I tried to create a whitelist for use with an HTTPS proxy that intercepts SSL. The environment is the one built last time: **Create Proxy with Active Directory linkage and SSL interception with squid easily with docker**.
The whitelist or blacklist URLs are written as url_regex patterns, as follows.
**When representing a specific domain, including subdomains** The following example represents the domain qiita.com, including its subdomains.
whitelist
^(https*://)*([^/][^/]*\.)*qiita\.com(:443|:80)*(/.*)*$
**When representing a specific domain, including subdomains, and combining several domain strings that share a common part** The following example represents slack.com or slack-edge.com, including subdomains.
whitelist
^(https*://)*([^/][^/]*\.)*slack(-edge)*\.com(:443|:80)*(/.*)*$
Prepare the whitelist above as a text file and load it as a url_regex acl in squid.conf. The -i makes the match case-insensitive. Squid evaluates http_access lines in order and stops at the first match, so this allow line has to come before the final deny all.
squid.conf
acl whitelist url_regex -i "/etc/squid/whitelist"
http_access allow whitelist
Whitelisting only the FQDN will let you connect to a malicious site.
For example, suppose you write this on your whitelist:
whitelist
qiita\.com
But this also matches when the same string appears in the path or as part of another host's name:
match_url
https://example.com/qiita.com/exploit.js
https://qiita.com.example.com/exploit.js
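To see the difference concretely, here is an added example (not from the original post) that checks the bare pattern and the anchored pattern against constructed URLs with grep -E, whose POSIX extended regex dialect is the one Squid's url_regex uses; the -i on grep mirrors the -i on the acl line. The url_matches and verdict helpers and the legitimate sample URLs are assumptions for illustration; the anchored pattern is the working one given at the top of the post.

```shell
#!/bin/sh
# Added example, not from the original post: exercise Squid url_regex patterns
# offline with grep -E (POSIX ERE, the dialect Squid's url_regex uses); -i
# mirrors the "-i" flag on the acl line.

# url_matches PATTERN URL -> exit status 0 when PATTERN matches URL
url_matches() {
    printf '%s\n' "$2" | grep -Eiq -e "$1"
}

# verdict PATTERN URL -> prints ALLOW or DENY, as "http_access allow whitelist" would decide
verdict() {
    if url_matches "$1" "$2"; then echo ALLOW; else echo DENY; fi
}

# The bare FQDN pattern from the post, and the anchored form that replaces it.
BARE='qiita\.com'
ANCHORED='^(https*://)*([^/][^/]*\.)*qiita\.com(:443|:80)*(/.*)*$'

# Constructed sample URLs: the two attacker-controlled ones from the post plus
# a legitimate root and subdomain URL (assumed examples).
URLS='https://qiita.com/
https://zine.qiita.com/articles
https://example.com/qiita.com/exploit.js
https://qiita.com.example.com/exploit.js'

# report PATTERN -> one ALLOW/DENY line per sample URL
report() {
    printf '%s\n' "$URLS" | while IFS= read -r url; do
        printf '%-6s %s\n' "$(verdict "$1" "$url")" "$url"
    done
}

echo "bare pattern: $BARE"
report "$BARE"          # ALLOW for all four, including both exploit URLs
echo "anchored pattern: $ANCHORED"
report "$ANCHORED"      # ALLOW for the two qiita.com URLs, DENY for the two exploit URLs
```

The anchored pattern denies the exploit URLs because `[^/]` cannot cross the `/` after example.com, and because the only things allowed immediately after qiita\.com are a port, a slash, or the end of the string, so qiita.com.example.com cannot slip through either.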
So why not write it like this, anchoring on the scheme at the start of the string, to allow a particular domain name including its subdomains?
whitelist
^https*://([^/][^/]*\.)*qiita\.com/
This was no good. For an HTTPS connection the browser first sends a CONNECT request for qiita.com:443, and the URL that url_regex sees for that request is just qiita.com:443, with no scheme and no path, so the pattern above never matches it. In the log below, the two TCP_DENIED/407 lines are the proxy authentication challenge; the TCP_DENIED/200 line for the authenticated user is the rejection of the CONNECT.
squid_log
TCP_DENIED/407 4054 CONNECT qiita.com:443 - HIER_NONE/- text/html
TCP_DENIED/407 4424 CONNECT qiita.com:443 - HIER_NONE/- text/html
TCP_DENIED/200 0 CONNECT qiita.com:443 PROSPER2\\USERNAME HIER_NONE/- -
So let's account for the scheme and the port number in the previous rule, and while we're at it allow :80 for plain HTTP as well: the scheme at the start of the string becomes optional, and so does the port number after the FQDN.
whitelist
^(https*://)*([^/][^/]*\.)*qiita\.com(:443|:80)*/
Still no good; nothing changed. The CONNECT URL ends with the port number, so the trailing slash that the pattern requires never matches.
squid_log
TCP_DENIED/407 4054 CONNECT qiita.com:443 - HIER_NONE/- text/html
TCP_DENIED/407 4424 CONNECT qiita.com:443 - HIER_NONE/- text/html
TCP_DENIED/200 0 CONNECT qiita.com:443 PROSPER2\\USERNAME HIER_NONE/- -
So, in addition to the previous rule, allow the string to end right after the port number or the FQDN, with or without a slash and anything that follows it.
whitelist
^(https*://)*([^/][^/]*\.)*qiita\.com(:443|:80)*(/.*)*$
Communication was confirmed for both the root site https://qiita.com/ and the subdomain site https://zine.qiita.com/. Maybe this is OK.
Let's allow slack sites as well.
whitelist
^(https*://)*([^/][^/]*\.)*slack\.com(:443|:80)*(/.*)*$
Viewed in a browser, the page only half loads. Looking at the log, the browser is also trying to reach slack-edge.com.
squid_log
TCP_DENIED/407 4082 CONNECT a.slack-edge.com:443 - HIER_NONE/- text/html
TCP_DENIED/407 4452 CONNECT a.slack-edge.com:443 - HIER_NONE/- text/html
TCP_DENIED/407 4082 CONNECT a.slack-edge.com:443 - HIER_NONE/- text/html
TCP_DENIED/200 0 CONNECT a.slack-edge.com:443 PROSPER2\\USERNAME HIER_NONE/- -
So it looks like the string -edge should be allowed, but not required, after the string slack.
whitelist
^(https*://)*([^/][^/]*\.)*slack(-edge)*\.com(:443|:80)*(/.*)*$
Let's try it again in the browser. Yeah, this looks okay.
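The following added example (not from the original post) models why the final pattern works where the two earlier attempts did not. It assumes the Squid behaviour described above: for an SSL-bumped connection, http_access is evaluated twice, first for the CONNECT request, where url_regex is compared against host:port with no scheme or path, and again for the bumped request with its full URL. The connect_form helper derives the CONNECT form from an https URL (port 443 assumed), and the sample URLs, including the slack-edge.com asset URL, are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: replay the post's candidate
# patterns against both places Squid evaluates http_access for a bumped
# connection. Assumed from Squid behaviour: the CONNECT request is matched as
# "host:port" (no scheme, no path); the bumped request is matched as its full URL.

# url_matches PATTERN URL -> exit status 0 when PATTERN matches URL (POSIX ERE, case-insensitive)
url_matches() {
    printf '%s\n' "$2" | grep -Eiq -e "$1"
}

# connect_form URL -> "host:443" for an https URL (hypothetical helper; port 443 assumed)
connect_form() {
    host=${1#https://}
    host=${host%%/*}
    case $host in
        *:*) printf '%s\n' "$host" ;;
        *)   printf '%s:443\n' "$host" ;;
    esac
}

# bump_allowed PATTERN URL -> 0 only when both the CONNECT and the bumped request pass
bump_allowed() {
    url_matches "$1" "$(connect_form "$2")" && url_matches "$1" "$2"
}

# phase_report PATTERN URL -> one line showing the verdict of each phase
phase_report() {
    c=DENY; b=DENY; r=blocked
    url_matches "$1" "$(connect_form "$2")" && c=ALLOW
    url_matches "$1" "$2" && b=ALLOW
    bump_allowed "$1" "$2" && r=works
    printf 'CONNECT=%-5s BUMPED=%-5s -> %s   %s\n' "$c" "$b" "$r" "$2"
}

# The three qiita.com attempts from the post, in order, and the slack pattern.
P_SCHEME='^https*://([^/][^/]*\.)*qiita\.com/'
P_PORT_SLASH='^(https*://)*([^/][^/]*\.)*qiita\.com(:443|:80)*/'
P_FINAL='^(https*://)*([^/][^/]*\.)*qiita\.com(:443|:80)*(/.*)*$'
P_SLACK='^(https*://)*([^/][^/]*\.)*slack(-edge)*\.com(:443|:80)*(/.*)*$'

demo() {
    for pattern in "$P_SCHEME" "$P_PORT_SLASH" "$P_FINAL"; do
        echo "pattern: $pattern"
        phase_report "$pattern" 'https://qiita.com/'
        phase_report "$pattern" 'https://zine.qiita.com/articles'
    done
    echo "pattern: $P_SLACK"
    phase_report "$P_SLACK" 'https://app.slack.com/'
    phase_report "$P_SLACK" 'https://a.slack-edge.com/static/app.js'
}
demo
```

The first two patterns pass the bumped URL but fail the CONNECT form qiita.com:443, one because it insists on a scheme, the other because it insists on a trailing slash, which is exactly the TCP_DENIED on CONNECT seen in the logs; only the final pattern passes both phases. The same check shows the slack pattern admitting a.slack-edge.com:443, which the slack.com-only pattern did not.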
**It's much easier to use dstdomain for whitelists and blacklists.** A dstdomain entry such as .qiita.com matches the domain and all of its subdomains, is applied to the host of both the CONNECT and the bumped request, and cannot be fooled by the domain string appearing in a path. Two small nits in the patterns above: https* and (:443|:80)* use * where ? is meant, so httpss:// and :443:80 are also accepted; harmless for a whitelist, but ? says what is intended. Still, it was a useful trial-and-error study of regular expressions.