Re: [squid-users] ACL blocks http, but not https

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 27 Oct 2010 23:10:16 +1300

Re-doing since my earlier mail seems to have gone astray.
Apologies if you get this twice.

On 27/10/10 01:12, Marc Muehlfeld wrote:
> Hello,
>
> I have blocked some URLs through an url_regex acl, which works, if the
> URL contains any protocol except https.
>
> The "blocked_urls.lst" file contains lines like:
> ([^\/]\.facebook\.com\/|[^\/]\.facebook\.com$|^.*://facebook\.com)+
> I've tested the regex using an online regex tester:
> "http://www.facebook.com" and "https://www.facebook.com" both match. But
> the https address can be reached, so I think, there must be a problem in
> my configuration (see below).

It does not match because the required URL details are not sent with HTTPS.

Also, regex is the second slowest ACL type possible in Squid. I've
outlined some steps you can make to improve the situation below...

(One of the side effects of the performance config is that it matches
both HTTP and HTTPS).

>
> I use 2.6.STABLE21 on CentOS 5.
>
> Regards,
> Marc
>
> # Define networks "all" and "localhost"
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
>

No need for netmask format:

  acl all src all
  acl localhost src 127.0.0.1

> # Default ports we allow
> acl Safe_ports port 21
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl Safe_ports port 8080
>
> # Deny requests to unknown ports
> http_access deny !Safe_ports
>
> # Only allow cachemgr access from localhost
> acl manager proto cache_object
> http_access allow manager localhost
> http_access deny manager
>
> # Deny CONNECT to other than SSL ports
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl CONNECT method CONNECT
> http_access deny CONNECT !SSL_ports

Good. Sort of.

NP: port 8443 is not listed as one of the Safe_ports. It will be blocked
before this line gets to allow it.

The fix is to either:
1) drop "acl SSL_ports port 8443"
or
2) add "acl Safe_ports port 8443"

>
> # Block access from all IPs to URLs out of this file
> acl blocked_urls url_regex "/etc/squid/blocked_urls.lst"
> deny_info ERR_BLOCKED_PRIVATE blocked_urls
> http_access deny all blocked_urls
>

Okay. As I said above regex is the second slowest ACL type in Squid.
(beaten only by external helpers which may take a long time to respond).

It's a 6-step process to fix:

Step 1) *remove* all entries from "blocked_urls.lst" meant to match
domain-only or IP-only. Add them instead to a dstdomain ACL. Let's call
it "A"

Step 2) add a new http_access deny line using the new step-1 ACL before
the "blocked_urls" line.

Step 3) *copy* any domains or IPs which are left in the
"blocked_urls.lst" into another new dstdomain ACL. Let's call this "B"

Step 4) replace the "all" in "deny all blocked_urls" with the name of
your new step-3 ACL.

Step 5) squid -k reconfigure (maybe a "squid -k parse" to check it's
going to restart cleanly)

Step 6) watch your CPU relax.

NOTICE: you now have three ACLs. Knowing what they do is important.

   The first "A" (from step-1) matches only on raw-IPs or domains
received in the URL. *including HTTPS* requests.

   The second "B" (from step-3) limits the slow full-url regex matches
to only be done on the domains or raw-IPs where they have a
possibility of matching and blocking something.

   The third (which was your blocked_urls.lst) matches the entire URL
including path. Patterns which include details about the path will only
match the protocols where a path is visible (i.e. not HTTPS).

What you need to take away from this is that 1) where possible add whole
domains and sets of sub-domains to "A", the first ACL, and 2) always make
sure that your second "B" and regex ACL are matched. New rules into the
regex need to be checked that the domain(s) they match are in the "B" list.

> # Allow access from all of our subnets
> acl MyNetworkMR_Srv src 192.168.29.0/24
> acl MyNetworkMR_Clt src 10.1.0.0/21
> http_access allow MyNetworkMR_Srv
> http_access allow MyNetworkMR_Clt
>
> # Allow access from localhost
> http_access allow localhost
>
> # Finally deny all other access to this proxy
> http_access deny all
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.8
   Beta testers wanted for 3.2.0.2
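The following script is an added illustration of steps 1 to 4 of the procedure above; it is not part of Amos's reply and not a Squid tool. It takes a block list in the style of blocked_urls.lst (a constructed sample, containing the regex quoted in the thread plus made-up entries), moves the plain domain and IP entries into a dstdomain ACL "A", pulls the domains named inside the remaining regexes into a dstdomain ACL "B" (escaped-dot label sequences, a heuristic that is an assumption of this example), and emits the squid.conf fragment in which the url_regex ACL is only evaluated for "B" hosts. Regexes from which no domain could be extracted are reported separately, because, as the reply warns, such a rule would never be checked unless its host is added to "B" by hand. The ACL names blocked_domains and regex_domains are assumptions as well.

```python
"""Split a Squid url_regex block list into the three ACLs described in
the reply: "A" (dstdomain, whole hosts/IPs), "B" (dstdomain, hosts named
inside the remaining regexes) and the url_regex list itself, which is now
only evaluated for requests to "B" hosts.  Added example, not Squid's own
tooling; ACL names and the sample list are assumptions."""
import ipaddress
import re

# Constructed sample blocked_urls.lst (the facebook pattern is the one
# quoted in the thread, every other entry is made up for this example).
SAMPLE_LIST = r"""
# domain-only entries: these belong in a dstdomain ACL
facebook.com
.twitter.example
192.0.2.10
# full-URL regexes: the path part is only visible for plain HTTP,
# an HTTPS request only shows Squid the CONNECT host:port
([^\/]\.facebook\.com\/|[^\/]\.facebook\.com$|^.*://facebook\.com)+
^http://[^/]*\.games\.example/arcade/
^.*/tracking-pixel/
"""

REGEX_META = set("[](){}*+?|^$\\")          # any of these marks a regex entry
LABEL = r"[A-Za-z0-9-]+"
PLAIN_HOST = re.compile(rf"{LABEL}(?:\.{LABEL})+")
# labels joined by escaped dots, e.g. facebook\.com inside a regex (heuristic)
ESCAPED_DOMAIN = re.compile(rf"(?:{LABEL}\\\.)+{LABEL}")


def is_plain_host(entry):
    """True for an entry with no regex metacharacters that is a host name
    (optionally with a leading dot) or an IP literal: an "A" candidate."""
    if any(ch in REGEX_META for ch in entry):
        return False
    host = entry.lstrip(".")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return PLAIN_HOST.fullmatch(host) is not None


def domains_in_regex(pattern):
    """Hosts a regex can only ever match, found as escaped-dot label runs."""
    return {m.group(0).replace("\\.", ".").lower()
            for m in ESCAPED_DOMAIN.finditer(pattern)}


def split_blocklist(text):
    """Return (A hosts, B domains, remaining regexes, regexes with no
    extractable domain).  The last list needs a manual "B" entry."""
    a_hosts, b_domains, regexes, ungated = set(), set(), [], []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if is_plain_host(entry):            # step 1: whole host -> "A"
            a_hosts.add(entry)
            continue
        regexes.append(entry)               # stays in the url_regex file
        found = domains_in_regex(entry)     # step 3: its hosts -> "B"
        if found:
            b_domains.update(found)
        else:
            ungated.append(entry)
    return a_hosts, b_domains, regexes, ungated


def render_squid_conf(a_hosts, b_domains, listfile="/etc/squid/blocked_urls.lst"):
    """Steps 2 and 4: the squid.conf fragment.  A leading dot in a
    dstdomain entry means the domain and all of its sub-domains."""
    lines = [
        "# ACL A: fast dstdomain lookup, also sees the host of HTTPS CONNECT requests",
        *(f"acl blocked_domains dstdomain {h}" for h in sorted(a_hosts)),
        "http_access deny blocked_domains",
        "",
        "# ACL B: hosts that the remaining regexes can match at all",
        *(f"acl regex_domains dstdomain .{d}" for d in sorted(b_domains)),
        "",
        "# the slow url_regex is now only evaluated for requests to B hosts",
        f'acl blocked_urls url_regex "{listfile}"',
        "deny_info ERR_BLOCKED_PRIVATE blocked_urls",
        "http_access deny regex_domains blocked_urls",
    ]
    return "\n".join(lines) + "\n"


def render_regex_list(regexes):
    """Contents of the trimmed blocked_urls.lst after step 1."""
    return "\n".join(regexes) + "\n"


if __name__ == "__main__":
    a, b, rx, ungated = split_blocklist(SAMPLE_LIST)
    print(render_squid_conf(a, b))
    print("# new blocked_urls.lst:\n" + render_regex_list(rx))
    for pattern in ungated:
        print(f"# WARNING: no host found in {pattern!r}; add its host to ACL B by hand")
```

Run it as-is to see the generated fragment; on a real list, replace SAMPLE_LIST with the file contents and review the warnings before running squid -k parse. The domain extraction is deliberately conservative: it only trusts labels joined by escaped dots, so a regex written without them lands in the warning list rather than silently becoming a rule that "B" never lets Squid evaluate.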
Received on Wed Oct 27 2010 - 10:10:22 MDT