Re: [squid-users] IP detection when using SSL/HTTPS

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 07 May 2011 04:00:39 +1200

On 06/05/11 22:55, Stefan Baur wrote:
> Hi list,
>
> I have been using the following squid.conf snippet for a while:
>
> #----------------------------
> acl thisisanip url_regex ^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?) ^[0-9\.]*$
>
> acl whitelist dstdomain "/etc/squid/whitelist.txt"
> acl whitelist_ip dst "/etc/squid/whitelist_ip.txt"
>
> #Check IP Whitelist
> http_access allow thisisanip whitelist_ip
> http_access deny thisisanip
>
> #Check Domain Whitelist
> http_access allow whitelist
>
> # And finally deny all other access to this proxy
> http_access deny all
> #----------------------------
>
> I believe the url_regex snippet was even provided by Henrik in
> <http://www.mail-archive.com/squid-users@squid-cache.org/msg26777.html>
>
> The reason for adding the thisisanip acl was that squid took a loooooong
> time accessing IPs.
> I'm not *exactly* sure why, but I believe squid tries a reverse DNS
> lookup for each IP and tries to compare the result with the names listed
> in the domain-name-based whitelist, which is time-consuming, especially
> if there is no name associated with the IP in question.
> With the above setup, squid will check:
> 1) a) it is an IP and 1) b) it is in the whitelist ==>Allow, no need for
> DNS lookups
> 2) it is an IP ==> since it wasn't in the allowed list from above, deny
> it, no need for DNS lookups
> 3) it is a domain listed in the whitelist ==> Allow
> 4) catch-all ==> Deny
>
> This has worked like a charm so far, but now I am running into the issue
> that I need SSL/HTTPS connects to IPs.
> When using SSL/HTTPS, url_regex doesn't work.
>
> Any suggestions how I can emulate that behavior?

The ^[0-9\.]*$ is not quite correct for HTTPS/CONNECT. It needs to
account for :port as well as IP.

Already or soon you will also be seeing IPv6 requests.

This is the current-day version of what Henrik posted:

acl thisisanip url_regex -i
   ^[^:]*://([^/@]*@)?\[?[0-9\.:a-f]*(\]|/|$|\?)
   ^[0-9\.:a-f]*$

(line insisted on wrapping so I've manually wrapped it at the only
actual whitespace).

> I understand that url_regex'ing is not supported because the URL may
> contain sensitive information and/or is encrypted, and that's a Good
> Thing [TM] - but I wouldn't need the entire URL anyway, just the host part.

  - "sensitive information" claims are FUD. It is only (partially)
relevant when logging the URL. And then only if the login password is
sent in the clear.

  - URL being encrypted inside HTTPS is only a problem if you are
matching the path section (urlpath_regex). domain:port are still there.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Fri May 06 2011 - 16:00:48 MDT
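To see concretely why the old pattern misses HTTPS and what the updated one changes, here is an added Python harness (not from the thread or from Squid) that runs both versions of the thisisanip acl over constructed sample request URLs. The sample URLs are made up; the `-i` flag is modelled as `re.IGNORECASE`; and the assumption is that these patterns behave the same under Python's `re` as under Squid's POSIX regex, which holds because they use only character classes, groups and anchors. The run also exposes a caveat worth checking against your own access.log before deploying: because the updated class `[0-9\.:a-f]` admits hex letters, a hostname made only of a-f letters and dots (`cafe.de`) is treated as an IP and falls through to the IP rules.

```python
import re

# The two whitespace-separated alternatives Amos gives for the updated acl,
# matched case-insensitively as the "-i" flag requests.
NEW_PATTERNS = (
    r"^[^:]*://([^/@]*@)?\[?[0-9\.:a-f]*(\]|/|$|\?)",  # scheme://[user@]host...
    r"^[0-9\.:a-f]*$",                                  # bare host[:port] (CONNECT)
)

# The original snippet from Stefan's squid.conf, kept for comparison.
OLD_PATTERNS = (
    r"^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?)",
    r"^[0-9\.]*$",
)


def is_ip_url(url: str, patterns=NEW_PATTERNS, ignore_case: bool = True) -> bool:
    """Return True if any alternative of the url_regex acl matches this request URL."""
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, url, flags) for p in patterns)


# Constructed sample request URLs (not taken from the page). For a CONNECT
# request the acl is evaluated against the bare "host:port" target rather than
# a scheme://... URL, which is exactly the shape the old pattern never matches.
SAMPLES = [
    "http://192.0.2.10/",                    # plain IPv4 URL
    "http://user:pw@192.0.2.10/index.html",  # userinfo before the IP
    "192.0.2.10:443",                        # CONNECT target: IPv4 plus port
    "https://[2001:db8::1]/",                # bracketed IPv6 literal
    "2001:db8::1:443",                       # unbracketed IPv6 CONNECT target
    "http://example.com/",                   # hostname: must not match
    "example.com:443",                       # hostname CONNECT target: must not match
    "https://cafe.de/",                      # hex-only hostname: over-matched by NEW
]


def compare(urls=SAMPLES):
    """Return {url: (old_matches, new_matches)} for each sample URL."""
    return {u: (is_ip_url(u, OLD_PATTERNS), is_ip_url(u, NEW_PATTERNS)) for u in urls}


if __name__ == "__main__":
    for url, (old, new) in compare().items():
        print(f"{url:40} old={old!s:5} new={new}")
```

Run it and the third and fifth rows show the point of Amos's reply: `192.0.2.10:443` and the IPv6 target match only the updated acl, so with the old one every HTTPS CONNECT to an IP fell through to the dstdomain whitelist and its reverse lookups. The last row is the precision trade-off to keep in mind; if such hostnames appear in your traffic, list them explicitly in whitelist.txt or tighten the class.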