Martin Hanson
2018-05-13 01:55:56 UTC
Hi,
I have a setup with a PF firewall that intercepts HTTP and HTTPS traffic and forwards that to Squid. Squid is setup to log all traffic and it uses a SSL bump for the HTTPS traffic.
In the setup I have a whitelist of domains that doesn't get logged, the rest of the traffic gets logged and redirected to SquidGuard for further blacklisting. All that works great.
What I cannot figure out is how to add a couple of local IP addresses that can ONLY access the whitelist (or possibly ANOTHER whitelist) and nothing else on the Internet.
The ACL for the "windows_boxes" is the one that is supposed to ONLY access the whitelisted domains. However, when I enter the URL https://www.mojang.com I get a "Access denied". However, if I add a NON-SSL domain to the whitelist, then those works.
This is my current squid.conf. I know I am overlooking something, but I cannot figure out what I am doing wrong.
<SNIP>
acl step1 at_step SslBump1
acl localnet src 192.168.1.0/24
# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202
acl whitelist ssl::server_name .mojang.com .minecraft.net d2pi0bc9ewx28h.cloudfront.net mcupdate.tumblr.com minecraft-textures-1196058387.us-east-1.elb.amazonaws.com .steampowered.com .steamcommunity.com .steamgames.com .steamusercontent.com .steamcontent.com .steamstatic.com .akamaihd.net .ubuntu.com
# We don't want the whitelist to be cached.
cache deny whitelist
# We want direct access on the whitelist.
always_direct allow whitelist
# Don't redirect to SquidGuard.
redirector_access deny whitelist
# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# !!! THIS ISN'T WORKING !!! ubuntu.com, mojang.com still gets blocked on these boxes.
http_access deny windows_boxes !whitelist
http_access allow localhost
http_access allow localnet
http_access deny all
# We'll intercept trafic using PF.
http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file
# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
ssl_bump splice whitelist
ssl_bump peek step1
ssl_bump bump all
# We want the query strings as well.
strip_query_terms off
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>
Any feedback would be greatly appreciated! Thank you in advance!
Kindest regards.
I have a setup with a PF firewall that intercepts HTTP and HTTPS traffic and forwards that to Squid. Squid is setup to log all traffic and it uses a SSL bump for the HTTPS traffic.
In the setup I have a whitelist of domains that doesn't get logged, the rest of the traffic gets logged and redirected to SquidGuard for further blacklisting. All that works great.
What I cannot figure out is how to add a couple of local IP addresses that can ONLY access the whitelist (or possibly ANOTHER whitelist) and nothing else on the Internet.
The ACL for the "windows_boxes" is the one that is supposed to ONLY access the whitelisted domains. However, when I enter the URL https://www.mojang.com I get a "Access denied". However, if I add a NON-SSL domain to the whitelist, then those works.
This is my current squid.conf. I know I am overlooking something, but I cannot figure out what I am doing wrong.
<SNIP>
acl step1 at_step SslBump1
acl localnet src 192.168.1.0/24
# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202
acl whitelist ssl::server_name .mojang.com .minecraft.net d2pi0bc9ewx28h.cloudfront.net mcupdate.tumblr.com minecraft-textures-1196058387.us-east-1.elb.amazonaws.com .steampowered.com .steamcommunity.com .steamgames.com .steamusercontent.com .steamcontent.com .steamstatic.com .akamaihd.net .ubuntu.com
# We don't want the whitelist to be cached.
cache deny whitelist
# We want direct access on the whitelist.
always_direct allow whitelist
# Don't redirect to SquidGuard.
redirector_access deny whitelist
# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# !!! THIS ISN'T WORKING !!! ubuntu.com, mojang.com still gets blocked on these boxes.
http_access deny windows_boxes !whitelist
http_access allow localhost
http_access allow localnet
http_access deny all
# We'll intercept trafic using PF.
http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file
# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
ssl_bump splice whitelist
ssl_bump peek step1
ssl_bump bump all
# We want the query strings as well.
strip_query_terms off
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>
Any feedback would be greatly appreciated! Thank you in advance!
Kindest regards.