Search squid archive

TCP_Denied for when requesting IP as URL over SSL using squid proxy server.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I'm hoping somebody can help me here, because I'm at a loss about what
to do next.

Basically we have squid running as a proxy server to restrict access
to just those sites which we've included in our ACL's
I have noticed recently that it isn't handling HTTPS reqests properly
if the URL contains an IP address instead of a domain name.

The reason this is a particular problem is that although the users can
connect to the page using the domain name, something within that
domain is then forwarding requests to the same web-server using its IP
address.
I'm sure I have my ACL's setup correctly because squid will forward
the request using either URL if I send the requests using HTTP.  It
then times out on the web-server because it only allows https, but at
least the request is being forwarded to the web-server rather than
being denied in squid

Here's an extract from the logs that might explain it better :-

    158.41.4.44 - - [04/Dec/2009:15:56:47 +0000] "GET
http://stpaccess.marksandspencer.com/ HTTP/1.1" 504 1024 TCP_MISS:NONE
    158.41.4.44 - - [04/Dec/2009:15:57:02 +0000] "CONNECT
stpaccess.marksandspencer.com:443 HTTP/1.0" 200 7783 TCP_MISS:DIRECT
    158.41.4.44 - - [04/Dec/2009:16:01:53 +0000] "GET
http://63.130.82.113/Citrix/MetaFrameXP/default/login.asp HTTP/1.1"
504 1064 TCP_MISS:NONE
    158.41.4.44 - - [04/Dec/2009:16:03:13 +0000] "CONNECT
63.130.82.113:443 HTTP/1.0" 403 980 TCP_DENIED:NONE


And config extracts:

    acl SSL_ports port 443 563 444
    acl Safe_ports port 80 8002 23142 5481 5181 5281 5381 5481 5581
5400 5500       # http
    acl Safe_ports port 23142       # OPEL project
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443 444 563 # https, snew#s

    acl CONNECT method CONNECT

    acl regex_ms dstdom_regex   -i "/home/security/regex_marksandspencer.txt"
    acl urlregex_mands url_regex -i
"/home/security/regex_marksandspencer_ip.txt"
    acl mands_allowed_nets  src  "/home/security/mands_allowed_nets.txt"

    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    http_access allow regex_ms  mands_allowed_nets
    http_access allow urlregex_mands mands_allowed_nets
    http_access deny all

There are actually a lot more ACL's than this, but these are the only
ones I think are relevant

relevant extracts from files linked to ACLs:
  regex_marksandspencer.txt
      .*marksandspencer.*com

  regex_marksandspencer_ip.txt
      .*.63.130.82.113


Thanks for any help.

Kevin,

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux