Squid Proxy: Parsing https header values for specific values

[user_01_01]

My Squid proxy has a `external_acl_type` script: `token_auth.py` that parses header values and if the header contains `X-My-Header: target-value` we allow the request through, otherwise, deny it. Akin to a token authorization system.



token_auth.py:

Code Select Expand

#!/usr/bin/env python3
import sys

while True:
    line = sys.stdin.readline().strip()
    if not line:
        break

    parts = line.split()

    header_value = parts[2]
    target_value = "target-value"

    # Check if the target header value is present
    if header_value == target_value:
        sys.stdout.write("OK\n")
    else:
        sys.stdout.write("ERR\n")

    sys.stdout.flush()

We can test that this works fine:

✅ Allowed Through:

    curl -x http://localhost:3128 -H "X-My-Header: target-value" http://www.example.com

❌ Not Allowed Through (this is good):
   
    curl -x http://localhost:3128 -H "X-My-Header: WRONG-target-value" http://www.example.com



The problem:

However, if we change the `example.com` url to a `HTTPS` url:

    sudo curl -v -x http://172.17.2.200:3128 -H "X-My-Header: target-value" --cacert /etc/squid/bump.crt https://www.example.com

Even though, yes, it's denied, we did provide the correct header value "X-My-Header: target-value", so it shouldn't be denied!

Code Select Expand

<hr>
<div id="footer">
<p>Generated Mon, 24 Jun 2024 04:12:05 GMT by sven-u (squid/5.7)</p>
<!-- ERR_ACCESS_DENIED -->
</div>
</body></html>

What I am almost positive is happening is that my `token_auth.py` script cannot parse https encrypted headers. I have tried SSL bumping, but no difference. Adding some logging to my python script I cannot see the Header or URL:

Code Select Expand

2024-06-23 23:56:06,750 Client IP: 172.17.2.200, Method: CONNECT, URL: -, Header: -
2024-06-23 23:56:06,750 Header did not match: -

I have been stuck here for 3 days now. I am not sure what to do. How can I parse https headers through a external_acl_type helper? Can anyone point me in the right direction?

Please, please help. Thank you.



squid.conf:

Code Select Expand

# External ACL for intermediate certificate fetching
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching

# SSL certificate generator program
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB

# Handle SSL certificate errors
sslproxy_cert_error allow all

# Define SSL bumping steps
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Bumping steps
ssl_bump peek step1
ssl_bump bump step2
ssl_bump bump step3

# Define SSL ports
acl SSL_ports port 443

# SSL bump configuration
http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem

# Custom log format to include X-My-Header
logformat custom_log %{%Y-%m-%d %H:%M:%S}tl %>a:%>p %Ss/%03>Hs "%rm %ru HTTP/%rv" %>Hs %<st %tr "%{User-Agent}>h" "%{Referer}>h" "%{X-My-Header}>h"
access_log /var/log/squid/access.log custom_log

# External ACL configuration for header checks
external_acl_type check_headers_helper %SRC %METHOD %<h{X-My-Header} /etc/squid/COOKIE_AUTH/token_auth.py
acl check_headers external check_headers_helper

# Allow access only if headers contain the specific value
http_access allow check_headers

# Deny all other access
http_access deny all

# Handle SSL certificate errors
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all

# Squid normally listens to port 3128
http_port 3128 intercept

# PID file configuration
pid_filename none

# Header and logging configuration
via off
reply_header_access X-Cache deny all
reply_header_access X-Cache-Lookup deny all
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all
request_header_access X-Forwarded-For deny all

# Disk cache directory
cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these
refresh_pattern ^ftp:      1440    20%  10080
refresh_pattern -i (/cgi-bin/|\?) 0   0%  0
refresh_pattern .      0   20%  4320