So what do you recommend as a solution? The only line I have in my conf that has "ssl" in it is this:

acl SSL_ports port 443 563

but I have these ports as "safe":

acl Safe_ports port 443 563

How do I allow the connection through SSL ports but close them down enough to not get an "HTTP Proxy CONNECT Loop DoS" showing on my scan?

Thanks,
Jason

On Fri, Dec 17, 2010 at 11:38 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 18/12/10 04:35, Jason Greene wrote:
>>
>> On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>> On 17/12/10 10:38, Jason Greene wrote:
>>>>
>>>> I'm trying to close a security hole.
>>>>
>>>> I want to use maxconn on ALL IPs:
>>>>
>>>> acl limitusercon maxconn 3
>>>> http_access deny all limitusercon
>>>
>>> Testing the "all" there is not useful. That should be just:
>>>
>>> http_access deny limitusercon
>>>
>>> ... making sure it's placed at the top of your access controls so nothing
>>> doing an allow can bypass it. Right after the "deny CONNECT !SSL_Ports"
>>> should do.
>>
>> Thanks, I'll try this out.
>>
>>>> But it doesn't seem to work and the hole still appears on a scan.
>>>
>>> What hole?
>>
>> HTTP Proxy CONNECT Loop DoS
>
> If that is what I think it is, you are missing the default "deny CONNECT
> !SSL_Ports" or have opened SSL_Ports too wide.
> Due to:
> - the proxy listening ports are not SSL/CONNECT safe ports.
> - port 443 listening is reverse-proxy territory + reverse proxy must not
> accept CONNECT requests (older squid releases allowed it wrongly).
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.9
> Beta testers wanted for 3.2.0.3
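For readers following this thread, here is an added squid.conf fragment (not from Jason's configuration or from the Squid project's shipped default) that puts the pieces Amos describes together: the deny-before-allow ordering, "deny CONNECT !SSL_ports" with the proxy's own listening port kept out of SSL_ports and Safe_ports, and the maxconn rule placed directly after it. The http_port value 3128 and the localnet range are assumptions for illustration; the acl and http_access directives themselves are standard Squid syntax.

```conf
# Assumed listening port. This port must NOT appear in SSL_ports or
# Safe_ports, otherwise a client can CONNECT the proxy back to itself.
http_port 3128

# Only ports a CONNECT tunnel may be opened to. 3128 is deliberately absent.
acl SSL_ports port 443 563

# Ports plain HTTP requests may be sent to. Again, 3128 is absent.
acl Safe_ports port 80 21 443 563 70 210 1025-65535

acl CONNECT method CONNECT

# Requests whose destination is the proxy host itself.
acl to_localhost dst 127.0.0.0/8 ::1

# Assumed client range; adjust to the real LAN.
acl localnet src 192.168.0.0/16

# Per-client-IP connection cap (the thread's value of 3).
acl limitusercon maxconn 3

# --- Weak ordering (what the scan flagged) ---
# acl limitusercon maxconn 3
# http_access deny all limitusercon      # "all" adds nothing; rule buried below allows
# http_access allow localnet
# (no "deny CONNECT !SSL_ports" line at all)

# --- Corrected ordering: every deny sits above every allow ---
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports   # blocks CONNECT proxyhost:3128
http_access deny to_localhost         # blocks GET/CONNECT aimed at the proxy box
http_access deny limitusercon         # cap per client, nothing above can bypass it
http_access allow localnet
http_access allow localhost
http_access deny all
```

To confirm the loop is closed, send the proxy a request of the form "CONNECT <proxy-address>:3128 HTTP/1.0" through port 3128 and check that Squid answers with a 403 rather than opening a tunnel; a CONNECT to an external host on 443 should still succeed for clients inside localnet.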