does not seem to support Squid v5.

BR,
Michael

Amos Jeffries wrote on Friday, 20 March 2020 at 5:29 PM:

> On 20/03/20 8:27 pm, Michael Chen wrote:
> > Hi Amos,
> > May I know which function Squid v3.5.28 cannot do for my scenario?
> > Because Squid v3.5 still has the cache_peer and ssl commands.
>
> TLS is a volatile environment, with many changes going on constantly. Squid-3 has been deprecated since 2018 and is far behind in support needed for current TLS practices.
>
> Especially when bumping you should always have the latest Squid version.
>
> This first bit can be tested with Squid-3. It is just about getting a secure connection to the peer; any Squid should be able to do that.
>
> Ensure that the peer proxy is delivering its CA *chain* properly.
> * All the intermediates should be supplied during the server handshake.
> * cache_peer should only need the root CA for that chain. Configured in the sslca= or tls-ca= option.
>
> At this point your Squid should be able to pass traffic to the peer. Test that with regular http:// URL requests to your Squid. *Not* HTTPS or bumped traffic.
>
> You can test the following with Squid-3, but do not expect it to work very well. Squid-4 is better in a lot of cases, but still not completely.
>
> Your ssl_bump rules should peek at the client cert, then stare at the server cert, then bump the crypto. Like so:
>
> ssl_bump peek step1
> ssl_bump stare all
> ssl_bump bump all
>
> Amos
Re: [squid-users] How to Configure Proxy Chaining with ssl-bump
On 20/03/20 8:27 pm, Michael Chen wrote:
> Hi Amos,
> May I know which function Squid v3.5.28 cannot do for my scenario?
> Because Squid v3.5 still has the cache_peer and ssl commands.

TLS is a volatile environment, with many changes going on constantly. Squid-3 has been deprecated since 2018 and is far behind in support needed for current TLS practices.

Especially when bumping you should always have the latest Squid version.

This first bit can be tested with Squid-3. It is just about getting a secure connection to the peer; any Squid should be able to do that.

Ensure that the peer proxy is delivering its CA *chain* properly.
* All the intermediates should be supplied during the server handshake.
* cache_peer should only need the root CA for that chain. Configured in the sslca= or tls-ca= option.

At this point your Squid should be able to pass traffic to the peer. Test that with regular http:// URL requests to your Squid. *Not* HTTPS or bumped traffic.

You can test the following with Squid-3, but do not expect it to work very well. Squid-4 is better in a lot of cases, but still not completely.

Your ssl_bump rules should peek at the client cert, then stare at the server cert, then bump the crypto. Like so:

```
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
```

Amos
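An added Squid-4 configuration example, not part of Amos's message, that puts the steps above into one squid.conf fragment: the TLS cache_peer verified against only the root CA of the chain the peer serves, routing forced through the peer so the http:// test actually exercises that link, and the peek/stare/bump rules. The peer host name and certificate path are assumed, tls-cafile= is the Squid-4 spelling of the CA option referred to above, and the http_port ssl-bump and sslcrtd_program setup is assumed to exist already.

```squid
# Added example (assumed host name and file path), Squid-4 syntax.
# "tls" opens a TLS connection to the peer. tls-cafile= holds ONLY the root CA of the
# chain the peer serves; the intermediates must arrive in the peer's own handshake,
# so a verification failure here usually means the peer is not sending its chain.
cache_peer upstream-proxy.example.net parent 3128 0 no-query default tls tls-cafile=/etc/squid/upstream-root-ca.pem

# Force all traffic through the peer, so a plain http:// request through this Squid
# proves the secure peer link works before any bumping is switched on.
never_direct allow all

# Bump rules, added only after the http:// test above passes.
acl step1 at_step SslBump1
# Step 1: peek at the client's ClientHello (SNI). Step 2: stare at the real server
# certificate. Step 3: bump. Bumping at step 1 would mint the fake certificate blind.
ssl_bump peek  step1
ssl_bump stare all
ssl_bump bump  all
```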
Re: [squid-users] How to Configure Proxy Chaining with ssl-bump
Hi Amos,

May I know which function Squid v3.5.28 cannot do for my scenario? Because Squid v3.5 still has the cache_peer and ssl commands.

BR,
Michael

Amos Jeffries wrote on Friday, 20 March 2020 at 2:46 PM:

> On 20/03/20 7:12 pm, Michael Chen wrote:
> > Hi Amos,
> > Squid version 3.5.28
>
> Squid-3 cannot do what you are wanting.
>
> You require Squid-4 or later if the peer supports TLS/SSL connections, and Squid-5 or later if it does not.
>
> > image.png
> > BR,
> > Michael
>
> Please avoid posting things as images. They often do not make it through the mailing list, are very hard to read and even worse to grep/search for significant values.
>
> Amos
Re: [squid-users] How to Configure Proxy Chaining with ssl-bump
On 20/03/20 7:12 pm, Michael Chen wrote:
> Hi Amos,
> Squid version 3.5.28

Squid-3 cannot do what you are wanting.

You require Squid-4 or later if the peer supports TLS/SSL connections, and Squid-5 or later if it does not.

> image.png
> BR,
> Michael

Please avoid posting things as images. They often do not make it through the mailing list, are very hard to read and even worse to grep/search for significant values.

Amos