[squid-users] Squid 3.5.15 - ERR_CONNECTION_REFUSED while accessing blocked non-HTTPS pages.
Irakli Gobejishvili
2017-04-12 14:24:31 UTC
Hello everyone.

I am successfully filtering HTTPS traffic with intercept/PBR setup and
users get my custom ERR_ACCESS_DENIED page from Squid. Permitted pages
(both HTTP/HTTPS) also work absolutely fine.

The problem is, when users try to access a filtered page with an HTTP request,
they get ERR_CONNECTION_REFUSED in their browsers instead of seeing
that custom deny page, and I see nothing in access.log, as if Squid never
even got the request. If I remove that domain from the deny ACL or access it
via HTTPS, then it works fine and can be seen in access.log. What can I do
to fix this?


Relevant fragment from configuration:

acl CONNECT method CONNECT
reply_header_access Alternate-Protocol deny all

ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

acl BADSITES ssl::server_name "/etc/squid/BADSITES"
acl USERS src 10.10.80.0/24

http_access deny BADSITES USERS
http_access allow USERS

http_port 3128
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/CA.pem
Amos Jeffries
2017-04-12 16:17:13 UTC
SSL-Bump features in Squid are still very volatile. What appears to be a
minor change can have big behaviour differences and security fixes
between any two releases. It is not worth anyone's time (including yours)
re-debugging and re-fixing an older release for things that have already
been fixed.

So, Rule #1 when using those features is to follow new releases. If any
problems are encountered try the very latest to see if it is fixed.
Today that is 3.5.25, or if 3.5 is still affected the 4.0.19 beta.
Post by Irakli Gobejishvili
Hello everyone.
I am successfully filtering HTTPS traffic with intercept/PBR setup and
users get my custom ERR_ACCESS_DENIED page from Squid. Permitted pages
(both HTTP/HTTPS) also work absolutely fine.
The problem is, when users try to access a filtered page with an HTTP request,
they get ERR_CONNECTION_REFUSED in their browsers instead of seeing
that custom deny page, and I see nothing in access.log, as if Squid never
even got the request. If I remove that domain from the deny ACL or access it
via HTTPS, then it works fine and can be seen in access.log. What can I do
to fix this?
What is the exact traffic behaviour that is going on?

"filtering HTTPS traffic with intercept/PBR setup" tells us nothing
about the tiny but critical input details that the security systems huge
differences in correct vs wrong behaviour hinge on.

And what do you think Squid is doing in reaction to that?
Post by Irakli Gobejishvili
acl CONNECT method CONNECT
reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
Ah, sure. Things can look like they are working well when you hide all
possible TLS/SSL errors from yourself (and the users).

Anything major could be going on and you are simply not seeing it.
Post by Irakli Gobejishvili
acl BADSITES ssl::server_name "/etc/squid/BADSITES"
acl USERS src 10.10.80.0/24
Missing:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_access deny !localhost manager
Post by Irakli Gobejishvili
http_access deny BADSITES USERS
http_access allow USERS
Missing:
http_access deny all
Post by Irakli Gobejishvili
http_port 3128
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/CA.pem
Amos
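As an added example (not code from this thread or from the Squid project), a small Python check that applies the points Amos raises to a constructed squid.conf fragment modelled on the one quoted above: it flags the two settings that hide certificate errors, the three protective deny rules absent before the first allow, and the missing final deny all. It assumes the ACL names of the default squid.conf (Safe_ports, SSL_ports, localhost, manager).

```python
# Constructed fragment modelled on the one quoted in the thread (not the poster's file).
SAMPLE_CONF = """\
acl CONNECT method CONNECT
reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
acl BADSITES ssl::server_name "/etc/squid/BADSITES"
acl USERS src 10.10.80.0/24
http_access deny BADSITES USERS
http_access allow USERS
http_port 3128
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on cert=/etc/squid/ssl_cert/CA.pem
"""

# Deny rules that the default squid.conf places before any allow rule
# (ACL names are case-sensitive in Squid; these are the default names).
EXPECTED_DENIES = [["!Safe_ports"], ["CONNECT", "!SSL_ports"], ["!localhost", "manager"]]


def lint_squid_conf(text):
    """Return a list of findings (strings) for a squid.conf fragment; [] means clean."""
    findings = []
    http_access = []  # (action, acl names) in file order; Squid uses first match
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "http_access" and len(parts) >= 2:
            http_access.append((parts[1], parts[2:]))
        elif parts[0] == "sslproxy_cert_error" and parts[1:3] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all hides every upstream certificate error")
        elif parts[0] == "sslproxy_flags" and "DONT_VERIFY_PEER" in ",".join(parts[1:]).split(","):
            findings.append("sslproxy_flags DONT_VERIFY_PEER disables peer certificate verification")
    # Protective denies only help if they come before the first allow rule.
    first_allow = next((i for i, (act, _) in enumerate(http_access) if act == "allow"), len(http_access))
    for acls in EXPECTED_DENIES:
        if not any(act == "deny" and names == acls for act, names in http_access[:first_allow]):
            findings.append("missing before the first allow: http_access deny " + " ".join(acls))
    # Without a final deny, an unmatched request gets the opposite of the last rule.
    if not http_access or http_access[-1] != ("deny", ["all"]):
        findings.append("missing final: http_access deny all")
    return findings


if __name__ == "__main__":
    for finding in lint_squid_conf(SAMPLE_CONF):
        print(finding)
```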
