Re: [squid-users] never_direct + https site access problem in sandwich setup!!!

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 11 Jul 2008 00:43:48 +1200

Shiva Raman wrote:
> Hi all
> I am running a squid1->DG->squid2 sandwich setup and I am facing
> the following problem.
> When I give "never_direct allow all" in squid1.conf, I am not able to
> access any https sites.
> Without the above configuration line, all users can access https
> sites and even sites denied in the content filter. For example, suppose
> http://www.redhat.com is a banned site in the content filter; I am able to
> access https://www.redhat.com, which bypasses the content filter and
> is served by squid2.
>
> My requirement is to allow all https traffic through this setup but
> the requests should flow through content filter and then to squid2
> for serving. Is it possible to tell squid1 to pass the https traffic
> to the content filter and then to squid2?

Your requirement should work, but the intermediate (DG) appears to be
failing.

The problem sounds very much like others recently where squidguard was
not letting HTTPS through due to its configuration.

Configure squid1 with "never_direct all" then attempt to resolve WHY
*DG* is denying CONNECT requests to port 443 through. You can trace the
requests making it into squid1 through the squid1 access.log and the
requests making it out to the internet via the squid2 access.log.

Your squid configs have serious security issues, but not related to the
HTTPS problem you mention. Notes inline.

>
>
> The Ports used here are 3128->8080->8081 .
>
> Following is the configuration of my
> squid1.conf
> ----------------
> http_port 3128
> cache_peer 127.0.0.1 parent 8080 0 no-query proxy-only default
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_mem 8 MB
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> ##Changed for user authentication
> auth_param basic program /usr/lib/squid/pam_auth
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl all_dst dst 0.0.0.0/0.0.0.0

Um, these are essentially the same. Any reason you are duplicating? The
dst differs only in that it forces rDNS lookup before matching.

> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> ## Change for deny caching

??

> never_direct allow all
> no_cache deny all

Should be "cache deny all" nowadays.

> cache_access_log /var/log/squid/access.log

Should be "access_log /var/log/squid/access.log" nowadays.

> visible_hostname 192.168.10.175

visible_hostname is supposed to be a reversible DNS _hostname_.

> acl students src 192.168.10.2-192.168.10.25
> acl ttt src 192.168.10.25-192.168.10.254
> acl test dstdom_regex .yahoo.com .google.* .org
> acl test1 dstdom_regex .sun.* .oracle.*
> acl test2 dstdom_regex .rediff.*
> acl time1 time 00:00-23:00
> acl time2 time 09:00-23:00
> acl lpdf urlpath_regex pdf$ mp3$ gif$ gz$
> acl ljob url_regex -i ^http://*job*
> acl usr1 proxy_auth user3 user1
> http_access allow students usr1

So (students AND ('user1' OR 'user3')) are allowed to do anything
without limit?
Methinks the trio of deny lines below (excluding deny all) should be
above this line.

> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> coredump_dir /var/spool/squid
>
> Squid2.conf
> ---------------
> http_port 8081
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_access_log /usr/local/squid/var/logs/access.log
> cache_log /usr/local/squid/var/logs/cache.log
> cache_store_log /usr/local/squid/var/logs/store.log
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl our_networks src 192.168.0.0/24 192.168.1.0/24
> http_access allow Safe_ports

Anything which gets past the "deny !Safe_ports" safety line (good using
it at the top BTW) will make the above line essentially
"http_access allow all".

* coupled with the squid1 giving out publicly the IP of this box
* coupled with a wildcard "http_port 8081"

Results in this squid being an open-proxy for anyone who cares to scan it.

> http_access allow SSL_ports
> http_access allow our_networks
> http_access allow localhost
> http_access deny all

None of these have any effect. See above.

> http_reply_access allow all
> icp_access allow all
> cache_effective_user squid
> cache_effective_group squid

DON'T use cache_effective_user unless you really have to.
On top of that it's _far_ better to leave the group security to the OS,
even if you are forced to set cache_effective_user.

> visible_hostname 192.168.10.175

Same deal as for squid1.

> coredump_dir /usr/local/squid/var/cache
>
>
> Thanks for any help
>
> Regards
>
> Shiva Raman

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
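Amos suggests tracing a CONNECT by comparing what enters squid1 (its access.log) with what leaves squid2 (its access.log); anything squid1 forwarded to its parent that never reaches squid2 was dropped in between. The script below is an added example written for this archive page, not code from the thread, from Squid or from DansGuardian. It assumes both Squids write the native access.log format (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type); every log line in it is constructed for the example, including the user names, hosts and the documentation-range peer addresses.

```python
"""Cross-check CONNECT :443 traffic between the squid1 and squid2 access logs.

Added example for this archive page, not code from the thread or from Squid.
It assumes both Squids log in the native access.log format
(time elapsed client code/status bytes method url ident hierarchy/peer type)
and that a CONNECT host:443 which squid1 forwarded to its parent but which
never appears in squid2's log was dropped by what sits between them (DG in
the posted setup). All log lines below are constructed for the example.
"""

SQUID1_LOG = """\
1215700001.101    312 192.168.10.5 TCP_MISS/200 2311 GET http://www.google.com/ user1 DEFAULT_PARENT/127.0.0.1 text/html
1215700002.204    120 192.168.10.5 TCP_MISS/403 1455 CONNECT www.redhat.com:443 user1 DEFAULT_PARENT/127.0.0.1 text/html
1215700003.317   5044 192.168.10.7 TCP_MISS/200 9812 CONNECT mail.example.com:443 user3 DEFAULT_PARENT/127.0.0.1 -
1215700004.009    118 192.168.10.9 TCP_MISS/403 1455 CONNECT www.example.org:443 user1 DEFAULT_PARENT/127.0.0.1 text/html
1215700005.500      0 192.168.10.30 TCP_DENIED/407 1700 CONNECT www.redhat.com:443 - NONE/- text/html
"""

SQUID2_LOG = """\
1215700001.150    260 127.0.0.1 TCP_MISS/200 2311 GET http://www.google.com/ - DIRECT/198.51.100.10 text/html
1215700003.360   4990 127.0.0.1 TCP_MISS/200 9812 CONNECT mail.example.com:443 - DIRECT/192.0.2.25 -
"""


def parse_native(text):
    """Yield one dict per native-format access.log line (malformed lines skipped)."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        code, _, status = f[3].partition("/")
        hierarchy, _, peer = f[8].partition("/")
        yield {"time": float(f[0]), "client": f[2], "code": code,
               "status": int(status), "method": f[5], "url": f[6],
               "user": f[7], "hierarchy": hierarchy, "peer": peer}


def connect_443(entries):
    return [e for e in entries
            if e["method"] == "CONNECT" and e["url"].endswith(":443")]


def dropped_between(squid1_text, squid2_text, window=10.0):
    """Return (url, status, user) for CONNECT :443 requests that squid1
    handed to its parent but squid2 never logged within `window` seconds.

    Entries squid1 refused itself (TCP_DENIED, hierarchy NONE) are skipped:
    those are squid1's own http_access or auth decisions, not the filter's.
    """
    upstream = connect_443(parse_native(squid2_text))
    missing = []
    for e in connect_443(parse_native(squid1_text)):
        if e["code"] == "TCP_DENIED" or e["hierarchy"] == "NONE":
            continue
        seen = any(u["url"] == e["url"] and abs(u["time"] - e["time"]) <= window
                   for u in upstream)
        if not seen:
            missing.append((e["url"], e["status"], e["user"]))
    return missing


if __name__ == "__main__":
    for url, status, user in dropped_between(SQUID1_LOG, SQUID2_LOG):
        print(f"{url:24} squid1 status {status} user {user}: not seen at squid2")
```

Run it against the real files with `dropped_between(open("/var/log/squid/access.log").read(), open("/usr/local/squid/var/logs/access.log").read())`; the 403s that squid1 logs with a parent hierarchy but no matching squid2 entry are the ones to take to the DG configuration.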
Received on Thu Jul 10 2008 - 12:43:51 MDT
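Two of Amos's config notes come down to http_access line order: in squid1 the "allow students usr1" line sits above the port safety denies, and in squid2 "allow Safe_ports" short-circuits every source-based line after it, which is what makes the box an open proxy. The evaluator below is an added example written for this archive page, not code from the thread or from Squid. It models only the ACL types the posted configs use (src, port, method, proxy_auth) and Squid's first-match rule, leaves the manager lines out, treats a missing credential as a plain non-match rather than a 407 challenge, and uses constructed client addresses (203.0.113.0/24 is a documentation range standing in for "the internet"). The "fixed" and "reordered" rule sets are my reading of Amos's advice, not text from the thread.

```python
"""First-match evaluator for Squid http_access lines (added example).

Illustrative code written for this archive page, not code from the
squid-users thread, from Squid or from DansGuardian. It models only the ACL
types the two posted configs use (src, port, method, proxy_auth) and Squid's
rule that the first http_access line whose ACLs all match decides; if no
line matches, the result is the opposite of the last line's action.
"""
import ipaddress


class Request:
    def __init__(self, src, port, method="GET", user=None):
        self.src = ipaddress.ip_address(src)
        self.port = port
        self.method = method
        self.user = user  # None: no proxy credentials presented


def _match_src(spec, req):
    # CIDR ("192.168.0.0/24"), dotted mask ("127.0.0.1/255.255.255.255")
    # or an address range ("192.168.10.2-192.168.10.25"), as in the posts
    for item in spec:
        if "-" in item:
            lo, hi = (ipaddress.ip_address(x) for x in item.split("-"))
            if lo <= req.src <= hi:
                return True
        elif req.src in ipaddress.ip_network(item, strict=False):
            return True
    return False


def _match_port(spec, req):
    for item in spec:
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
            if lo <= req.port <= hi:
                return True
        elif req.port == int(item):
            return True
    return False


MATCHERS = {
    "src": _match_src,
    "port": _match_port,
    "method": lambda spec, req: req.method in spec,
    # Real Squid sends a 407 challenge first; modelled here as a non-match.
    "proxy_auth": lambda spec, req: req.user is not None and req.user in spec,
}


def evaluate(acls, rules, req):
    """Return 'allow' or 'deny' for req, following http_access semantics.

    acls:  {name: (acl_type, [values, ...])}
    rules: [(action, [acl_name, ...])]; a leading '!' negates that ACL.
    """
    for action, refs in rules:
        for ref in refs:
            acl_type, spec = acls[ref.lstrip("!")]
            matched = MATCHERS[acl_type](spec, req)
            if matched == ref.startswith("!"):  # this ACL fails the line
                break
        else:
            return action  # every ACL on the line matched: first match wins
    return "deny" if rules[-1][0] == "allow" else "allow"


COMMON_ACLS = {
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
    "localhost": ("src", ["127.0.0.1/255.255.255.255"]),
    "SSL_ports": ("port", ["443", "563"]),
    "Safe_ports": ("port", ["80", "21", "443", "563", "70", "210",
                            "1025-65535", "280", "488", "591", "777"]),
    "CONNECT": ("method", ["CONNECT"]),
}

# squid2 as posted: "allow Safe_ports" fires for every request that survived
# "deny !Safe_ports", so the source-based lines after it never run.
SQUID2_ACLS = {**COMMON_ACLS,
               "our_networks": ("src", ["192.168.0.0/24", "192.168.1.0/24"])}
SQUID2_POSTED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["Safe_ports"]),
    ("allow", ["SSL_ports"]),
    ("allow", ["our_networks"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]
# Same ACLs with the two port-only allow lines dropped (assumed fix).
SQUID2_FIXED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["our_networks"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# squid1 as posted: the allow line sits above the port safety denies, so an
# authenticated student can CONNECT to any port, e.g. 25.
SQUID1_ACLS = {**COMMON_ACLS,
               "students": ("src", ["192.168.10.2-192.168.10.25"]),
               "usr1": ("proxy_auth", ["user3", "user1"])}
SQUID1_POSTED = [
    ("allow", ["students", "usr1"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["all"]),
]
SQUID1_REORDERED = [  # safety denies first, then the allow (assumed fix)
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["students", "usr1"]),
    ("deny", ["all"]),
]

if __name__ == "__main__":
    internet = Request("203.0.113.5", 80)                      # constructed
    student = Request("192.168.10.5", 25, "CONNECT", "user1")  # constructed
    print("squid2 posted, internet GET :80   ", evaluate(SQUID2_ACLS, SQUID2_POSTED, internet))
    print("squid2 fixed,  internet GET :80   ", evaluate(SQUID2_ACLS, SQUID2_FIXED, internet))
    print("squid1 posted, student CONNECT :25", evaluate(SQUID1_ACLS, SQUID1_POSTED, student))
    print("squid1 reordered, same request    ", evaluate(SQUID1_ACLS, SQUID1_REORDERED, student))
```

The point of the model is the `for ... else` in `evaluate`: a line is taken as soon as all its ACLs match, and nothing below it is consulted. That is why the posted squid2 rules answer "allow" for an arbitrary internet host on port 80 while the trimmed list answers "deny", and why moving squid1's allow line below the two port denies closes the CONNECT-to-port-25 path for authenticated students without affecting CONNECT to 443.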
