X-Mail-List: ufdbGuard
Hi Cleberson,

Ah, sorry for the confusion:
the manual is doubly wrong; it should read:
    option block-bumped-connect on|off
I will fix this error in the manual with the next release.

Best regards,

Marcus


On 26/01/17 15:39, Cleberson Vieira wrote:
>
> Hi Marcus,
>
> Below are some analysis and questions.
>
> Best regards,
>
> Cleberson Vieira
>
>
> On 25-01-2017 12:00, Marcus Kool wrote:
>> Hi Cleberson,
>>
>> I am not sure how to interpret "to be blocked when they access via 
>> CONNECT"...
>>
>> In a mixed environment with transparent intercept (which has no CONNECT,
>> but Squid generates a fake CONNECT for ufdbGuard) and a forward proxy
>> (which has a CONNECT) ufdbGuard receives real CONNECTs and fake CONNECTs.
>>
>> For a forward proxy, if a connection is bumped, ufdbGuard receives
>>     CONNECT www.example.com
>>     GET     https://www.example.com/index.html
>> If a connection is spliced, ufdbGuard only receives
>>     CONNECT www.example.com
> In this case, having an "exception" or category that blocks when receiving 
> the first CONNECT would be interesting, even generating certificate errors 
> for the client. In my understanding, I believe the
> "block-on-connect" option was intended to remedy this.
>>
>> To complicate things, for transparent intercept, Squid does not send the
>> FQDN but the IP with the fake CONNECT.  So it becomes:
>> if a connection is bumped, ufdbGuard receives
>>     CONNECT IP.AD.DR.ESS
>>     GET     https://www.example.com/index.html
>> If a connection is spliced, ufdbGuard only receives
>>     CONNECT IP.AD.DR.ESS
>> And this complicates things a lot, since filtering on IP address is
>> error-prone: IP addresses can be shared by many domains.
> For transparent interception, treatment is complicated. :/
>>
>> There is an issue with blocking: blocking a CONNECT will display
>> errors in a browser that a regular end user does not understand,
>> so ufdbGuard usually does not block a CONNECT but waits for the
>>     GET     https://www.example.com/index.html
>> which it can block while being able to display an understandable
>> error message to the end user.
>>
>> The category-specific option block-on-connect was introduced to
>> block a category where it is known that it does not use plain HTTPS
>> (TLS-encrypted HTTP) but some other protocol which Squid does
>> not understand and does not forward anything to ufdbGuard.
>> In other words, the CONNECT must be blocked since there will never be
>> a GET https://example.com.
>> An example of such category is Skype.
>>
>> The manual has an error and section 8.1.1 should have this:
>>
>> squid-uses-active-bumping  on
>> ...
>> category skype {
>>     domainlist                     chat/skype/domains
>>     option block-on-connect        on
>>     option allow-skype-over-https  off
>> }
>
> Following the steps in the manual, I set the configuration:
>
> option block-on-connect on
>
> It generated the following error at startup:
>
> FATAL ERROR: line 284: syntax error in configuration file 
> /etc/ufdbguard/ufdbGuard.conf  *****
>
> I tried to find a reference to the "block-on-connect" option in the source 
> code and did not find anything:
>
> # grep -i 'block-on-connect' /usr/src/ufdbGuard-1.32.4/* -R
>
> Any explanation for this?
>
>>
>> Marcus
>>
>> On 25/01/17 11:18, Cleberson Vieira wrote:
>>>
>>> Hi Marcus,
>>>
>>> Your statement about acls represents my current scenario.
>>>
>>> As for proxy mode, I use both modes. But what could that influence?
>>>
>>> Is there any valid option to replace the non-existent "block-on-connect"?
>>>
>>> Best regards,
>>>
>>> Cleberson Vieira
>>>
>>>
>>> On 25-01-2017 10:53, Marcus Kool wrote:
>>>> Hi Cleberson,
>>>>
>>>> I understand that you use Squid with ssl_bump in a mixed mode with acls 
>>>> that peek, bump and/or splice.
>>>>
>>>> Do you have transparent interception or forward proxy mode?
>>>>
>>>> Thanks
>>>> Marcus
>>>>
>>>>
>>>> On 25/01/17 09:57, Cleberson Vieira wrote:
>>>>>
>>>>> Hi everyone,
>>>>>
>>>>> Could someone help me in this problem?
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Cleberson Vieira
>>>>>
>>>>> On 23-01-2017 12:54, Cleberson Vieira wrote:
>>>>>>
>>>>>> Hi everyone,
>>>>>>
>>>>>> The reference manual, item (8.1.1 Active HTTPS Bumping with ufdbGuard) 
>>>>>> specifies the "block-on-connect" option. This option does not exist in 
>>>>>> ufdbGuard.conf.
>>>>>>
>>>>>> I would like sites configured in squid like no_bump (splice), such as 
>>>>>> banks and social networks, to be blocked when they access via CONNECT.
>>>>>>
>>>>>> The "block-bumped-connect on" option also did not work.
>>>>>>
>>>>>> Is there any option for this situation?
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Cleberson Vieira
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> ufdbGuard-support mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/ufdbguard-support
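The filtering decisions Marcus describes in the thread (let the CONNECT through and block the GET inside a bumped tunnel so a readable block page can be shown; block the CONNECT itself only for a category such as Skype that never produces a GET; and the IP-literal fake CONNECT of transparent interception, which defeats domain matching) are written out below as an added illustrative model in Python. This is example code written for this page, not ufdbGuard's source and not its configuration parser. The Category class, its block_on_connect flag, the domain lists, the IP address and the request lines are constructed assumptions for illustration.

```python
"""Illustrative model of CONNECT / GET filtering decisions as described in
the ufdbGuard thread.  Added example: not ufdbGuard's code and not its
config parser.  Category, block_on_connect, the domain lists and the
request lines below are constructed for illustration."""

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Category:
    name: str
    domains: frozenset           # domain suffixes: "skype.com" also covers "web.skype.com"
    block_on_connect: bool = False   # models the per-category option discussed in the thread


def host_matches(host, domains):
    """Suffix match: 'web.skype.com' hits 'skype.com', 'notskype.com' does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def is_ip_literal(host):
    """True for '192.0.2.10' or '[2001:db8::1]': what a transparent-intercept fake CONNECT carries."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def categorize(host, categories):
    for cat in categories:
        if host_matches(host, cat.domains):
            return cat
    return None


def decide(request, categories):
    """Verdict for one request line as the filter sees it from Squid.

    Returns (verdict, reason), verdict in {'pass', 'block-connect', 'block-get'}.
    """
    method, _, target = request.partition(" ")
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]            # strip the port from host:443
        if is_ip_literal(host):
            # Transparent intercept: no FQDN, and one address may serve many
            # sites, so a domain category cannot be applied safely here.
            return "pass", "CONNECT to IP literal: no domain match possible, wait for a bumped GET"
        cat = categorize(host, categories)
        if cat is None:
            return "pass", "no category"
        if cat.block_on_connect:
            # The tunnel will never carry a GET the filter can see (e.g. Skype),
            # so the CONNECT is the only place to block, at the cost of an
            # opaque browser error instead of a block page.
            return "block-connect", f"category {cat.name} has block-on-connect"
        # Default: let the CONNECT through and block the GET inside the bumped
        # tunnel, where a readable block page can be returned to the user.
        return "pass", f"category {cat.name}: defer to the GET inside the tunnel"
    if method == "GET":
        host = urlsplit(target).hostname or ""
        cat = categorize(host, categories)
        if cat is not None:
            return "block-get", f"category {cat.name}: block page shown to the user"
        return "pass", "no category"
    return "pass", f"method {method} not modelled"


def filter_session(requests, categories):
    """Run one client session; stop at the first block, where the tunnel would be closed."""
    trace = []
    for req in requests:
        verdict, reason = decide(req, categories)
        trace.append((req, verdict, reason))
        if verdict != "pass":
            return verdict, trace
    return "pass", trace


# Constructed categories: Skype never produces a GET through the tunnel;
# the bank is plain HTTPS but is spliced (not bumped) by Squid policy.
CATEGORIES = [
    Category("skype", frozenset({"skype.com"}), block_on_connect=True),
    Category("banks", frozenset({"bank.example"})),
]

# Constructed sessions mirroring the four cases in the thread plus the Skype case.
SESSIONS = {
    "forward proxy, bumped":  ["CONNECT www.bank.example:443", "GET https://www.bank.example/index.html"],
    "forward proxy, spliced": ["CONNECT www.bank.example:443"],
    "transparent, bumped":    ["CONNECT 192.0.2.10:443", "GET https://www.bank.example/index.html"],
    "transparent, spliced":   ["CONNECT 192.0.2.10:443"],
    "forward proxy, skype":   ["CONNECT web.skype.com:443"],
}

if __name__ == "__main__":
    for label, reqs in SESSIONS.items():
        verdict, trace = filter_session(reqs, CATEGORIES)
        print(f"{label:24s} -> {verdict}")
        for req, v, why in trace:
            print(f"    {req:45s} {v:14s} {why}")
```

Running the model shows the gap Cleberson describes: a spliced bank session consists of a single CONNECT and is never blocked, because the default policy defers to a GET that never arrives. Giving the bank category the block-on-connect behaviour closes that gap, but only for forward-proxy clients that send the FQDN, and the user then sees a generic connection or certificate error rather than a block page; the transparent-intercept sessions still carry only an IP literal in the CONNECT and cannot be matched by domain at all.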