Search squid archive

Re: Help with UA filtering in https connections

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/02/2018 07:08 AM, Matus UHLAR - fantomas wrote:
> On 02.01.18 06:04, squidnoob wrote:
>> http_access allow CONNECT safe_ports
>> http_access deny CONNECT


>> I understand adding this line that you suggested as it's not already
>> there.
>> http_access deny !safe_ports

Yes, this or similar line (and possibly other lines) is needed, provided
it matches your proxying environment. My sketch only dealt with your
original/specific problem, not general proxying protections...


>> However, i don't understand why i would need to add this (http_access
>> deny CONNECT !SSL_Ports ) given the two lines above in the existing config.

You do not need to add it AFAICT.


> the two lines above unconditionally allow CONNECT anywhere, 

This is incorrect. The lines deny CONNECT to unsafe ports. What Amos
correctly pointed out is that *non-CONNECT* transactions may go to
unsafe ports as well, and it is considered best practice to block such
traffic by default.

Please note that denying CONNECTs to unsafe ports at step1 may not work
well because the generated by Squid certificate will be rejected by the
browser in many cases. You may decide to simply terminate such CONNECT
transactions instead:

  # terminate malicious tunnels and bump everything else
  ssl_bump terminate !safe_ports
  ssl_bump stare all
  ssl_bump bump all


Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux