
Re: TCP_Denied for when requesting IP as URL over SSL using squid proxy server.


 



kevin band wrote:
I've managed to get this working, but I'm not happy because in doing
so I've created a different issue.

My problems all started a few weeks ago when I was trying to tighten
up the rules.
Basically we have two squid proxy servers which are supposed to
contain the same configuration.
I noticed that on one of the servers, there was an extra rule that
wasn't there on the other :-

    http_access allow CONNECT SSL_ports

The net effect of this rule was that anyone requesting any URL via
https would be allowed through the squid proxy server regardless of
the settings in my whitelist files.

I've now put this rule back in place and I now can get to the
63.130.82.113 address using https.
The problem is that I can now get to any URL via https, even though I
have rules in place which are supposed to only allow access to the
websites that I have put into my whitelist files.

Is this a bug in the way squid is handling the CONNECT method?

Any suggestions as to how I can tighten things up again but still
allow through the 63.130.82.113 request via https?  As I've said
before the rules work OK for http.

The IP pattern you had was off:
  .*.63.130.82.113

Redux:

** regex assumes all patterns not beginning with ^ have an implicit .* prefix.
Therefore:  .*.63.130.82.113   ==  .63.130.82.113

 ** regex '.' means any character.

Therefore: .63.130.82.113 == [a-zA-Z0-9\.]163[a-zA-Z0-9\.]130[a-zA-Z0-9\.]82[a-zA-Z0-9\.]113

 ** you have that pattern seeking IP addresses
Therefore:  .63.130.82.113  ==  [0-9\.]63\.130\.82\.113


IMO you need to write the regex as:   ^63\.130\.82\.113

I'm not sure why the raw-IP got through in regular requests. Possibly some other pattern or ACL matched and permitted it.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.15
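
Added example (not part of the original messages, and not Squid's own code): the two patterns from the thread run as unanchored searches against constructed strings. It assumes Python's `re` behaves like Squid's regex matching for these simple patterns; the `TIGHT` pattern and all sample strings are assumptions introduced here.

```python
import re

LOOSE = r".*.63.130.82.113"      # pattern as first written in the thread
STRICT = r"^63\.130\.82\.113"    # pattern suggested in the reply
# Assumption (not from the thread): anchor the end too, with an optional port.
TIGHT = r"^63\.130\.82\.113(:[0-9]+)?$"

# Constructed test strings, not taken from any real access log.
SAMPLES = [
    "63.130.82.113:443",               # host:port form of a CONNECT request
    "http://63.130.82.113/",           # full URL of a plain HTTP request
    "163.130.82.113:443",              # different address, one extra digit
    "x63a130b82c113.example.net:443",  # unescaped '.' matching letters
    "63.130.82.113.example.net:443",   # hostname that starts with the IP
]


def hits(pattern, text):
    """Unanchored search: the pattern may match anywhere in the string."""
    return re.search(pattern, text) is not None


def compare(samples=SAMPLES):
    """Map each sample to (LOOSE, STRICT, TIGHT) match results."""
    return {s: tuple(hits(p, s) for p in (LOOSE, STRICT, TIGHT))
            for s in samples}


if __name__ == "__main__":
    print(f"{'sample':34} LOOSE  STRICT TIGHT")
    for sample, result in compare().items():
        print(f"{sample:34} " + "  ".join(f"{str(r):5}" for r in result))
```

The loose pattern needs at least one character in front of `63`, so it misses the bare `host:port` string while accepting unrelated hosts; the pattern from the reply fixes both but, having no end anchor, still accepts a hostname that merely begins with the address.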
