On 26 February 2016 at 00:38, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 26/02/2016 11:47 a.m., Dick Visser wrote:
>> Hi
>>
>> I'm trying to set up an acl to allow a link checker tool to do its
>> work through squid.
>> This tool is a Wordpress plugin.
>> The whole reason I have squid is so that Wordpress itself cannot
>> retrieve random stuff from the Internet.
>>
>> I had come up with the idea of allowing HEAD method, so the link
>> checker plugin can do its job while at the same time not allowing
>> malicious content to be retrieved.
>> This appears to work well.
>>
>> However, when the plugin tries to check HTTPS URLs it uses CONNECT,
>> which is then denied by squid.
>
> The tool is set up to relay TLS "HTTPS" through an *HTTP* proxy. To have
> any more control than what you already found with that particular
> layering will require MITM'ing that traffic with Squid SSL-Bump feature.
>
> However, Squid is capable of receiving TLS connections in its role as
> explicit/forward proxy. If the tool can be updated to use TLS to secure
> its connection to the proxy, then to deliver its https:// messages to
> the proxy over that (instead of using "HTTPS") you will get better
> control without any loss of security.
>

I checked and the tool does not support TLS to the proxy...

It is not a problem here to use SSLbump, but I don't understand how to
configure squid to allow *only* HEAD requests on HTTPS.
Because that is done using the CONNECT method. The HEAD method doesn't
go 'inside' the CONNECT method - or am I mixing things up?

I'll start with using Squid 3.5.x to make sure I have the latest versions.

Thanks

Dick
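
The layering discussed in this thread, as an added squid.conf sketch for Squid 3.5 that is not from either poster: with SSL-Bump, `http_access` is evaluated once for the CONNECT tunnel request and again for each decrypted request inside it, so HEAD can be the only method allowed inside the tunnel. The source address, certificate path, helper path and ACL names are assumptions, and the plugin host has to trust the bumping CA.

```conf
# Added example. Paths, the address and the ACL names are assumptions.

# Forward-proxy port with SSL-Bump enabled; bump-ca.pem holds a locally
# generated CA certificate and key used to mint per-host certificates.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on
# Certificate generation helper (location varies by distribution).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl wordpress src 192.0.2.10      # constructed address of the WordPress host
acl SSL_ports port 443
acl CONNECT method CONNECT
acl HEAD method HEAD

# Peek at the TLS client hello, then decrypt (bump) every tunnel.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# First pass: the CONNECT request that opens the tunnel.
http_access deny !wordpress
http_access deny CONNECT !SSL_ports
http_access allow CONNECT
# Plain-HTTP requests and the decrypted requests inside a bumped tunnel
# both reach this rule: only HEAD is let through.
http_access allow HEAD
http_access deny all
```

Without the `ssl_bump bump` rule the proxy sees only the CONNECT request, so the `allow CONNECT` line alone would let any method through the encrypted tunnel.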