[squid-users] kaspersky and ufdbguard

2018-05-16 Thread Vacheslav
Peace,

When I configured Kaspersky to use the proxy, I started getting, as an example:

BLOCK -10.96.0.104 config https-option 195.122.177.165:443 CONNECT

I have require https hostname. Kaspersky is updating fine.

Does anyone have an idea what Kaspersky is connecting to?

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Very High Response Times to Certain Websites with Squid

2018-05-16 Thread Justin & Roseanne James
Hello,
I have a proxy server setup with Squid 3.5.23, and am having issues with
high response times to a lot of websites. As you can see below, I'm seeing
response times of over 1,000,000 milliseconds!

1526528717.346 1032187 10.10.10.5 TAG_NONE/200 0 CONNECT 54.239.29.128:443 - HIER_NONE/- -
1526528717.346 1032158 10.10.10.5 TAG_NONE/409 0 CONNECT api.amazon.com:443 - HIER_NONE/- text/html;charset=utf-8
1526528717.346 1000764 10.10.10.5 TAG_NONE/200 0 CONNECT 23.34.22.196:443 - HIER_NONE/- -
1526528717.346 1000734 10.10.10.5 TAG_NONE/409 0 CONNECT www.amazon.com:443 - HIER_NONE/- text/html;charset=utf-8
1526528717.346 1032128 10.10.10.5 TAG_NONE/200 0 CONNECT 72.21.206.140:443 - HIER_NONE/- -
1526528717.346 1032124 10.10.10.5 TAG_NONE/409 0 CONNECT s.amazon-adsystem.com:443 - HIER_NONE/- text/html;charset=utf-8
1526528717.346 1000903 10.10.10.5 TAG_NONE/200 0 CONNECT 52.94.237.193:443 - HIER_NONE/- -
1526528717.346 1000899 10.10.10.5 TAG_NONE/409 0 CONNECT transient.amazon.com:443 - HIER_NONE/- text/html;charset=utf-8
1526528717.346 1031571 10.10.10.5 TAG_NONE/200 0 CONNECT 72.21.206.141:443 - HIER_NONE/- -
1526528717.346 1031564 10.10.10.5 TAG_NONE/409 0 CONNECT aax-us-east.amazon-adsystem.com:443 - HIER_NONE/- text/html;charset=utf-8
1526528717.346 1000902 10.10.10.5 TAG_NONE/200 0 CONNECT 23.21.218.68:443 - HIER_NONE/- -
1526528717.346 1000897 10.10.10.5 TAG_NONE/409 0 CONNECT settings.crashlytics.com:443 - HIER_NONE/- text/html;charset=utf-8
1526528717.346 803516 10.10.10.2 TAG_NONE/200 0 CONNECT 54.88.34.154:443 - HIER_NONE/- -
1526528717.346 803506 10.10.10.2 TAG_NONE/409 0 CONNECT fls-na.amazon.com:443 - HIER_NONE/- text/html;charset=utf-8
1526528717.346 803516 10.10.10.2 TAG_NONE/200 0 CONNECT 54.88.34.154:443 - HIER_NONE/- -
1526528717.346 803506 10.10.10.2 TAG_NONE/409 0 CONNECT fls-na.amazon.com:443 - HIER_NONE/- text/html;charset=utf-8
1526528717.346 1000765 10.10.10.5 TAG_NONE/200 0 CONNECT 52.94.236.223:443 - HIER_NONE/- -
1526528717.346 1000734 10.10.10.5 TAG_NONE/409 0 CONNECT msh.amazon.com:443 - HIER_NONE/- text/html;charset=utf-8

I'm not doing anything special. Squid is running transparently and I have
iptables rules set up to forward port 80 and 443 traffic appropriately from
my firewall to my squid box. I can curl the above sites on my server and
results are returned almost instantly (not going through squid).

Many thanks for any help you can provide!
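Added example, not from the thread: a small parser for the native-format access.log lines posted above that summarises elapsed time per client and counts the CONNECT requests Squid itself answered with 409 (the HIER_NONE entries, which never reached an origin server). The sample log is constructed from four of the posted lines plus one fast GET with a placeholder peer address.

```python
"""Summarise a Squid native-format access.log: slow requests and 409 replies.

Added example, not from the thread. Fields per line: timestamp, elapsed ms,
client IP, TAG/status, bytes, method, URL, user, hierarchy/peer, content type."""
from collections import defaultdict

# Constructed sample: four lines from the post plus one fast GET (placeholder peer IP).
SAMPLE_LOG = """\
1526528717.346 1032187 10.10.10.5 TAG_NONE/200 0 CONNECT 54.239.29.128:443 - HIER_NONE/- -
1526528717.346 1032158 10.10.10.5 TAG_NONE/409 0 CONNECT api.amazon.com:443 - HIER_NONE/- text/html;charset=utf-8
1526528717.346 803516 10.10.10.2 TAG_NONE/200 0 CONNECT 54.88.34.154:443 - HIER_NONE/- -
1526528717.346 803506 10.10.10.2 TAG_NONE/409 0 CONNECT fls-na.amazon.com:443 - HIER_NONE/- text/html;charset=utf-8
1526528720.001 123 10.10.10.5 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/198.51.100.10 text/html
"""

def parse_line(line):
    """Split one log line into a dict; Squid separates the fields with whitespace."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("unexpected field count: %r" % line)
    tag, _, status = f[3].partition("/")
    return {"time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "tag": tag, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "hier": f[8], "ctype": f[9]}

def summarise(log_text, slow_ms=10000):
    """Per client: request count, requests slower than slow_ms, the slowest
    request, and CONNECTs answered 409. Under SSL-Bump interception a
    TAG_NONE/409 on a CONNECT to a hostname is Squid itself refusing the
    request because host verification (the "Host header forgery" check)
    failed; HIER_NONE confirms no origin server was contacted, so these are
    not slow-origin problems."""
    stats = defaultdict(lambda: {"requests": 0, "slow": 0, "connect_409": 0,
                                 "slowest": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        s = stats[r["client"]]
        s["requests"] += 1
        if r["elapsed_ms"] >= slow_ms:
            s["slow"] += 1
        if s["slowest"] is None or r["elapsed_ms"] > s["slowest"]["elapsed_ms"]:
            s["slowest"] = r
        if r["method"] == "CONNECT" and r["status"] == 409:
            s["connect_409"] += 1
    return dict(stats)
```

Run it against a real access.log by passing the file contents to summarise(); a client whose connect_409 count tracks its slow count is hitting the host-verification path rather than a slow site.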


Re: [squid-users] Squid configuration sanity check

2018-05-16 Thread Eliezer Croitoru
And..

If there are objects you don’t want to be served from the proxy directly you 
can try to edit the templates.


Eliezer

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il
From: squid-users  On Behalf Of Alex 
K
Sent: Wednesday, May 16, 2018 21:08
To: Amos Jeffries 
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid configuration sanity check

Ok, clear.

Thank you Amos. 

Alex


On Wed, May 16, 2018 at 3:33 PM, Amos Jeffries wrote:

On 16/05/18 18:17, Alex K wrote:
> Hi again,
> 
> With this config I get:
> 
> ERROR: No forward-proxy ports configured.
> 
> I am wondering if I could just add a dummy entry:
> 
> http_port 3130
> 
> to suppress this error.
> 
> But not sure how this is useful when reading:
> 
> https://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts
> 

As the wiki page says, Squid sometimes generates URLs which require the
client to contact the proxy directly for something(s). That cannot be
done through a port used for TPROXY or NAT interception traffic.

The port 3130 (if you choose that over the well-known 3128 port) should
not be a "dummy" that does nothing. Squid *will* open and listen for
traffic there. Clients will at times be told to fetch URLs from the
Squid machine's public hostname at that port.

You can firewall the port off from all access if you really want to.
Just be aware that will add error messages about the proxy port not
being accessible to whatever problem the client is having that required
direct contact with Squid in the first place (usually trying to display
an error page).

Amos



Re: [squid-users] SOLVED - SECURITY ALERT: Host header forgery detected

2018-05-16 Thread Eliezer Croitoru
Amos,

And this issue is kind of big\mega corp services or CDN services.
Now I am really not sure I understand what this security host forgery is about.
There are a couple of cases:
- Simple forward proxy with ssl-bump, in which no header forgery should ever happen
when the client requests a specific domain and not an IP
- Intercept proxy with ssl-bump enabled that has no SNI host
- Intercept proxy with ssl-bump enabled that has SNI and squid passes the
client's SNI host

Which one of the above is this specific case?
And if there are other cases it's good to list them and I will try to wiki 
these details.

Thanks,
Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il
-Original Message-
From: squid-users  On Behalf Of Amos 
Jeffries
Sent: Tuesday, May 15, 2018 21:28
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] SOLVED - SECURITY ALERT: Host header forgery detected

On 16/05/18 02:02, Eliezer Croitoru wrote:
> Hey Martin,
> 
> Technically there should be a way to inform Squid-Cache about multiple 
> addresses for the same destination.
> If Squid doesn't know that it's a real IP of the domains a partial solution 
> is to use the same DNS service but it can also be something else.
> For example there should be a way\option for squid to decide if this address 
> of the client or server is secured.
> 
> Amos what do you think?
> Can a Host header forgery detection override acl be added? Should it be added?
> I believe that  if there are some properties to the remote certificate we can 
> flag the service as "Secure"
> IE if the OS runs a "openssl s_client -host www.ubuntu.com -connect 
> 91.189.89.118:443"
> And the certificate is fine then... there is no place for any SECURITY 
> ALERT.

A malicious actor would simply forward the TLS handshake to the real
server they are spoofing. Same way Squid does for SSL-Bump.

The counter argument of not sending SNI to that suspicious server will
have failures with these exact same mega-corp services. Think
foo.example.com hosted on Google hosting where the generic server cert
is "foo.1e1.net" not "foo.example.com", nor even "google.com".


The "problem" that needs to be resolved is simply that the genuine
servers do not have a reliable match between their IP and client
presented domain name(s).

Amos


Re: [squid-users] Squid configuration sanity check

2018-05-16 Thread Alex K
Ok, clear.
Thank you Amos.

Alex

On Wed, May 16, 2018 at 3:33 PM, Amos Jeffries wrote:

> On 16/05/18 18:17, Alex K wrote:
> > Hi again,
> >
> > With this config I get:
> >
> > ERROR: No forward-proxy ports configured.
> >
> > I am wondering if I could just add a dummy entry:
> >
> > http_port 3130
> >
> > to suppress this error.
> >
> > But not sure how this is useful when reading:
> >
> > https://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts
> >
>
> As the wiki page says, Squid sometimes generates URLs which require the
> client to contact the proxy directly for something(s). That cannot be
> done through a port used for TPROXY or NAT interception traffic.
>
> The port 3130 (if you choose that over the well-known 3128 port) should
> not be a "dummy" that does nothing. Squid *will* open and listen for
> traffic there. Clients will at times be told to fetch URLs from the
> Squid machine's public hostname at that port.
>
> You can firewall the port off from all access if you really want to.
> Just be aware that will add error messages about the proxy port not
> being accessible to whatever problem the client is having that required
> direct contact with Squid in the first place (usually trying to display
> an error page).
>
> Amos
>


Re: [squid-users] Squid configuration sanity check

2018-05-16 Thread Amos Jeffries
On 16/05/18 18:17, Alex K wrote:
> Hi again,
> 
> With this config I get:
> 
> ERROR: No forward-proxy ports configured.
> 
> I am wondering if I could just add a dummy entry:
> 
> http_port 3130
> 
> to suppress this error.
> 
> But not sure how this is useful when reading:
> 
> https://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts
> 

As the wiki page says, Squid sometimes generates URLs which require the
client to contact the proxy directly for something(s). That cannot be
done through a port used for TPROXY or NAT interception traffic.

The port 3130 (if you choose that over the well-known 3128 port) should
not be a "dummy" that does nothing. Squid *will* open and listen for
traffic there. Clients will at times be told to fetch URLs from the
Squid machine's public hostname at that port.

You can firewall the port off from all access if you really want to.
Just be aware that will add error messages about the proxy port not
being accessible to whatever problem the client is having that required
direct contact with Squid in the first place (usually trying to display
an error page).

Amos


Re: [squid-users] Squid configuration sanity check

2018-05-16 Thread Alex K
Hi again,

With this config I get:

ERROR: No forward-proxy ports configured.

I am wondering if I could just add a dummy entry:

http_port 3130

to suppress this error.

But not sure how this is useful when reading:

https://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts

Alex

On Tue, May 8, 2018 at 7:49 PM, Amos Jeffries wrote:

> On 08/05/18 22:36, Alex K wrote:
> > Correction:
> >
> > On Tue, May 8, 2018 at 1:35 PM, Alex K wrote:
> >
> > Hi Amos,
> >
> > On Tue, May 8, 2018 at 8:55 AM, Amos Jeffries wrote:
> >
> > On 08/05/18 04:56, Alex K wrote:
> > > Hi Amos,
> > >
> > > On Mon, May 7, 2018 at 7:30 PM, Amos Jeffries wrote:
> > >
> > > On 08/05/18 00:24, Alex K wrote:
> > > > Hi all,
> > > >
> > ...
> > > > acl localhost src 192.168.200.1/32
> > >
> > > 192.168.200.1 is assigned to your lo interface?
> > >
> > > Yes, this is the IP of one of the interfaces of the device at the
> > > network where the users use squid to reach Internet.
> > >
> >
> > No, I mean specifically the interface named "lo" which has ::1 and
> > 127.0.0.0/8 assigned by the system. It has some special security
> > properties like hardware restriction preventing globally routable IPs
> > being used as dst-IP of packets even routed through it result in
> > rejections.
> >
> > I have not assigned 192.168.200.1 at lo. It is assigned to an
> > interface (eth3 for example). localhost is here misleading. It could
> > say "proxy".
>
> Yes, it should be different. The "localhost" ACL is used for some defaults.
> What you are doing here is adding 192.168.200.1 to the ::1 etc.
> definition of the predefined localhost ACL.
>
>
> >
> > >
> > > >
> > > > acl SSL_ports port 443
> > > > acl Safe_ports port 80
> > > > acl Safe_ports port 21
> > > > acl Safe_ports port 443
> > > > acl Safe_ports port 10080
> > > > acl Safe_ports port 10443
> > > > acl SSL method CONNECT
> > >
> > > The above can be quite deceptive,
> > >
> > > I removed port 21 as I don't think I am using FTP.
> > >
> >
> > Sorry, I missed out the last half of that text. I was meaning the "SSL"
> > ACL definition specifically. CONNECT method is not restricted to SSL
> > protocol even when all you are doing is intercepting port 443 (think
> > HTTP/2, WebSockets, QUIC, etc). It would be better to use the provided
> > CONNECT ACL in place of "SSL" - they are identical in definition and
> > CONNECT is clearer to see if/when some access control is not as tightly
> > restricted as "SSL" would make it seem.
> >
> > You mean remove "acl SSL method CONNECT" and leave only "acl
> > CONNECT method CONNECT" ?
> >
>
> Yes. Exactly so.
>
> Amos
>