Re: connecting directly to ssl-bump intercept port causes runaway CPU

Typical, I figured out an iptables workaround within seconds of sending
my last email.

I still think squid needs to be able to stop this DoS, but this will
stop the issue occurring:

iptables -t nat -A PREROUTING -d proxy.ip -i lan.interface -p tcp -m tcp \
    --dport 3127 -j REDIRECT --to-ports 9876   # 9876 has nothing running on it
iptables -t nat -A PREROUTING ! -d lan.subnet/netmask -i lan.interface \
    -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127   # 3127 is our ssl intercept port

So I get "connection refused" when I try to connect to the proxy on port
3127, but https intercept still works for anything else. Now squid never
sees the direct 3127 connection and so never goes into a loop.

Jason

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
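As an added example (not part of Jason's post): the same two nat rules expressed as an iptables-restore fragment in the order that matters, plus a check that nothing is actually listening on the sinkhole port before the rules go in. The interface and address values (eth1, 192.0.2.10, 192.0.2.0/24) are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed placeholder values:
# override them from the environment for a real host.
LAN_IF="${LAN_IF:-eth1}"                 # interface facing the LAN
PROXY_IP="${PROXY_IP:-192.0.2.10}"       # the proxy's own address
LAN_NET="${LAN_NET:-192.0.2.0/24}"       # local subnet, excluded from interception
INTERCEPT_PORT="${INTERCEPT_PORT:-3127}" # squid ssl-bump intercept port
SINK_PORT="${SINK_PORT:-9876}"           # nothing listens here -> RST, "connection refused"

# Emit the nat table as an iptables-restore fragment. Order matters: the
# sinkhole rule must precede the generic 443 redirect so a direct connection
# to the intercept port never reaches squid.
build_nat_rules() {
    printf '%s\n' '*nat' \
        "-A PREROUTING -i $LAN_IF -d $PROXY_IP -p tcp -m tcp --dport $INTERCEPT_PORT -j REDIRECT --to-ports $SINK_PORT" \
        "-A PREROUTING -i $LAN_IF ! -d $LAN_NET -p tcp -m tcp --dport 443 -j REDIRECT --to-ports $INTERCEPT_PORT" \
        'COMMIT'
}

# Exit 0 when no TCP socket is in LISTEN (state 0A) on port $1, reading a
# /proc/net/tcp-style table from file $2 (defaults to the live kernel table).
# Run it before applying the rules: a listener on SINK_PORT would silently
# turn the sinkhole into another reachable service.
port_is_closed() {
    hexport=$(printf '%04X' "$1")
    awk -v p="$hexport" \
        'NR > 1 && $4 == "0A" && $2 ~ (":" p "$") { found = 1 } END { exit found ? 1 : 0 }' \
        "${2:-/proc/net/tcp}"
}

# Constructed sample table (IPv4 only): squid listening on 3127, sshd on 22,
# one established client connection, nothing on 9876.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0C37 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:0C37 0B00000A:C8F2 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1'

# With "apply" as the first argument, load the rules into the running nat
# table (no flush, so existing rules are kept); otherwise just print them.
if [ "${1:-}" = apply ]; then
    port_is_closed "$SINK_PORT" || { echo "port $SINK_PORT is in use" >&2; exit 1; }
    build_nat_rules | iptables-restore --noflush
else
    build_nat_rules
fi
```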