On 14/06/11 03:14, Alejandro Cabrera Obed wrote:
> Dear, I have a Debian + Squid proxy reverse machine working very well
> for HTTP internal sites.
> But now I have to set up a reverse resolution for a HTTPS external site
> in a non-default port:
> https://www.company.com:7000
> Nowadays the Debian+Squid box has http and https proxy set up to get
> Internet sites:
> export http_proxy=http://10.1.1.1:3128
> export https_proxy=http://10.1.1.1:3128
> (10.1.1.1 is our company proxy)
> So how can I implement a HTTPS reverse site with Squid in my scenario ???

Assuming you still have the basic security in place, your proxy will be
locked down as to which ports it can blindly relay HTTPS to.
Normally you would just add this:

  acl SSL_ports port 7000

BUT... port 7000 is one of the common ports used by IRC (think botnet
master C&C servers).
So I will advise a bit more strictness. Like so:

  ...
  acl SSL_ports port 443 7000
  # the next line is already in squid.conf
  http_access deny CONNECT !SSL_ports
  acl ABC dstdomain .example.com
  acl port7000 port 7000
  http_access deny CONNECT port7000 !ABC
  ...

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.9 and 3.1.12.3
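
Added example, not part of the message above and not Squid code: a small Python model of the two deny rules from the reply, run over constructed CONNECT requests to show which ones each rule stops. It assumes first-match evaluation of http_access and that a leading-dot dstdomain covers the domain and its subdomains; all hostnames are placeholders.

```python
# Added illustration: a small model of the two deny rules from the reply.
# Not Squid code; it mirrors first-match http_access evaluation only.

SSL_PORTS = {443, 7000}          # acl SSL_ports port 443 7000
ABC_DOMAIN = ".example.com"      # acl ABC dstdomain .example.com


def in_dstdomain(host, pattern):
    """dstdomain with a leading dot matches the domain and its subdomains."""
    host = host.lower().rstrip(".")
    base = pattern.lstrip(".").lower()
    return host == base or host.endswith("." + base)


def check_connect(method, host, port):
    """Return the first deny rule that matches, or None if neither does."""
    is_connect = method.upper() == "CONNECT"
    # http_access deny CONNECT !SSL_ports
    if is_connect and port not in SSL_PORTS:
        return "deny CONNECT !SSL_ports"
    # http_access deny CONNECT port7000 !ABC
    if is_connect and port == 7000 and not in_dstdomain(host, ABC_DOMAIN):
        return "deny CONNECT port7000 !ABC"
    return None  # falls through to whatever rules follow in squid.conf


# Constructed sample requests (hostnames are placeholders).
SAMPLES = [
    ("CONNECT", "www.example.com", 7000),   # the intended HTTPS site
    ("CONNECT", "irc.example.net", 7000),   # port 7000, wrong domain
    ("CONNECT", "www.example.net", 443),    # ordinary HTTPS
    ("CONNECT", "www.example.com", 6667),   # port not in SSL_ports
    ("CONNECT", "notexample.com", 7000),    # suffix match without the dot
]

if __name__ == "__main__":
    for method, host, port in SAMPLES:
        verdict = check_connect(method, host, port) or "not denied here"
        print(f"{method} {host}:{port:<5} -> {verdict}")
```

A result of None only means neither of these two rules denied the request; the remaining http_access lines in squid.conf still decide whether it is allowed.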