[squid-users] Using SSL bump and reverse proxy for DNS sinkhole
thompsonm
2018-09-08 08:25:44 UTC
Hello, I have a question about squid SSL bump and reverse proxy. Basically
for a final project I want to create a DNS sinkhole, where the client tries
to query a domain that has a bad reputation or is known for drive-by
downloads etc, and the DNS server returns false information, such as an
internal IP. Then the client is redirected to this internal IP, where a web
server is listening, and makes the HTTP request as normal. All the HTTP
requests along with host, URL, client IP etc, are then logged. It's easy to
make this work with HTTP. However, I want it to work also with HTTPS. So
basically set up a MITM SSL proxy, where the proxy generates its own
certificate for the suspicious website the client is trying to connect to,
and then HTTP requests are forwarded to a web server listening on the same
host.

I'm not sure how to do this. Is there any way to do this with squid SSL bump
and reverse proxy?



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
Antony Stone
2018-09-08 08:41:54 UTC
Post by thompsonm
Hello, I have a question about squid SSL bump and reverse proxy. Basically
for a final project I want to create a DNS sinkhole, where the client tries
to query a domain that has a bad reputation or is known for drive-by
downloads etc, and the DNS server returns false information, such as an
internal IP. Then the client is redirected to this internal IP, where a web
server is listening, and makes the HTTP request as normal.
Okay, that makes sense (technically, at least) so far...
Post by thompsonm
All the HTTP requests along with host, URL, client IP etc, are then logged.
Yep, the web server (which I presume is run by you) will do that for you.
Post by thompsonm
It's easy to make this work with HTTP. However, I want it to work also with
HTTPS.
What's the difference? A web server can serve HTTPS as easily as it can serve
HTTP.
Post by thompsonm
So basically set up a MITM
In The Middle of what?

Client is one end, but what's at the "other end" of some connection you're in
the "middle" of?

Surely the other end is your own web server - I mean, you're trying to prevent
people from connecting to (certain) real sites by giving the clients fake DNS
replies, yes? So, they never end up on the real site, and there's no
connection for you to intercept.
Post by thompsonm
SSL proxy, where the proxy generates its own certificate for the suspicious
website the client is trying to connect to, and then HTTP requests are
forwarded to a web server listening on the same host.
This is over-complicated. You just need one of:

1. a web server which will generate an SSL certificate on the fly and then serve
HTTPS content back to the client using that certificate

or

2. a pile of SSL certificates which you generate using your own CA at the same
time you put the fake entries into DNS. After all, you know what domains
you're putting into your "DNS sinkhole", so just generate an SSL certificate
for each one as you do it, load them onto your web server, and there you go.

Basically, if you don't need to use Squid in intercept mode for the HTTP
solution, you don't need to use SSL Bump for the HTTPS solution.
Post by thompsonm
I'm not sure how to do this. Is there any way to do this with squid SSL
bump and reverse proxy?
Not that I can see, no, because there is no connection to be in the middle of
that you want to intercept. You want the client to be at one end, and your
own server at the other end, whether it's HTTP or HTTPS - in neither case do
you want clients to connect to the real servers.

Or, have I misunderstood something about your objective?


Antony.
--
<flopsie> yes, but this is #lbw, we don't do normal

Please reply to the list;
please *don't* CC me.
thompsonm
2018-09-08 09:00:41 UTC
"1. a web server which will generate an SSL certificate on the fly and then
serve HTTPS content back to the client using that certificate"

Is there a way to do this? The only way I can find is to use wildcard
certificates. But that's not what I'm trying to do.

"2. a pile of SSL certificates which you generate using your own CA at the
same time you put the fake entries into DNS. After all, you know what domains
you're putting into your "DNS sinkhole", so just generate an SSL certificate
for each one as you do it, load them onto your web server, and there you go."

This is not really feasible because the lists are always being updated. I
could write a script or something but I think it would be better just to
have a web server or proxy create the certificates when the client tries to
connect.



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
Antony Stone
2018-09-08 09:16:23 UTC
Post by thompsonm
"1. a web server which will generate an SSL certificate on the fly and then
serve HTTPS content back to the client using that certificate "
Is there a way to do this? The only way I can find is to use wildcard
certificates. But that's not what I'm trying to do.
I don't have a recipe for it, but I'd thought that since Squid can create a
certificate on demand, Apache or Nginx would be able to too.

If that's not feasible, though...
Post by thompsonm
"2. a pile of SSL certificates which you generate using your own CA at the
same time you put the fake entries into DNS. After all, you know what
domains you're putting into your "DNS sinkhole", so just generate an SSL
certificate for each one as you do it, load them onto your web server, and
there you go. "
This is not really feasible because the lists are always being updated.
So? Update the certificates at the same time as DNS. It'll be a lot less work
for your web server, too, just having to use a pre-existing certificate to
service a request, rather than having to generate a certificate every time it
sees the first request for a domain.
Post by thompsonm
I could write a script or something but I think it would be better just to
have a web server or proxy create the certificates when the client tries to
connect.
Agreed, but just in case it's not feasible, a script to generate SSL certs
from your DNS list certainly would be.

Either way, I don't see that Squid's MITM SSL Bump facility is a solution,
because as I said previously, you have no connection to be in the middle of.


Antony.
--
All generalisations are inaccurate.

Please reply to the list;
please *don't* CC me.
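The second option Antony describes (issue one certificate per sinkholed domain from your own CA at the same moment the fake DNS entry is created, and let the web server use pre-existing certificates) is straightforward to script. The script below is an added example for this thread; it is not code from either poster or from the Squid project. It assumes `openssl` on PATH, a constructed domain list (one name per line), a directory chosen via `SINKHOLE_DIR`, and a constructed sinkhole address of 10.0.0.5 emitted in dnsmasq `address=/domain/ip` syntax; the CA it creates must of course be installed as trusted on the lab clients before they will accept the certificates.

```shell
#!/bin/sh
# Added example (not from the thread): build a private sinkhole CA once, then
# issue one CA-signed leaf certificate per domain from the sinkhole list and
# print the matching DNS entry, so certificates and DNS are updated together.
# Assumptions: openssl on PATH; SINKHOLE_DIR and SINKHOLE_IP are ours, not the
# posters'; the domain list is a constructed sample.
set -eu

SINKHOLE_DIR="${SINKHOLE_DIR:-./sinkhole-pki}"
SINKHOLE_IP="${SINKHOLE_IP:-10.0.0.5}"   # constructed internal IP of the logging web server
CA_DAYS=3650
LEAF_DAYS=90

# Create the sinkhole CA (idempotent: does nothing if the CA key already exists).
make_ca() {
  mkdir -p "$SINKHOLE_DIR/ca" "$SINKHOLE_DIR/certs"
  [ -f "$SINKHOLE_DIR/ca/ca.key" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$SINKHOLE_DIR/ca/ca.key" -out "$SINKHOLE_DIR/ca/ca.crt" \
    -days "$CA_DAYS" -subj "/CN=DNS Sinkhole CA (lab)" >/dev/null 2>&1
}

# Accept only plain hostnames: the name becomes a file name, so reject anything
# with a slash, leading dot, empty label or other odd character.
valid_domain() {
  case "$1" in
    ''|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Issue one leaf certificate signed by the sinkhole CA. The subjectAltName
# extension is what browsers actually match against; the CN alone is ignored.
issue_leaf() {
  domain="$1"
  out="$SINKHOLE_DIR/certs/$domain"
  [ -f "$out.crt" ] && return 0          # already issued; keep the existing cert
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$out.key" -out "$out.csr" -subj "/CN=$domain" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$domain" > "$out.ext"
  openssl x509 -req -in "$out.csr" -CA "$SINKHOLE_DIR/ca/ca.crt" \
    -CAkey "$SINKHOLE_DIR/ca/ca.key" -CAcreateserial -days "$LEAF_DAYS" -sha256 \
    -extfile "$out.ext" -out "$out.crt" >/dev/null 2>&1
  rm -f "$out.csr" "$out.ext"
}

# The DNS side of the same update, in dnsmasq "address=" syntax.
dns_entry() {
  printf 'address=/%s/%s\n' "$1" "$SINKHOLE_IP"
}

# Run over the whole list: call this whenever the sinkhole list is refreshed.
# Prints the dnsmasq entries for every domain that got a certificate.
issue_from_list() {
  make_ca
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while read -r d; do
    if valid_domain "$d"; then
      issue_leaf "$d"
      dns_entry "$d"
    else
      printf 'skipping malformed entry: %s\n' "$d" >&2
    fi
  done
}

# Check that an issued leaf chains to the sinkhole CA and carries the domain in its SAN.
verify_leaf() {
  crt="$SINKHOLE_DIR/certs/$1.crt"
  openssl verify -CAfile "$SINKHOLE_DIR/ca/ca.crt" "$crt" >/dev/null 2>&1 &&
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q "DNS:$1"
}

# Usage: ./sinkhole-certs.sh sinkhole-list.txt >> /etc/dnsmasq.d/sinkhole.conf
if [ -n "${1:-}" ]; then
  issue_from_list "$1"
fi
```

Point the web server's virtual hosts at `$SINKHOLE_DIR/certs/<domain>.crt` and `.key` (or use the SNI-based certificate selection both Apache and Nginx offer), and reload it after each run; the script only ever adds certificates, so a re-run after a list update is cheap and only touches new names.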