Wednesday, July 30, 2014

Squid Transparent Proxy + Deny HTTPS Access (CONNECT method)



According to Wikipedia:




HTTP CONNECT tunneling



A variation of HTTP tunneling when behind an HTTP proxy server is to use the "CONNECT" HTTP method.1[2] In this mechanism, the client asks an HTTP proxy server to forward the TCP connection to the desired destination. The server then proceeds to make the connection on behalf of the client. Once the connection has been established by the server, the proxy server continues to proxy the TCP stream to and from the client. Note that only the initial connection request is HTTP - after that, the server simply proxies the established TCP connection.




This mechanism is how a client behind an HTTP proxy can access websites using SSL or TLS (i.e. HTTPS).



Not all HTTP proxy servers support this feature, and even those that do may limit the behaviour (for example only allowing connections to the default HTTPS port 443, or blocking traffic which doesn't appear to be SSL).




My question is:



Can I block the access for a Website, even though (later on) the access and traffic is HTTPS, but with initial HTTP request?







I'm trying to do something like this, but it just doesn't work:



acl social_networks dstdomain "/etc/squid3/acls/social_networks.acl"
http_access deny CONNECT social_networks all


The access to the Websites in this ACL are still working, even though I'm considering the CONNECT method.


Answer



yes, it is possible with squid acls to block access to https websites (we use squidguard for it). I think squid use the SNI information from modern browsers.




But you can't do it transparent (it is, but really not recommend to brake https connections in that ugly and insecure way). Users browser need to use the proxy port directly. Best way to force them is to block routing to wan interfaces or only to port 443. One good and flexible way to deploy the proxy settings is a auto configuration with wpad/pac files - specially when not every device is managed. On managed devices you can use gpos and so on to deploy the proxy settings.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...