I have a squid proxy in transparent mode:
- all port 80 and 443 traffic is redirected to the squid proxy via nftables
- squid has a set of whitelisted sites / domain names and blocks anything else by default
I have noticed that the block-by-default policy works fine for most websites but not for youtube.com (which should not be accessible).
Here is a sample of my squid log when a user is viewing youtube video:
1758713693.077     33 192.168.140.14 TCP_DENIED/403 5646 POST https://rr1---sn-uxah5-uoge.googlevideo.com/videoplayback? - HIER_NONE/- text/html
1758713693.249    124 192.168.140.14 NONE_NONE/000 0 CONNECT 172.217.148.134:443 - ORIGINAL_DST/172.217.148.134 -
1758713693.254      4 192.168.140.14 TCP_DENIED/403 5661 POST https://rr1---sn-woc7knes.googlevideo.com/videoplayback? - HIER_NONE/- text/html
1758713693.335     38 192.168.140.14 NONE_NONE/000 0 CONNECT 102.16.77.8:443 - ORIGINAL_DST/102.16.77.8 -
1758713693.336      0 192.168.140.14 TCP_DENIED/403 5646 POST https://rr1---sn-uxah5-uoge.googlevideo.com/videoplayback? - HIER_NONE/- text/html
1758713693.463     98 192.168.140.14 NONE_NONE/000 0 CONNECT 172.217.148.134:443 - ORIGINAL_DST/172.217.148.134 -
1758713693.465      1 192.168.140.14 TCP_DENIED/403 5661 POST https://rr1---sn-woc7knes.googlevideo.com/videoplayback? - HIER_NONE/- text/html
1758713697.835     27 192.168.140.14 NONE_NONE/000 0 CONNECT 102.16.77.8:443 - ORIGINAL_DST/102.16.77.8 -
1758713697.837      0 192.168.140.14 TCP_DENIED/403 5646 POST https://rr1---sn-uxah5-uoge.googlevideo.com/videoplayback? - HIER_NONE/- text/html
1758713697.967    103 192.168.140.14 NONE_NONE/000 0 CONNECT 172.217.148.134:443 - ORIGINAL_DST/172.217.148.134 -
1758713697.968      0 192.168.140.14 TCP_DENIED/403 5661 POST https://rr1---sn-woc7knes.googlevideo.com/videoplayback? - HIER_NONE/- text/html
1758713698.035     31 192.168.140.14 NONE_NONE/000 0 CONNECT 102.16.77.8:443 - ORIGINAL_DST/102.16.77.8 -
1758713698.037      0 192.168.140.14 TCP_DENIED/403 5646 POST https://rr1---sn-uxah5-uoge.googlevideo.com/videoplayback? - HIER_NONE/- text/html
1758713701.213     27 192.168.140.14 NONE_NONE/000 0 CONNECT 102.16.77.8:443 - ORIGINAL_DST/102.16.77.8 -
1758713701.214      0 192.168.140.14 TCP_DENIED/403 5647 POST https://rr1---sn-uxah5-uoge.googlevideo.com/videoplayback? - HIER_NONE/- text/html
1758713701.360    105 192.168.140.14 NONE_NONE/000 0 CONNECT 172.217.148.134:443 - ORIGINAL_DST/172.217.148.134 -
As you can see:
- The request to rr1---sn-uxah5-uoge.googlevideo.com is effectively blocked
- Right after that, the user's browser initiates a CONNECT to the raw IP address, which passes, thus allowing him to view the YouTube video despite squid filtering youtube.
Some websites like facebook.com and whatsapp.com also feature this strange behavior.
I need your help to figure out how to prevent these types of events.
Notes:
- OS : Debian 12
- Squid version : Squid Cache: Version 5.7 installed from official Debian 12 repository
- Squid configuration : paste bin
- Squid CA certificate has been deployed to all clients.
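The following is an added example, not code from the original post or from the Squid project. It parses access.log lines in Squid's default `squid` logformat (timestamp, elapsed ms, client, action/status, bytes, method, URL, ident, hierarchy/peer, MIME type) and flags the pattern described above: CONNECT entries whose target is a bare IP address, forwarded via ORIGINAL_DST, that closely follow a TCP_DENIED for the same client. The sample lines are the first six entries copied from the log in the question; the one-second pairing window is an assumption chosen for illustration.

```python
"""Flag bare-IP CONNECTs that slip past a domain whitelist in Squid's access.log."""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Field layout of Squid's default "squid" logformat:
#   timestamp elapsed client action/status bytes method url ident hierarchy/peer mime
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# First six entries copied from the log posted in the question (not constructed).
SAMPLE_LOG = """
1758713693.077     33 192.168.140.14 TCP_DENIED/403 5646 POST https://rr1---sn-uxah5-uoge.googlevideo.com/videoplayback? - HIER_NONE/- text/html
1758713693.249    124 192.168.140.14 NONE_NONE/000 0 CONNECT 172.217.148.134:443 - ORIGINAL_DST/172.217.148.134 -
1758713693.254      4 192.168.140.14 TCP_DENIED/403 5661 POST https://rr1---sn-woc7knes.googlevideo.com/videoplayback? - HIER_NONE/- text/html
1758713693.335     38 192.168.140.14 NONE_NONE/000 0 CONNECT 102.16.77.8:443 - ORIGINAL_DST/102.16.77.8 -
1758713693.336      0 192.168.140.14 TCP_DENIED/403 5646 POST https://rr1---sn-uxah5-uoge.googlevideo.com/videoplayback? - HIER_NONE/- text/html
1758713693.463     98 192.168.140.14 NONE_NONE/000 0 CONNECT 172.217.148.134:443 - ORIGINAL_DST/172.217.148.134 -
"""


def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not match."""
    m = SQUID_LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = float(e["ts"])
    e["elapsed"] = int(e["elapsed"])
    e["status"] = int(e["status"])
    e["bytes"] = int(e["bytes"])
    return e


def parse_log(text):
    """Parse all recognisable lines, silently skipping blank or foreign ones."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def request_host(entry):
    """Host of the request: CONNECT targets are host:port, other methods carry a full URL."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname or ""


def is_literal_ip(host):
    """True when the host is an IPv4/IPv6 literal rather than a name a domain ACL could match."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def denied_hosts(entries):
    """Count of denied requests per destination host."""
    return Counter(request_host(e) for e in entries if e["action"] == "TCP_DENIED")


def bare_ip_connects(entries):
    """CONNECT entries addressed to an IP literal instead of a hostname."""
    return [e for e in entries
            if e["method"] == "CONNECT" and is_literal_ip(request_host(e))]


def bypass_candidates(entries, window=1.0):
    """Pair each bare-IP CONNECT with the latest TCP_DENIED from the same client
    within `window` seconds before it (window is an assumed value)."""
    pairs = []
    for c in bare_ip_connects(entries):
        prior = [d for d in entries
                 if d["client"] == c["client"] and d["action"] == "TCP_DENIED"
                 and 0 <= c["ts"] - d["ts"] <= window]
        if prior:
            pairs.append((c, max(prior, key=lambda d: d["ts"])))
    return pairs


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("denied hosts:", dict(denied_hosts(entries)))
    for connect, denied in bypass_candidates(entries):
        print(f"{connect['client']}: CONNECT {connect['url']} via {connect['hier']}/{connect['peer']} "
              f"{connect['ts'] - denied['ts']:.3f}s after denial of {request_host(denied)}")
```

Run against a full access.log (`parse_log(open('/var/log/squid/access.log').read())`) to get a per-client count of how often a denied hostname is followed by a raw-IP CONNECT; the same `request_host` check separates entries a `dstdomain` ACL can see from entries that only carry an IP literal.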