SSLBUMP without MITM

doktornotor

If you want SSL bump to have any chance of working, you need this patch on top of latest Squid package on pfSense. Now, with that patch, whatever is whitelisted should get through (spliced), the rest will get bumped (and dealth with by stuff like Squidguard or whatever else, again, not tested, will not touch). Since, that's the approach that was there from the very beginning and that made sense for users. Making a transparent TCP tunnel is not exactly the goal people are trying to produce.

susamlicubuk

hi bbassotti

The following topic maybe helps you

https://forum.pfsense.org/index.php?topic=123874.0

tadaog

This peek and slice permits Squidguard and Squid to block https://pages according the rules set in SquidGuardian/Squid, without decoding the rest of the pages.

Usually it's just what everybody needs!

I've learned this in pratice and tried it with OpnSense (a fork of pfSense) and I've been hugely surprised how effective it is!

So I copied and pasted from their squid.conf the excerpt below in the Service/Squid Proxy Server/General/Show Advanced Options/Custom ACLS (Before Auth):

setup ssl bump acl's

acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

configure bump

ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all

ssl_bump bump

sslproxy_cert_error deny all

tadaog

This procedure (after activating SSL Filtering in the SSL Man in the Middle Filtering) does this job wonderfully, and WITHOUT the need of Man In the Middle Filtering, without any need of certs added to the clients.

Only the URL is decoded and blocked (or permitted) as configured in Squidguard/Squid.

I use pfBlockerNG too for the others critical blockings that need to be done on the battlefield that the Internet has become today!

tadaog

Sorry, I forgot to say that I'm using this without Transparent Proxy.

I'm using proxy.pac (and symlinks to it: wpad.dat and wpad.da) in the following way:

1. Installed Shellcmd, Cron, Squidguard and Squid packages.

2. in Services/Shellcmd, click Add
       Add Command:
           /usr/local/etc/rc.d/nginx onestart
       Shellcmd Type:
           shellcmd
       Description:
           2nd. instance nginx for wpad
       and click Save.

3. In Services/Cron, click Add
       Fill Minute with */3, User root and Command
           [ -f /var/run/nginx.pid ] && true || /usr/local/etc/rc.d/nginx onestart

4. My pfSense firewall has LAN IP 192.168.192.1, so you change the IP to YOUR pfSense IP in the proxy.pac I pasted right after this post and use Diagnostics/Edit File to copy, paste and save in /usr/local/www/nginx/proxy.pac

5. Create symlinks wpad.dat and wpad.da of proxy.pac in the same directory.

6. Create rules to force proxy use. The clients that use Detect Automatically in the browser usually gets thru the proxy, but follow the instructions that you'll find in this forum about wpad.dat configuration in Squid.

7. Client browsers may be configured to use proxy by manual configuration of course.

tadaog

The proxy.pac I use follows:

function FindProxyForURL(url, host) {

var wpad = "DIRECT";
  // Return wpad;  // by-pass when you wish to put Squid Proxy offline without removing proxy.pac

host = host.toLowerCase();

var hostIP;
  var isIpV4Addr = /^(\d+.){3}\d+$/;

if (isIpV4Addr.test(host))
    hostIP=host;
  else
    hostIP=dnsResolve(host);
  if (hostIP != 0) {
    if (isPlainHostName(host) ||
        shExpMatch(host, ".local") ||
        shExpMatch(host, ".localdomain.local") ||
        shExpMatch(hostIP, "10.") ||
        shExpMatch(hostIP, "192.168.") ||
        shExpMatch(hostIP, "127.") ||
        isInNet(hostIP, "172.16.0.0", "255.240.0.0") ||
        shExpMatch(host, "fe80::"))
      return wpad;
// Main LAN
    var myIP = myIpAddress();
    if (shExpMatch(myIP, "169.254.*") ||
        isInNet(myIP, "192.168.192.0", "255.255.252.0"))
      wpad = "PROXY 192.168.192.1:3128; DIRECT";
// For additional LAN subnets (example)
    else if (isInNet(myIP, "192.168.198.0", "255.255.252.0"))
      wpad = "PROXY 192.168.198.1:3128; DIRECT";
  }
  return wpad;
}

bbassotti

@tadaog:

This peek and slice permits Squidguard and Squid to block https://pages according the rules set in SquidGuardian/Squid, without decoding the rest of the pages.

Usually it's just what everybody needs!

I've learned this in pratice and tried it with OpnSense (a fork of pfSense) and I've been hugely surprised how effective it is!

So I copied and pasted from their squid.conf the excerpt below in the Service/Squid Proxy Server/General/Show Advanced Options/Custom ACLS (Before Auth):

setup ssl bump acl's

acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

configure bump

ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all

ssl_bump bump

sslproxy_cert_error deny all

Thank you ! This work also with transparent proxy  :)

fabiomello

i am the person who did this change to opnsense, if you want and the maintaner of package accepts, i could do a pull request with this change.
note: it works only with domain and not with complete urls, because dont do the intercept

doktornotor

@fabiomello:

i am the person who did this change to opnsense, if you want and the maintaner of package accepts, i could do a pull request with this change.

