Filter SSL connections with squid proxy

2014-04
  • BrNathan

    We have an Ubuntu server between our network & the firewall for URL filtering. Of course SSL connections are a problem. I am looking into ways of doing some basic filtering. I have even thought of using sslstrip & squid, but this doesn't seem like a very good solution. Does anyone have a suggestion of how I might be able to do this? I searched a lot of Google, but didn't really get any good answers... perhaps that is because there are none?

    Thanks!

  • Answers
  • sdanelson

    At the current time I don't think you can do this with squid. The potential is there:

    We believe it is technically possible to implement dynamic certificate generation for transparent connections. Doing so requires turning Squid transaction handling steps upside down, so that the secure connection with the server is established before the secure connection with the client. The implementation will be difficult, but it will allow Squid to get the server name from the server certificate and use that to generate a fake server certificate to give to the client. Quality patches or sponsorships welcomed.

    Source: see limitations section of http://wiki.squid-cache.org/Features/DynamicSslCert

    I know of at least one commercial solution that does this. There may be more.

  • cstamas

    Well, you cannot do this. SSL is made to prevent any kind of manipulation/modification.

    You can block entire hosts, but you cannot see the url the user sees.

  • Marcus K

    The question is a bit old but still relevant to answer.

    What is "basic SSL filtering" to you? Do you want to filter HTTPS (SSL-wrapped HTTP) or filter everything on port 443?

    ufdbGuard is a URL filter for Squid that, besides the straightforward URL-based filtering, also probes port 443 to find out what type of traffic is going through Squid. ufdbGuard recognises SSL+HTTP, SSH, various tunnels/VPNs and various major chat applications, and unrecognised protocols are marked as "unknown protocol". ufdbGuard can block each type, and can enforce the use of valid SSL certificates and the use of a FQDN.
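    Squid releases from 3.5 onward added an SSL Bump "peek and splice" mode that can do the host-level blocking cstamas describes without decrypting anything: Squid reads the TLS ClientHello (SNI) and then either closes the connection or passes the encrypted bytes through untouched. The following squid.conf fragment is an added example, not code from any of the answers above or from the Squid project's documentation; the CA path and the blocked domain are placeholders.

```conf
# Added example: SNI-based host blocking with Squid SSL Bump (peek/splice).
# Assumed: Squid 3.5 or later built with SSL support, a CA cert+key in a
# single PEM at /etc/squid/ca.pem (placeholder; in Squid 4+ the option is
# spelled tls-cert=), and an explicit proxy on port 3128.

# ssl-bump requires a cert= even when nothing is ever bumped (decrypted).
http_port 3128 ssl-bump cert=/etc/squid/ca.pem

# SslBump1 = CONNECT received, SslBump2 = ClientHello (SNI) seen.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Host names to refuse; matched against the SNI at step 2.
# .example-blocked.invalid is a placeholder for your own blocklist.
acl blocked_sites ssl::server_name .example-blocked.invalid

# Step 1: peek at the ClientHello so the SNI becomes available.
ssl_bump peek step1

# Step 2: close blocked connections; tunnel everything else unmodified.
# No decryption happens, so client certificate warnings are avoided and
# the TLS session stays end-to-end between browser and origin server.
ssl_bump terminate blocked_sites
ssl_bump splice all
```

Because the decision is made on the SNI only, the filter sees host names (as cstamas notes), never URL paths; log entries for terminated connections show up in access.log with the CONNECT host, which is where to check that the blocklist is actually matching.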
  • Related Question

    Squid Proxy Antivirus - Recommendations / Performance
  • Jon Rhoades

    Due to our users' increasing expertise at downloading viruses and the like, we are investigating adding Antivirus to our Squid proxy.

    A casual Google reveals several free and one paid:

    None of the 'free' ones have reached v1 yet, nor do any inspire huge confidence from their websites (although of course I would rather they spent their time on the app rather than their website!).

    Does anybody have experience with any of these (or any other similar apps)? If so, are they suitable for a production network with 400ish concurrent users, and what sort of CPU/RAM requirements do they have?

    --

    Also while we are at it - Would you recommend using ClamAV as the scanning engine or something like McAfee?


  • Related Answers
  • Deutsch

    I've implemented two anti-virus proxy servers using HAVP and ClamAV and it has worked well for the last year or so. Even though HAVP hasn't reached a 1.0 version yet, it has been very stable.

    If you go the HAVP route, make sure to check out the implementation recommendations located at http://havp.hege.li/forum/viewtopic.php?f=2&t=11. You will want to make a "Squid sandwich" with a copy of Squid running before and after requests make it to HAVP.

    The CPU/RAM requirements aren't that bad since you won't be scanning downloads over a certain size. On a 50 user network we're running HAVP and ClamAV on an older 2.8 GHz Xeon server with 2 GB of RAM with no problem. There was also no noticeable difference in speed between running Squid alone or with HAVP scanning enabled.

    With regards to what scanner(s) to use, I have used ClamAV in mail servers for a long time and it's quite good in that niche. However, the level of protection offered for HTTP clients doesn't seem to be as comprehensive at this time. (But ClamAV is continually getting better so I'm sure that won't be true for long.) We use it as a second level of defense in addition to Sophos on the Windows client boxes and they work very well together.

  • llazzaro

    With this guide I configured Squid + c_icap + ClamAV and I found it to be the best, at least for now, for Squid plus automatic antivirus. It will deny any file with a virus from downloading from the internet (provided, of course, that ClamAV detects it).

    I tried some of the list, like viralator (but the project seems dead).

    Hope it helps!
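    The Squid side of a c-icap + ClamAV setup is a handful of ICAP directives. This squid.conf fragment is an added example, not taken from llazzaro's guide or from the c-icap project; the c-icap address and the service path are assumptions to be matched to your own c-icap.conf.

```conf
# Added example: hand HTTP bodies to a c-icap server for ClamAV scanning.
# Assumed: Squid 3.1+, c-icap listening on 127.0.0.1:1344, and the ClamAV
# scanning module registered under the service path "virus_scan"
# (the path depends on the c-icap module installed; check c-icap.conf).

icap_enable on
icap_send_client_ip on          # lets c-icap log which client fetched the file
icap_send_client_username off
icap_preview_enable on
icap_preview_size 1024          # c-icap can skip non-executable types after 1 KB

# Scan server responses (downloads) before they reach the cache or the client.
# bypass=0 fails closed: if c-icap is unreachable, Squid returns an error
# instead of silently serving unscanned content (bypass=1 would wave it through).
icap_service av_resp respmod_precache bypass=0 icap://127.0.0.1:1344/virus_scan
adaptation_access av_resp allow all

# Optionally scan request bodies (uploads) with the same service.
icap_service av_req reqmod_precache bypass=0 icap://127.0.0.1:1344/virus_scan
adaptation_access av_req allow all
```

To verify the chain without a live sample, fetch a known-harmless test signature file such as the EICAR test string through the proxy and confirm that Squid returns c-icap's block page while the same fetch without the proxy succeeds.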

  • Steve-o

    HAVP uses a multi-process design like Apache to handle many simultaneous requests whilst protecting against memory leaks and faults in the anti-virus scanner libraries or subsystems.

    A Squid cache sandwich is best if you require caching, but beware that these days most websites are rather public-cache unfriendly, so the benefit is only useful for large resources such as YouTube videos.

    I've gone from the Squid sandwich to a plain HAVP setup due to the minimal benefit. For example, Google Update likes running partial range requests, which are highly non-conducive to being cached.