[solved] Why is squid blocking the website ecovadis.com?

Started by sjjh, February 04, 2021, 05:07:38 PM

I need some help with analyzing how Squid determines if a website should be blocked. I do have a couple of websites that seem to be false positive blocks. One is https://ecovadis.com. If I try to open the website I get the following Squid error message:
Quote
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: https://132.148.217.3/*

    Access Denied.
[...]
The IP address does belong to the blocked domain. I enabled Squid debugging:
cat /usr/local/etc/squid/pre-auth/debug.conf
debug_options ALL,1 33,2 28,9

This produced the following output:
2021-02-04T16:37:42 squid .226 kid1| 33,2| client_side.cc(586) swanSong: local=132.148.217.3:443 remote=10.63.19.52:44632 flags=33
2021-02-04T16:37:42 squid .225 kid1| 33,2| client_side.cc(895) kick: local=132.148.217.3:443 remote=10.63.19.52:44632 flags=33 Connection was closed
2021-02-04T16:37:42 squid .215 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: 'ip-132-148-217-3.ip.secureserver.net' found
2021-02-04T16:37:42 squid .215 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking 'ip-132-148-217-3.ip.secureserver.net'
2021-02-04T16:37:42 squid .215 kid1| 28,3| DomainData.cc(115) match: aclMatchDomainList: '132.148.217.3' NOT found
2021-02-04T16:37:42 squid .215 kid1| 28,3| DomainData.cc(110) match: aclMatchDomainList: checking '132.148.217.3'
2021-02-04T16:37:42 squid .215 kid1| 28,3| RegexData.cc(43) match: checking '132.148.217.3:443'
2021-02-04T16:37:42 squid .215 kid1| 28,3| RegexData.cc(43) match: checking '132.148.217.3:443'
2021-02-04T16:37:42 squid .215 kid1| 33,2| client_side.cc(2742) httpsSslBumpAccessCheckDone: sslBump action peekneeded for local=132.148.217.3:443 remote=10.63.19.52:44632 FD 22 flags=33

So it seems that match: aclMatchDomainList: 'ip-132-148-217-3.ip.secureserver.net' is the relevant log line. Is that correct? Where does it come from? In the OPNsense GUI Squid configuration I cannot see any reference to secureserver.net. Digging deeper, there is an entry in the generated black list file that might be relevant:
cat /usr/local/etc/squid/acl/Blacklist1 | grep "secureserver.net"
.ip.secureserver.net

We are using the UT1 Blacklist as remote black list. If I have a look at the black list, I see a similar entry:
~/Downloads/blacklists$ grep -rni "ip.secureserver.net"
phishing/domains:187528:ip.secureserver.net
adult/domains:1375364:ip.secureserver.net
malware/domains:188629:ip.secureserver.net

So is this the relevant black list entry? Does anybody know anything about the domain?

And why is Squid checking the domain ip-132-148-217-3.ip.secureserver.net in the first place at all? I mean, I can understand that Squid checks for https://ecovadis.com and 132.148.217.3. But why for the domain ip-132-148-217-3.ip.secureserver.net?
To answer my own question: that's the PTR record. I did ask a similar/same question before in the forum, but didn't understand the replies completely at that time: https://forum.opnsense.org/index.php?topic=20355.0
So Squid checks the PTR record, receives ip-132-148-217-3.ip.secureserver.net as a result, checks that string against the black list and hits the match ip.secureserver.net there.
Trying to wrap my head around it again, I end up with the questions:

IMHO, manually whitelisting the IP address seems not to be a final solution but rather a workaround, which won't scale (besides the fact that I failed to get it working)... Or did I get it wrong?

Thanks in advance! Simon
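The mechanism the post works out above (an intercepted HTTPS request that carries only an IP, Squid reverse-resolving it and matching the PTR name against a dstdomain list whose entries carry a leading dot) can be reproduced offline. The following script is an added example written for this thread, not OPNsense or Squid code; the blocklist, the PTR table and the helper names (domain_matches, evaluate_dstdomain, load_blocklist, live_ptr) are constructed here. The one real value in it is the PTR name 132.148.217.3 -> ip-132-148-217-3.ip.secureserver.net quoted from the debug log. It is the kind of check to run when triaging a suspected false positive: it tells you which entry matched and whether the match came through the hostname, the literal IP or the reverse name.

```python
"""Simulate Squid dstdomain matching, including the reverse-DNS (PTR) step.

Added example for the forum thread; not Squid/OPNsense code.
Blocklist and PTR data below are constructed, except the PTR name for
132.148.217.3, which is the one shown in the thread's Squid debug log.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed PTR table standing in for reverse DNS (offline).
CONSTRUCTED_PTR: Dict[str, str] = {
    "132.148.217.3": "ip-132-148-217-3.ip.secureserver.net",  # from the thread
    "192.0.2.10": "host10.example-phish.test",                # made up
}


def load_blocklist(lines: Iterable[str]) -> List[str]:
    """Turn UT1-style 'domains' lines into Squid dstdomain entries.

    Assumption (matches what the thread shows): the generated Blacklist1
    file carries a leading dot on every entry, i.e. 'ip.secureserver.net'
    becomes '.ip.secureserver.net', which in Squid means the domain and
    every subdomain of it.
    """
    out: List[str] = []
    for raw in lines:
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        out.append(line if line.startswith(".") else "." + line)
    return out


# Constructed blocklist, in the generated (leading-dot) form.
CONSTRUCTED_BLOCKLIST = load_blocklist(["ip.secureserver.net", "example-phish.test"])


def domain_matches(entry: str, name: str) -> bool:
    """Squid domain-list semantics.

    '.foo.com' matches foo.com and any subdomain; 'foo.com' without the
    leading dot matches only foo.com itself.
    """
    entry = entry.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if entry.startswith("."):
        return name == entry[1:] or name.endswith(entry)
    return name == entry


def is_ip_literal(host: str) -> bool:
    """True when the request's host part is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def evaluate_dstdomain(
    host: str,
    blocklist: List[str],
    ptr_lookup: Callable[[str], Optional[str]],
) -> Tuple[Optional[str], Optional[str]]:
    """Return (matching_entry, name_that_matched), or (None, None).

    For an IP literal the literal itself is checked first and then the
    PTR name, which is the order the thread's debug log shows (log lines
    there are newest-first). Hostnames are checked as given.
    """
    candidates: List[str] = [host]
    if is_ip_literal(host):
        ptr = ptr_lookup(host)
        if ptr:
            candidates.append(ptr)
    for name in candidates:
        for entry in blocklist:
            if domain_matches(entry, name):
                return entry, name
    return None, None


def live_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup; drop-in replacement for CONSTRUCTED_PTR.get."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    for host in ("ecovadis.com", "132.148.217.3", "192.0.2.10", "203.0.113.5"):
        entry, via = evaluate_dstdomain(host, CONSTRUCTED_BLOCKLIST, CONSTRUCTED_PTR.get)
        verdict = f"blocked by {entry!r} via {via!r}" if entry else "allowed"
        print(f"{host:>16}: {verdict}")
```

Running it shows the asymmetry the thread is about: ecovadis.com by name is allowed, while 132.148.217.3 is blocked through its PTR name even though neither the hostname nor the IP is on the list. To run the same check against a live resolver and the real generated file, pass live_ptr in place of CONSTRUCTED_PTR.get and feed open("/usr/local/etc/squid/acl/Blacklist1") to load_blocklist.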

What exactly do you type in the browser when Squid blocks access?
https://132.148.217.3/ ?


Can't reproduce the behaviour:
- the UT1 Blacklist list does not contain ip.secureserver.net
- the Squid deny page displays the name in "URL:" if the request was made by name, not the IP
- if the request contains a name, then only the name and IP address are checked against the blacklists (as it should be with the dstdomain directive).


Quote from: Fright on February 05, 2021, 08:25:32 AM
Can't reproduce the behaviour:
- the UT1 Blacklist list does not contain ip.secureserver.net
Easy explanation: after looking at it again I was confident enough to ask Fabrice, the UT1 blacklist maintainer, if I got it right and if secureserver.net could be removed. Fabrice responded very quickly and removed it. Now the website is not blocked any more.

Quote from: Fright on February 05, 2021, 08:25:32 AM
- the Squid deny page displays the name in "URL:" if the request was made by name, not the IP
- if the request contains a name, then only the name and IP address are checked against the blacklists (as it should be with the dstdomain directive).
My experience is different, but I have no idea why. If I come across another case and don't forget until then, I'll come back here to find the root cause.

Thanks for your help!