[squid-users] Squid v3.3.8 & SSL Bumping Issues

From: David Marcos <davem.business_at_gmail.com>
Date: Tue, 8 Jul 2014 22:17:42 -0400

Hi,

I have been attempting to configure SSL bumping with Squid v3.3.8. I
have a well configured Squid proxy for HTTP and HTTP Intercept
proxying. I am now trying to expand the configuration to bump SSL
connections. I believe I have the basics of the configuration correct
for both direct HTTPS proxying as well as intercepted HTTPS, but am
having a few issues that I would appreciate some input on.
Specifically:

     a. HTTPS Page Rendering: Some HTTPS pages load fine. However, I
have found that if I try to log in to online banking or other secure
pages that either (1) the page does not render properly (I get flat,
unorganized text) or (2) the page simply does not load. With respect
to the latter, some pages simply bring me right back to the login
page; there seems to be some kind of behind-the-scenes redirection
that is being rejected and preventing logging in. What
recommendations might anyone have to tweak my configuration to address
these issues?

     b. HTTP Strict Transport Security (HSTS): Some pages flat-out
reject any SSL bumping due to HSTS. I am using Chrome, which I'm sure
aggravates the issue. Is there a way to configure Squid to get around
HSTS? (Yes, I know this may be a dumb question given how HSTS works,
but would appreciate any insight.)

Fundamentally, my intent is to set up Squid for home use to block
advertising, malware, and in particular, perform content adaptation.
One of my specific goals is to modify search URL paths to restrict
explicit search returns (e.g. affixing "&safe=active" to any Google
search path). I have additionally configured ICAP with SquidClamav,
multiple ACLs for blocking of ads and malware, and SquidGuard for
additional domain and URL blocking. SquidGuard is also successfully
manipulating *unencrypted* Google, Yahoo, and Bing URL paths to insert
commands to suppress explicit search returns. (I should note that
when I tested out SSL bumping, I disabled ICAP, SquidGuard, and ACLs
for blocking of ads and malware; the issues described above
persisted.)

Below is my squid.conf file to help out.

Thanks in advance,

Dave

#########BEGIN FILE#############
hosts_file /etc/hosts
visible_hostname proxyserver
shutdown_lifetime 5 seconds
coredump_dir /tmp

dns_nameservers 192.168.1.1 208.67.222.222 208.67.220.220
half_closed_clients off
negative_ttl 0
negative_dns_ttl 2 minutes

http_port 127.0.0.1:3128

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/certs/cert.crt key=/etc/squid3/certs/cert.key

http_port 192.168.1.1:3129 intercept

https_port 192.168.1.1:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/certs/cert.crt key=/etc/squid3/certs/cert.key

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /disk/dyn-certs/sslcrtd_db -M 4MB
sslcrtd_children 5

udp_incoming_address 192.168.1.1
pinger_enable off
forwarded_for delete
via off

memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 1 MB
minimum_object_size 0 KB
maximum_object_size 64 MB
memory_pools off
cache_mem 256 MB
cache_dir aufs /disk/squid-cache 25000 32 512
cache_swap_low 95
cache_swap_high 97
ipcache_size 10240
fqdncache_size 2048
quick_abort_min 0 KB
quick_abort_max 0 KB
max_filedescriptors 4096
read_ahead_gap 512 KB

client_lifetime 6 hours
connect_timeout 10 seconds

log_icp_queries off
buffered_logs on
debug_options ALL,1
logformat squid %tg %6tr %>A %Ss/%03>Hs UA=%{User-Agent}>h XFF=%{X-Forwarded-For}>h CKE=- %rm %ru %un %Sh/%<A %mt BYTES=%<st
access_log stdio:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none #/var/log/squid/store.log

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service sqclamav_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access sqclamav_req allow all
icap_service sqclamav_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access sqclamav_resp allow all

refresh_pattern -i \.(gif|png|jpg|jpeg|ico|bmp)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|m3u|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 259200 override-expire ignore-no-store ignore-no-cache ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|pptx|doc|docx|xls|xlsx|tiff)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i exe$ 0 50% 259200
refresh_pattern -i zip$ 0 50% 259200
refresh_pattern -i tar\.gz$ 0 50% 259200
refresh_pattern -i tgz$ 0 50% 259200
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (\.cgi$|/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

acl SSL_ports port 443 21 563 445 1494 2598 5006
acl Safe_ports port 21 80 443 563 70 210 280 488 591 777 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
acl FTP proto FTP

acl lan src 192.168.1.0/24
acl vpn src 192.168.12.0/24
acl to_lan dst 192.168.1.0/24
acl to_vpn dst 192.168.12.0/24

acl malware_stinks dstdomain "/disk/squidguard/blacklist_acls/suspiciousdomains_Medium.txt"
acl ad_regex url_regex -i "/disk/squidguard/blacklist_acls/ad_block_easylist.txt"
acl privacy_regex url_regex -i "/disk/squidguard/blacklist_acls/privacy_easylist.txt"
deny_info http://www.lan/malware.html malware_stinks
deny_info http://www.lan/adregex.html ad_regex
deny_info http://www.lan/privacy.html privacy_regex

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access deny malware_stinks
http_access deny ad_regex
http_access deny privacy_regex

http_access allow localhost manager
http_access deny manager
http_access allow localhost purge
http_access deny purge
http_access allow FTP localhost
http_access allow FTP lan
http_access allow FTP vpn
http_access allow lan
http_access allow to_lan
http_access allow vpn
http_access allow localhost

http_access deny all

http_reply_access allow all

icp_access allow lan
icp_access allow vpn
icp_access deny all

snmp_access allow lan
snmp_access allow vpn
snmp_access deny all

htcp_access allow lan
htcp_access allow vpn
htcp_access deny all

always_direct allow lan
always_direct allow vpn

ssl_bump none localhost
ssl_bump server-first lan
ssl_bump server-first vpn
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

request_header_replace Accept */*
request_header_replace Accept-Encoding gzip
request_header_replace Accept-Language en
request_header_replace From
request_header_replace Referer
request_header_replace Cookie
request_header_replace Cookie2

request_header_add DNT 1

request_header_access Allow allow all
request_header_access Authorization allow all
# corresponds to above replace acl
request_header_access From deny !to_lan
# corresponds to above replace acl
request_header_access Referer deny !to_lan
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
# corresponds to above replace acl
request_header_access Accept deny !to_lan
request_header_access Accept-Charset deny !to_lan
# corresponds to above replace acl
request_header_access Accept-Encoding deny !to_lan
# corresponds to above replace acl
request_header_access Accept-Language deny !to_lan
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Other allow all
request_header_access Cookie allow all
request_header_access Cookie2 allow all
# Corresponds to DNT header add/replace above
request_header_access DNT deny all
request_header_access All deny !to_lan

reply_header_access Allow allow all
reply_header_access Authorization allow all
reply_header_access Proxy-Authorization allow all
reply_header_access Proxy-Authenticate allow all
reply_header_access Content-Encoding allow all
reply_header_access Content-Length allow all
reply_header_access Content-Type allow all
reply_header_access Date allow all
reply_header_access Expires allow all
reply_header_access Host allow all
reply_header_access If-Modified-Since allow all
reply_header_access Last-Modified allow all
reply_header_access Location allow all
reply_header_access Pragma allow all
reply_header_access Accept allow all
reply_header_access Accept-Charset allow all
reply_header_access Accept-Encoding allow all
reply_header_access Accept-Language allow all
reply_header_access Content-Language allow all
reply_header_access Mime-Version allow all
reply_header_access Retry-After allow all
reply_header_access Title allow all
reply_header_access Connection allow all
reply_header_access User-Agent allow all
reply_header_access Other allow all
reply_header_access Set-Cookie allow all
reply_header_access Set-Cookie2 allow all
reply_header_access Transfer-Encoding allow all
reply_header_access Strict-Transport-Security allow all
reply_header_access DNT allow all

reply_header_access WWW-Authenticate deny !to_lan
reply_header_access Server deny !to_lan
reply_header_access Link deny !to_lan
reply_header_access All deny !to_lan

## SquidGuard
# This sets up 10 SquidGuard programs; 5 ready-to-go; 10 idled-and-prepped-to-go;
# and threading for a total of 15 SquidGuard handlers available to tackle blocking
# Note *do not* use the concurrency option; it crashes SquidGuard
url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
url_rewrite_children 15 startup=5 idle=10
url_rewrite_bypass off
url_rewrite_access allow all
##########END FILE################
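A worked check of what the posted header policy does to a request, added here as an example and not part of the original post or of Squid itself: it replays the request_header_access and request_header_replace rules from a constructed excerpt of the config above, assuming Squid's documented evaluation (first matching rule wins, no match gives the opposite of the last rule, a denied header is replaced only when request_header_replace names it), and lists the two directives that let the bumping proxy accept any upstream certificate. Squid's "Other" bucket for header names it does not know is left out of the model.

```python
# Constructed excerpt of the posted squid.conf: only the directives this check needs.
SQUID_CONF = """\
request_header_replace Accept */*
request_header_replace Accept-Encoding gzip
request_header_replace Referer
request_header_replace Cookie
request_header_access Referer deny !to_lan
request_header_access Accept deny !to_lan
request_header_access Accept-Encoding deny !to_lan
request_header_access Cookie allow all
request_header_access Other allow all
request_header_access All deny !to_lan
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

def parse(conf):
    """Collect header rules (file order), replacement values and upstream-TLS directives."""
    access, replace, tls = {}, {}, []
    for line in conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"): continue
        if parts[0] == "request_header_access":
            access.setdefault(parts[1].lower(), []).append((parts[2], parts[3:]))
        elif parts[0] == "request_header_replace":
            replace[parts[1].lower()] = " ".join(parts[2:])  # "" when no value is given
        elif parts[0] in ("sslproxy_cert_error", "sslproxy_flags"):
            tls.append(" ".join(parts))
    return access, replace, tls

def acl_true(acl, to_lan):
    """Evaluate the only ACL names the posted rules use: all, to_lan and !to_lan."""
    return (acl.lstrip("!") == "all" or to_lan) != acl.startswith("!")

def header_outcome(conf, header, to_lan):
    """Fate of one header: ('allow', None), ('replace', value) or ('remove', None); no own rules -> 'All'."""
    access, replace, _ = parse(conf)
    h = header.lower()
    rules = access.get(h) or access.get("all") or []
    # First matching rule wins; with no match the default is the opposite of the last rule.
    action = next((act for act, acls in rules if all(acl_true(a, to_lan) for a in acls)), None)
    if action is None and rules:
        action = "allow" if rules[-1][0] == "deny" else "deny"
    if action != "deny":
        return ("allow", None)
    return ("replace", replace[h]) if h in replace else ("remove", None)

def insecure_upstream_tls(conf):
    """Directives that make the bumping proxy accept any upstream server certificate."""
    return [d for d in parse(conf)[2] if "DONT_VERIFY_PEER" in d or d.startswith("sslproxy_cert_error allow")]
```

For an external (non-LAN) site the replay shows Referer blanked, Accept-Encoding forced to gzip, and every unlisted known header such as If-None-Match dropped, while Cookie passes because its own allow rule is matched before the final "All deny".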
Received on Wed Jul 09 2014 - 02:33:19 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 09 2014 - 12:00:07 MDT