Securing Instant Messengers

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Outline

Administrators often need to permit or block the use of IM (Instant Messengers) within Enterprises. While most use proprietary protocols and do not enter the Squid proxy at all, some have a port-80 failover mode, or may be explicitly configured to use a non-transparent proxy.

Applications

AOL Instant Messenger (AIM)

Details

AIM natively uses TCP port 5190 and bypasses the Squid proxy. When configured to use an explicit proxy, it uses CONNECT tunneling to go through Squid.

Squid Configuration File

# Permit AOL Instant Messenger to connect to the OSCAR service
acl AIM_ports port 5190 443

acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com

acl AIM_nets dst 64.12.0.0/16 205.188.0.0/16

http_access allow CONNECT AIM_ports AIM_nets
http_access allow CONNECT AIM_ports AIM_domains

AOL

Squid Configuration File

Configuration file to Include:

  • Note: AOL are known to change their server IPs. The list below cannot be confirmed.

# AOL

acl aol dst 64.12.200.89/32 64.12.161.153/32 64.12.161.185/32
acl aol dst 205.188.153.121/32 205.188.179.233/32

http_access deny aol

by YuriVoinov

Facebook Messenger

Outline

Facebook Messenger is Facebook's instant messaging application. Using it may be prohibited by corporate security policy.

Usage

Usually Facebook Messenger works in most Squid setups without any additional configuration. Blocking it, however, requires some additional steps. To block Facebook Messenger, you require an SSL Bump-aware Squid or, at least, a peek-and-splice configuration.

Squid Configuration File

SSL Bump-aware setup

Paste the configuration file like this:

# Block Facebook messenger
acl deny_fb_im dstdomain .messenger.com
http_access deny deny_fb_im
deny_info TCP_RESET deny_fb_im

Peek-and-splice setup

If you prefer not to install the proxy certificate on clients, you can configure your proxy like this:

# Peek-n-splice rules
acl facebook_messenger ssl::server_name .messenger.com
acl DiscoverSNIHost at_step SslBump1

ssl_bump peek DiscoverSNIHost
ssl_bump terminate facebook_messenger
ssl_bump splice all

then reconfigure Squid.

This is enough to make Facebook Messenger fully inoperable, including the web version.

Gizmo Project (Pidgin IM, Fring, Talqer, ICQ, IRC, AOL)

Gizmo Project includes software to connect to a wide range of messaging protocols and VoIP services. This config does not include settings to block those IM services which are not provided by Gizmo Project.

See also:

If you know of other IM services available through Gizmo software please inform us.

Squid Configuration File

Configuration file to Include:

# Gizmo Project
acl gizmo dstdomain .gizmoproject.com

# Gizmo VoIP
acl gizmo dstdomain .talqer.com .gizmocall.com .fring.com

# Gizmo Chat
acl gizmo dstdomain .pidgin.im

http_access deny gizmo

ICQ ("I Seek You")

Squid Configuration File

Configuration file to Include:

# ICQ
acl icq dstdomain .icq.com

http_access deny icq

MSN Messenger and Windows Live Messenger

Details

MSN Messenger natively uses port 1863 and bypasses the Squid proxy. When that port has been locked down by the firewall admin, it fails over to port 80 and enters Squid.

Note: This is only confirmed to work with Microsoft's MSN Messenger and Windows Live Messenger. If there are any other parts to the formal name, it may be another program entirely with different access needs.

Squid Configuration File

Configuration file to Include:

# MSN Messenger

acl msn urlpath_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type application/x-msn-messenger

http_access deny msnd
http_access deny msn
http_access deny msn1

by YuriVoinov

Riot Messenger

Outline

Riot is an open-source end-to-end encrypted messenger with VoIP, group chats and file transfers. Using it may be prohibited by corporate security policy.

Usage

Usually Riot works in most Squid setups without any additional configuration. Blocking it, however, requires some additional steps. To block Riot, you require an SSL Bump-aware Squid or, at least, a peek-and-splice configuration.

Squid Configuration File

SSL Bump-aware setup

Paste the configuration file like this:

# Block Riot.im
acl deny_riot dstdomain .riot.im .matrix.org
http_access deny deny_riot
deny_info TCP_RESET deny_riot

Peek-and-splice setup

If you prefer not to install the proxy certificate on clients, you can configure your proxy like this:

# Peek-n-splice rules
acl DiscoverSNIHost at_step SslBump1
acl deny_riot ssl::server_name_regex .riot\.im .matrix\.org
ssl_bump peek DiscoverSNIHost
ssl_bump terminate deny_riot
ssl_bump splice all

then reconfigure Squid.

This is enough to make Riot fully inoperable with the default server(s).

by YuriVoinov

Signal Messenger

Outline

The default configuration file for Squid only permits HTTPS port 443 to be used with CONNECT tunnels.

Signal Messenger uses custom ports 4433 and 8443.

Usage

This configuration is useful to pass Signal Messenger traffic through a Squid proxy.

More

As described above, Squid (in most cases) denies the Signal bootstrap connection.

How the initial Signal bootstrap works

Signal Messenger tries to perform an HTTP CONNECT to textsecure-service-ca.whispersystems.org on ports 80, 4433 and 8443. When two or more attempts are successful, it initiates a WebSocket connection to the available server port.

Squid Configuration File

Paste the configuration file like this:

acl SSL_ports port 4433 8443 # Signal Messenger

With the above your regular access permissions for any given client are applied to Signal. Just the same as if it were performing HTTPS connections.

  • Note that port 80 is still too unsafe to allow generic CONNECT on. However, the Signal client often can't complete its initial connection without permission to CONNECT to port 80 at textsecure-service-ca.whispersystems.org. You are warned.

If your proxy is configured to use Features/SslPeekAndSplice, also add this to configuration:

acl DiscoverSNIHost at_step SslBump1

acl NoSSLIntercept ssl::server_name textsecure-service-ca.whispersystems.org

ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
# other SSL-bump rules ...

and reconfigure.

Important update (06/03/2017)

  • Note: Important update (06/03/2017), to prevent this article from misleading you into assuming that you have indeed got to the right place.

Notice that the methods mentioned in the next article are not up-to-date (06/03/2017) and are expected to work only for specific setups. Setups which use ssl-bump need a much more complicated concept than the one mentioned in the article to make it so Skype clients will be able to run smoothly with Squid in the picture. Other than that, Skype in many cases will require direct access to the Internet and will not work in very restricted networks which allow access only through a proxy. I believe that NTOP have some more details on how to somehow make Skype work or be blocked in some cases. I recommend peeking at their code at: https://github.com/ntop/nDPI/search?utf8=✓&q=skype

Skype Access Controls

Squid Configuration File

Configuration file to include.

  • Note: Since FTP also uses numeric IPs, the Skype ACL must be exact, including the port.

Blocking

# Skype

acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443
acl Skype_UA browser ^skype

http_access deny numeric_IPs
http_access deny Skype_UA

  • Note: Recent releases of Skype have been evading the above restriction by not sending their User-Agent headers and by using domain names. The following can be used to catch those installs, but be aware it will likely also catch other agents.

acl validUserAgent browser \S+
http_access deny !validUserAgent

Permitting

  • Note: This needs to be done before any restrictive CONNECT http_access controls.

acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443
acl Skype_UA browser ^skype

http_access allow CONNECT localnet numeric_IPs Skype_UA

  • Note that Skype prefers port 443, which is enabled in Squid by default anyway, so this configuration is only needed when you block HTTPS access through the proxy.

If you limit HTTPS access to known sites only, then permitting Skype will break that policy.
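As an added check (example code written here, not part of the wiki page or of Squid), the following Python reproduces the numeric_IPs dstdom_regex pattern used in the Blocking and Permitting blocks above and runs it over constructed CONNECT destinations, showing that only numeric hosts on port 443 are caught while named hosts and FTP to numeric IPs are left alone:

```python
import re

# Pattern of the numeric_IPs dstdom_regex ACL above, as a Python regex.
# The last alternative inside the IPv6 brackets is the character class [0-9\.]+,
# so an IPv4-mapped tail such as ::ffff:192.0.2.1 is accepted as well.
NUMERIC_IPS_RE = re.compile(
    r"^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
    r"|(\[([0-9a-f]+)?:([0-9a-f:]+)?:([0-9a-f]+|[0-9\.]+)?\])):443"
)


def matches_numeric_ips(dest: str) -> bool:
    """True when a CONNECT destination (host:port) would hit the numeric_IPs ACL.

    Squid regex ACLs are case-sensitive unless the -i flag is given, so the hex
    digits of an IPv6 literal must be lower case here as in the ACL.
    """
    return NUMERIC_IPS_RE.match(dest) is not None


def classify(dests):
    """Map each destination to its ACL outcome, for a quick review of a ruleset."""
    return {d: matches_numeric_ips(d) for d in dests}


if __name__ == "__main__":
    # Constructed sample destinations (documentation addresses, not from the page).
    samples = [
        "198.51.100.7:443",        # IPv4 literal on 443: caught
        "[2001:db8::1]:443",       # IPv6 literal on 443: caught
        "[::ffff:192.0.2.1]:443",  # IPv4-mapped IPv6 literal on 443: caught
        "198.51.100.7:80",         # port 80: not caught, the port must be exact
        "198.51.100.7",            # no port at all: not caught
        "login.skype.com:443",     # host name instead of a literal: not caught
        "203.0.113.5:21",          # FTP to a numeric IP: not caught, FTP stays usable
    ]
    for dest, hit in classify(samples).items():
        print(f"{dest:26} numeric_IPs={'match' if hit else 'no match'}")
```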

Metro Skype on Windows 10

Note: This is required for Skype to work if Squid is SSL-Bump aware.

Add these domains to the splice ACL, then reconfigure Squid:

## Trusted SKYPE addresses
# api.aps|skypegraph|edge Metro Skype requires
(a\.config|pipe|api\.aps|skypegraph|edge)\.skype\.com
# Metro Skype requires
ocsp\.omniroot\.com
trouter\.io
msedge\.net

# messenger.live.com requires for Metro Skype
mobile\.pipe\.aria\.microsoft\.com
messenger\.live\.com

The squid.conf part should look like this:

acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/acl.url.nobump"
ssl_bump splice NoSSLIntercept

by YuriVoinov

Telegram Messenger

How to pass Telegram

Starting from version 0.10.11 (for tdesktop) the Telegram client uses a pinned TLS connection for its bootstrap connection to 149.154.160.0/20. It can also use relatively large Amazon/Google/Azure networks for push notifications, as web-fronting.

So an SSL-Bump proxy must be configured to splice the initial connection from Telegram to its servers:

# SSL-bump rules
acl DiscoverSNIHost at_step SslBump1
# Splice specified servers
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/acl.url.nobump"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

Add this to acl.url.nobump:

# Telegram
149\.154\.1(6[0-9]|7[0-5])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])
# Alternate Telegram bootstrap
35\.19[2-9]\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])
13\.[0-9][0-9]\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])
18\.18[45]\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])

This is the minimal access Telegram requires to connect.

This only affects Telegram clients using HTTP proxy settings. On an interception proxy it also works with Telegram clients in AUTO mode (the default).
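As an added check (example code written here, not part of the wiki page or of Squid), this Python verifies that the acl.url.nobump entry for the Telegram bootstrap range really covers the whole 149.154.160.0/20 network named above and does not also match the addresses just outside it; the helpers can be pointed at any other regex entry and CIDR pair:

```python
import ipaddress
import re

# The acl.url.nobump entry for the Telegram bootstrap range, as given on the page.
TELEGRAM_BOOTSTRAP_RE = re.compile(
    r"149\.154\.1(6[0-9]|7[0-5])\."
    r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
)


def regex_covers_network(pattern, cidr):
    """True when every address in `cidr` is matched by `pattern`.

    Like Squid's ssl::server_name_regex the pattern is unanchored, so a
    substring search is used rather than a full match.
    """
    net = ipaddress.ip_network(cidr)
    return all(pattern.search(str(ip)) for ip in net)


def regex_leaks_neighbours(pattern, cidr):
    """Return the addresses immediately outside `cidr` that `pattern` still matches.

    An empty list means the entry is as tight as the CIDR; any address listed
    here would be spliced even though it lies outside the stated range.
    """
    net = ipaddress.ip_network(cidr)
    before = ipaddress.ip_address(int(net.network_address) - 1)
    after = ipaddress.ip_address(int(net.broadcast_address) + 1)
    return [str(ip) for ip in (before, after) if pattern.search(str(ip))]


if __name__ == "__main__":
    cidr = "149.154.160.0/20"
    print("covers", cidr, ":", regex_covers_network(TELEGRAM_BOOTSTRAP_RE, cidr))
    print("matches outside", cidr, ":", regex_leaks_neighbours(TELEGRAM_BOOTSTRAP_RE, cidr))
```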

Trillian

Squid Configuration File

Configuration file to Include:

  • Note: Trillian may change their server IPs. If you know of others please inform us.

# Trillian

acl trillian dst 66.216.70.167/32

http_access deny trillian

by YuriVoinov

Viber Messenger

Outline

Viber Messenger is an end-to-end encrypted messenger with VoIP, group chats and file transfers. Using it may be prohibited by corporate security policy.

Usage

Usually Viber works in most Squid setups without any additional configuration. Blocking it, however, requires some additional steps. To block Viber, you require an SSL Bump-aware Squid or, at least, a peek-and-splice configuration.

Squid Configuration File

Paste the configuration file like this:

# Block Viber
acl deny_viber ssl::server_name_regex .viber\.com
acl DiscoverSNIHost at_step SslBump1
ssl_bump peek DiscoverSNIHost
ssl_bump terminate deny_viber
ssl_bump splice all

then reconfigure Squid.

This is enough to make Viber fully inoperable (both desktop and mobile).

by YuriVoinov

Whatsapp Messenger (mobile/web)

How to pass Whatsapp

Whatsapp is one of the more difficult IM applications to pass through a proxy. Two issues were found:

  1. Web whatsapp general connecting
  2. Media files transfers for mobile Whatsapp application

First of all, Whatsapp requires an SSL Bump-aware Squid (whether with a bump-all or a splice-all config). With a splice-all config, all Whatsapp apps should work without issues.

On the other hand, a bump-all config requires some additional steps to make both (web and mobile) Whatsapp applications work.

Squid Configuration File

First, let's assume you have SSL Bump configuration like this:

# SSL bump rules
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/acl.url.nobump"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

To make Whatsapp work, add this to acl.url.nobump:

# Web.whatsapp.com
(w[0-9]+|[a-z]+)\.web\.whatsapp\.com
# Whatsapp CDN issue
.whatsapp\.net

That's all. Just reconfigure Squid.

Don't forget to install the proxy CA on mobile devices.

by YuriVoinov

Wire Messenger

Outline

Wire is blocked by default by an SSL Bump-aware Squid. When Wire runs behind such a proxy, you get the message YOUR CONNECTION IS NOT PRIVATE and no Wire function works.

Usage

Wire uses the following domain names:

wire.com, www.wire.com, prod-nginz-https.wire.com, prod-nginz-ssl.wire.com, prod-assets.wire.com, wire-app.wire.com

turn01.de.prod.wire.com, turn02.de.prod.wire.com, turn03.de.prod.wire.com, turn04.de.prod.wire.com

To make it work behind an SSL Bump-aware Squid, you simply need to splice the second-level domain wire.com.

Squid Configuration File

Paste the configuration file like this:

acl DiscoverSNIHost at_step SslBump1

acl NoSSLIntercept ssl::server_name_regex .wire\.com

ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
# other SSL-bump rules ...

and reconfigure.

Yahoo! Messenger

Squid Configuration File

Configuration file to Include:

# Yahoo! Messenger
acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
acl ym dstdomain .voice.yahoo.com

acl ymregex url_regex yupdater.yim ymsgr myspaceim

# Other protocols Yahoo!Messenger uses ??
acl ym dstdomain .skype.com .imvu.com

http_access deny ym
http_access deny ymregex



ConfigExamples/Chat (last edited 2009-04-24 00:58:58 by AmosJeffries)