X-Mail-List: ufdbGuard
Hi Marcus,
Below are some analysis and questions.
Best regards,
Cleberson Vieira
On 25-01-2017 12:00, Marcus Kool wrote:
Hi Cleberson,
I am not sure how to interpret "to be blocked when they access via CONNECT"...
In a mixed environment with transparent intercept (which has no CONNECT,
but Squid generates a fake CONNECT for ufdbGuard) and a forward proxy
(which has a CONNECT) ufdbGuard receives real CONNECTs and fake CONNECTs.
For a forward proxy, if a connection is bumped, ufdbGuard receives
CONNECT www.example.com
GET https://www.example.com/index.html
If a connection is spliced, ufdbGuard only receives
CONNECT www.example.com
In this case, having an "exception" or category that blocks when
receiving the first CONNECT would be interesting, even generating
certificate errors for the client. In my understanding, I believe the
"block-on-connect" option was intended to remedy this.
To complicate things, for transparent intercept, Squid does not send the
FQDN but the IP with the fake CONNECT. So it becomes:
if a connection is bumped, ufdbGuard receives
CONNECT IP.AD.DR.ESS
GET https://www.example.com/index.html
If a connection is spliced, ufdbGuard only receives
CONNECT IP.AD.DR.ESS
And this complicates things a lot since filtering on IP address is prone
to errors since IP addresses can be shared by many domains.
For transparent interception, treatment is complicated. :/
There is an issue with blocking: blocking a CONNECT will display
errors in a browser that a regular end user does not understand,
so ufdbGuard usually does not block a CONNECT but waits for the
GET https://www.example.com/index.html
which it can block while being able to display an understandable
error message to the end user.
The category-specific option block-on-connect was introduced to
block a category where it is known that it does not use plain HTTPS
(TLS-encrypted HTTP) but some other protocol which Squid does
not understand and does not forward anything to ufdbGuard.
In other words, the CONNECT must be blocked since there will never be
a GET https://example.com.
An example of such category is Skype.
The manual has an error and section 8.1.1 should have this:
squid-uses-active-bumping on
...
category skype {
domainlist chat/skype/domains
option block-on-connect on
option allow-skype-over-https off
}
I followed the steps in the manual and set this configuration:
option block-on-connect on
It generated the following errors at start:
FATAL ERROR: line 284: syntax error in configuration file
/etc/ufdbguard/ufdbGuard.conf *****
I tried to find a reference of the "block-on-connect" option in the
source code and I did not find anything:
# grep -i 'block-on-connect' /usr/src/ufdbGuard-1.32.4/* -R
Any explanation for this?
Marcus
On 25/01/17 11:18, Cleberson Vieira wrote:
Hi Marcus,
Your statement about acls represents my current scenario.
About proxy mode, I use the two modes. But what could that influence?
Is there any valid option to replace the non-existent "block-on-connect"?
Best regards,
Cleberson Vieira
On 25-01-2017 10:53, Marcus Kool wrote:
Hi Cleberson,
I understand that you use Squid with ssl_bump in a mixed mode with acls that
peek, bump and/or splice.
Do you have transparent interception or forward proxy mode?
Thanks
Marcus
On 25/01/17 09:57, Cleberson Vieira wrote:
Hi everyone,
Could someone help me in this problem?
Best regards,
Cleberson Vieira
On 23-01-2017 12:54, Cleberson Vieira wrote:
Hi everyone,
The reference manual, item (8.1.1 Active HTTPS Bumping with ufdbGuard) specifies the
"block-on-connect" option. This option does not exist in ufdbGuard.conf.
I would like sites configured in squid like no_bump (splice), such as banks and
social networks, to be blocked when they access via CONNECT.
The "block-bumped-connect on" option also did not work.
Is there any option for this situation?
Best regards,
Cleberson Vieira
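The following is an added illustration, not code from ufdbGuard or from anyone in this thread. It is a small Python model of what Marcus describes above: the filter sees CONNECT followed by a GET when Squid bumps a connection, only the CONNECT when it splices, and an IP literal instead of a FQDN on the fake CONNECT that transparent interception produces. The category names, domain lists and request lines are constructed for the example, and the decision rules only mirror the behaviour stated in the thread (block at CONNECT only for a category marked block-on-connect, otherwise wait for the GET so a readable error page can be shown).

```python
"""Toy model of a URL filter in the role of ufdbGuard behind Squid ssl_bump.

Added example: not ufdbGuard code. Category table, request lines and
decision rules are constructed to mirror the behaviour described in the
mailing-list thread.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Category:
    name: str
    domains: set               # stands in for a "domainlist" file (constructed)
    block_on_connect: bool = False   # "option block-on-connect on"
    blocked: bool = True             # policy blocks this category at all


# Constructed category table; domains are placeholders, not real lists.
CATEGORIES = [
    # Protocol is not plain HTTPS, so a GET will never follow the CONNECT.
    Category("skype", {"skype.example"}, block_on_connect=True),
    # Ordinary HTTPS site: the filter prefers to block on the GET.
    Category("socialnet", {"social.example"}),
]


def domain_matches(host, domain):
    """Domainlist semantics: exact host or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host):
    """True when Squid sent an address instead of a FQDN (transparent intercept)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify(host):
    """Return the first category whose domainlist covers host, else None."""
    for cat in CATEGORIES:
        if any(domain_matches(host, d) for d in cat.domains):
            return cat
    return None


def connect_host(target):
    """Strip an optional :port from a CONNECT target."""
    host, sep, port = target.rpartition(":")
    return host if sep and port.isdigit() else target


def decide(request_line):
    """Decide one redirector request line; returns ('pass' | 'block', reason)."""
    method, target = request_line.split(None, 1)
    if method == "CONNECT":
        host = connect_host(target)
        if is_ip_literal(host):
            # Fake CONNECT from transparent intercept: one address may host
            # many domains, so a domain-based verdict is not reliable here.
            return "pass", "CONNECT carries an IP, not a FQDN; not classified by domain"
        cat = classify(host)
        if cat and cat.blocked and cat.block_on_connect:
            return "block", f"{cat.name}: block-on-connect, no GET will follow"
        return "pass", "waiting for a GET so the user can be shown an error page"
    if method == "GET":
        host = urlsplit(target).hostname or ""
        cat = classify(host)
        if cat and cat.blocked:
            return "block", f"{cat.name}: blocked with a readable error page"
        return "pass", "allowed"
    return "pass", "method not modelled"


def simulate(request_lines):
    """Run the filter over the request lines one connection produces."""
    return [decide(line) for line in request_lines]


if __name__ == "__main__":
    # Constructed scenarios matching the four cases in the thread.
    scenarios = {
        "forward proxy, bumped": ["CONNECT social.example:443",
                                  "GET https://social.example/index.html"],
        "forward proxy, spliced": ["CONNECT social.example:443"],
        "forward proxy, spliced skype": ["CONNECT skype.example:443"],
        "transparent, spliced": ["CONNECT 192.0.2.10:443"],
    }
    for name, lines in scenarios.items():
        print(name)
        for line, (verdict, why) in zip(lines, simulate(lines)):
            print(f"  {line:45} -> {verdict:5} ({why})")
```

Running the scenarios shows the gap Cleberson is hitting: a spliced connection to a blocked category that does not set block-on-connect is never blocked, because the only request the filter ever sees is the CONNECT it deliberately lets through.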
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
ufdbGuard-support mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ufdbguard-support