On 22/11/17 23:48, Vieri wrote:
From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
If you place that after the default "deny CONNECT !SSL_ports", and
before your UA checks, AND if you are using ssl_bump on the allowed
tunnels then you can relatively safely use "allow CONNECT".
Just be careful that the CONNECT allowed by that are always handled
safely by the ssl_bump rules you have.
Meaning that you either bump or terminate traffic you are not sure is
okay, splice if you are reasonably sure, etc. it is a balancing effort
between "splice as much as possible" and "terminate if unsure of the
traffic" advice.
As you say, I placed "allow CONNECT" after the default "deny CONNECT !SSL_ports", and before my UA checks. I'm also using:
ssl_bump stare all
ssl_bump bump all
Considering the following (taken from previous e-mail):
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny explicit !ORG_all
http_access deny explicit SSL_ports
Would it be "safer" or "indifferent" to use the following right before the UA checks?
http_access allow CONNECT interceptedssl SSL_ports
All CONNECT transactions that get past that earlier line with !SSL_Ports
will match SSL_Ports. So that part of the line is redundant.
The "CONNECT interceptedssl" is more restricted than just "CONNECT" - so
is safer due to that yes. But also leaves some traffic open to the same
denial problem you had earlier if non-UA CONNECT happen other ways. Up
to you whether that is wanted or acceptable.
Amos
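As an added illustration (not Vieri's or Amos's configuration), the fragment below shows one way to lay out the rule order Amos describes: the default "deny CONNECT !SSL_ports" first, then the port-specific denies from the thread, then the narrower "allow CONNECT interceptedssl", then the UA checks, with every allowed tunnel bumped. The port numbers, the "intercept_*" port names, the 192.168.0.0/16 range, the certificate path and the "good_ua" ACL are constructed; "intercepted" and "interceptedssl" are assumed to be myportname ACLs bound to the intercept ports.

```squid
# Added example, not from the thread. Constructed values: port numbers,
# port names, the 192.168.0.0/16 range, the CA path and the good_ua regex.
http_port  3128 name=explicit_port
http_port  3129 intercept name=intercept_http
https_port 3130 intercept ssl-bump name=intercept_ssl \
    cert=/etc/squid/CA.pem generate-host-certificates=on   # assumed path

acl SSL_ports     port 443
acl Safe_ports    port 80 443
acl CONNECT       method CONNECT
acl localnet      src 192.168.0.0/16          # constructed range
acl intercepted   myportname intercept_http   # assumed mapping
acl interceptedssl myportname intercept_ssl   # assumed mapping
acl good_ua       browser ^Mozilla/           # assumed UA check

# 1. Default safety rules: odd ports, and CONNECT to anything but TLS ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 2. Port/origin restrictions from the thread.
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

# 3. The "allow CONNECT" under discussion. Any CONNECT reaching this line has
#    already passed "deny CONNECT !SSL_ports", so adding SSL_ports here would
#    be redundant. Limiting it to interceptedssl keeps explicit CONNECTs
#    (port 3128) subject to the UA checks below.
http_access allow CONNECT interceptedssl

# 4. UA checks for everything else: plain HTTP, explicit CONNECT, and the
#    decrypted requests that bumped tunnels send back through http_access.
http_access deny !good_ua
http_access allow localnet
http_access deny all

# 5. Every CONNECT allowed in step 3 is bumped, so its inner requests are
#    re-evaluated by the rules above rather than passing through unseen.
ssl_bump stare all
ssl_bump bump all
```

The trade-off Amos points out is visible in step 3: intercepted tunnels from non-browser clients on the LAN are allowed and then bumped, so their inner requests still hit the UA check, while a CONNECT that arrives by some other path than the intercept port is denied by the rules in step 4.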
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users