Netgate Discussion Forum

Squid as transparent HTTP/HTTPS whitelist only proxy

Cache/Proxy
6 Posts 2 Posters 3.3k Views
    cloudfw, Jul 11, 2018, 7:39 AM

    Has anyone managed to get Squid working as a whitelist-only transparent SSL proxy?

    The goal is to:

    • Whitelist only allowed HTTP/HTTPS URLs (remove 'Allow users on interface')
    • Use wildcard domain names like *.google.com (so no SquidGuard)
    • No certificate installation requirements on clients (Splice All)

    I found several links, but none works as expected. When 'Allow users on interface' is checked, all traffic including HTTPS works as expected.

    Any help very welcome.

      marcelloc, Jul 11, 2018, 8:11 PM

      Did you try to include just a . on the blacklist?

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

        cloudfw @marcelloc, Jul 12, 2018, 12:13 PM (edited 12:24 PM)

        @marcelloc

        This will give the same result as removing 'Allow users on interface'; the error returned is:

        'The following error encountered while trying to retrieve the URL: https://168.63.16.185/* Access Denied'

        So it is like the DNS part is working but Squid does not have access itself.

        The realtime logs state this for portal.azure.com (on the whitelist):
        12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
        12.07.2018 12:10:59 10.0.1.100 TAG_NONE/403 https://portal.azure.com/ - -
        12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
        12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
        12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443

        It works perfectly for HTTP-only sites.

          marcelloc @cloudfw, Jul 12, 2018, 12:59 PM

          @cloudfw said in Squid as transparent HTTP/HTTPS whitelist only proxy:

          This will give the same result as removing 'Allow users on interface'; the error returned is:
          'The following error encountered while trying to retrieve the URL: https://168.63.16.185/* Access Denied'
          So it is like the DNS part is working but Squid does not have access itself.

          Squid in splice-all transparent proxy mode checks ACLs based on the remote server certificate, but if the client tries to send a direct HTTPS connection to the server, I can't see a way that Squid will associate it with the domain you whitelisted.

          Try the OpenAppID feature from the Snort package (without intercepting traffic with Squid); see if it can identify what site/application is trying this direct connect.

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

            cloudfw @marcelloc, Jul 12, 2018, 1:12 PM

            @marcelloc But why is it working with HTTP then? Same thing: DNS lookup, then direct HTTP-to-IP traffic. Have you had this HTTPS setup working?

              marcelloc @cloudfw, Jul 12, 2018, 1:16 PM

              @cloudfw said in Squid as transparent HTTP/HTTPS whitelist only proxy:

              @marcelloc But why is it working with HTTP then? Same thing: DNS lookup, then direct HTTP-to-IP traffic. Have you had this HTTPS setup working?

              Because HTTP traffic is not encrypted, Squid can see the packet content. With SSL in splice-all mode, Squid does not intercept the connection; it just tries to check the server certificate before establishing a tunnel between the client and the server.

              Elite Training: http://sys-squad.com

              Help a community developer! ;D

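The log excerpt cloudfw posted illustrates what marcelloc's explanation turns on: the plaintext HTTP request is logged with its URL, while the spliced HTTPS connections are logged only as an ip:port pair, so a dstdomain-style whitelist has no hostname to match against. The following Python script is an added example and is not code from the thread, from pfSense or from Squid. It assumes the realtime-log layout visible above (date, time, client, result/status, destination), a dstdomain-style whitelist with assumed patterns, and one constructed allowed HTTP line; it sorts denials into bare-IP targets, whitelisted hostnames that were still denied, and everything else.

```python
"""Classify Squid realtime-log entries by destination type.

Added example; not code from the thread, pfSense or Squid.  Assumed log layout
(as seen in the pfSense realtime log quoted in the thread):

    dd.mm.yyyy HH:MM:SS client result/status destination [user] [-]

where "destination" is either a full URL (a plaintext HTTP request Squid parsed)
or an ip:port pair (an intercepted TLS connection Squid could only peek at).
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample input: the denied lines from the thread plus one
# constructed allowed HTTP line so that both outcomes appear in the summary.
SAMPLE_LOG = """\
12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
12.07.2018 12:10:59 10.0.1.100 TAG_NONE/403 https://portal.azure.com/ - -
12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443 - -
12.07.2018 12:10:59 10.0.1.100 TCP_DENIED/200 168.63.16.185:443
12.07.2018 12:11:03 10.0.1.100 TCP_MISS/200 http://www.example.com/index.html - -
"""

# Assumed whitelist in Squid dstdomain style: a leading dot matches the domain
# and every subdomain, a bare name matches exactly.
WHITELIST = [".azure.com", ".example.com"]

LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d{3}) (?P<dest>\S+)"
)


@dataclass
class Entry:
    client: str
    result: str
    status: int
    host: str       # hostname when Squid saw one, otherwise the bare IP
    bare_ip: bool   # True when only an IP was available to match ACLs against
    denied: bool


def destination_host(dest):
    """Return (host, bare_ip) for a URL or an ip:port / [ipv6]:port destination."""
    if "://" in dest:
        host = urlsplit(dest).hostname or dest
    elif dest.startswith("["):           # [ipv6]:port
        host = dest[1:dest.index("]")]
    else:                                # ipv4:port or hostname:port
        host = dest.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return host, True
    except ValueError:
        return host, False


def parse_line(line):
    """Parse one log line; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, bare_ip = destination_host(m.group("dest"))
    result, status = m.group("result"), int(m.group("status"))
    return Entry(
        client=m.group("client"), result=result, status=status,
        host=host, bare_ip=bare_ip,
        # TCP_DENIED covers refused tunnels; a 403 covers a refused request
        denied=(result == "TCP_DENIED" or status == 403),
    )


def matches_whitelist(host, patterns=WHITELIST):
    """dstdomain-style match: '.d.com' matches d.com and *.d.com, 'd.com' only d.com."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def summarize(log_text, patterns=WHITELIST):
    """Bucket entries so the 'whitelisted name, still denied' case stands out.

    Returns a dict of Counters keyed by host:
      allowed            - requests Squid let through
      denied_whitelisted - hostnames on the whitelist that were still denied
      denied_bare_ip     - denials where only an IP was available to match
      denied_other       - hostnames not on the whitelist
    """
    buckets = {k: Counter() for k in
               ("allowed", "denied_whitelisted", "denied_bare_ip", "denied_other")}
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if not entry.denied:
            buckets["allowed"][entry.host] += 1
        elif entry.bare_ip:
            buckets["denied_bare_ip"][entry.host] += 1
        elif matches_whitelist(entry.host, patterns):
            buckets["denied_whitelisted"][entry.host] += 1
        else:
            buckets["denied_other"][entry.host] += 1
    return buckets


if __name__ == "__main__":
    for bucket, counts in summarize(SAMPLE_LOG).items():
        print(f"{bucket}: {dict(counts)}")
```

Run against the sample, the four TCP_DENIED lines land in denied_bare_ip under 168.63.16.185, the TAG_NONE/403 line lands in denied_whitelisted under portal.azure.com, and the constructed HTTP line is counted as allowed. A large denied_bare_ip bucket next to an empty denied_other bucket is the signature of the situation in the thread: the names are whitelisted, but the spliced connections never present a name the ACL can use.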
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.