So, this could be pretty much rewritten to:

setup ssl bump acl's

acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

configure bump

ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

sslproxy_cert_error deny all

@fabiomello:

note: it works only with domain and not with complete urls, because dont do the intercept

Yes, that is the problem. It does not intercept. Most of the code does nothing, as indicated above. It splices everything, you are finished with the stuff after the red line marked above [1].

What the code in pfSense Squid attempts to do is: do NOT intercept 'Whitelist' ACL (that's what your no-op bump_nobumpsites ACL attempts to do but the code is just not used anywhere) and intercept the rest [2]

[1] https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1539
[2]
https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1826
https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1887

I must be missing something here.

tadaog

doktornotor:

You patch does getting the full https URL only and wonderfully, it we put ".*" at the whitelist, so that squidguard can do its job of denying or allowing it according its rules, exactly as it does with http.

So, to summarize, putting in the whitelist field:

.*

and squidGuard does its jobs with http and https URLs!!!

doktornotor

OK, so I guess there are no changes really required for the SquidGuard + SSL usecase. Thanks for feedback.

jimp

To summarize, this does work with transparent interception without installing a CA on clients, but I can only get it to see the domain name, not the full URL as some in the thread have stated.

• Squid General tab, Show Advanced Options, Custom ACLs (before auth)

acl bump_step1 at_step SslBump1
ssl_bump peek bump_step1 all
ssl_bump splice all
sslproxy_cert_error deny all

• ACLs tab, whitelist:```
  .*

When squidGuard blocks it kills the connection, it doesn't redirect or do anything nice.

And naturally this doesn't let you see the body so no chance for AV or similar to check the contents.

doktornotor

@jimp: As I understand the previous post, there's really no need to put anything into Custom ACLs; the code is equivalent to what we have in the package already when you whitelist everything (.*) - there's

ssl_bump splice whitelist
ssl_bump bump all

(and the second line won't have anything to match left when you've whitelisted everything)

jimp

Ah, so all you need is the whitelist ".*" and the rest happens automatically? Cool. That does seem to work.

doktornotor

Yeah, it's basically "supertransparent", as in - no certificates forged/no need to install certs on clients. (And yeah, obviously it's limited in sense that you just get enough info about the connection for SquidGuard to do its job, but nothing else, i.e., no content filtering/AV/etc.)

Perhaps could use some hints in the GUI…

jimp

Would be nice to kick that in somehow when CA = "None" when using SSL Interception, or at least allow CA = None to be set in that case. It doesn't seem like that should be necessary since it isn't going to be using the CA when acting in that role. I haven't tried it though, maybe squid is dumb and still needs it set.

doktornotor

Yeah, afraid that's a no go, the certs are really required - plus, the ACL (whitelist) can be anything there and be changed at any time,  or have lines prepended/appended, really no way for Squid to figure out it's not going to need to fake any certs.

(But you could generate a temporary one for the CA in the background on each config resync; would need additional logic/code though in squid.inc. If you want something like this, I'd prefer having a separate checkbox for this, with some JS logic that'd gray out/disable unneeded MITM stuff in the GUI, and use a different ACL than the current whitelist for that, basically just use the built-in "all" one - like ssl_bump splice all)

shonjir

I'm running a variation of this config in transparent mode with squidguard and shallalist quite successfully.

I'm not sure why exactly, but this configuration improves over basic step 1 peek and splice all by allowing logging of the server certificate (instead of just IP address), domain blocking of SSL sites via squidguard list, and provides an alternate splice operation for certain sites that for some reason cannot connect after the certificate name is captured.

# peek at client TLS-request to get SNI
# peek at server cert (for logging)
# splice earlySplice at step 3 only
acl earlySplice ssl::server_name "*.crashplan.com"
ssl_bump peek step1
ssl_bump peek step2 earlySplice
ssl_bump splice step3 earlySplice
ssl_bump splice all
sslproxy_cert_error deny all

doktornotor

Well yes, that will no doubt improve splice since you get whole lot more information available at steps 2/3, as explained here:
https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1539

The above makes bumping impossible, however.

It's not possible to do zillion variants in the GUI. Use Advanced Options, Custom ACLs (before auth).

shonjir

The above makes bumping impossible, however.

This is understood.  For my use case, I don't need full blown MiTM - logging the site name and simple domain blocking are sufficient.

Right now I'm using custom ACLs for this.  It's a hack (because it supersedes the auto-generated ssl_bump directives that follow), but it works.

It would be nice if it were available as a simple toggle in the config or if the various ssl config options were exposed for customization under 'advanced', but it works reasonably well as-is.

Thank you for your work making this tool available!