On 01/02/2018 07:08 AM, Matus UHLAR - fantomas wrote:
> On 02.01.18 06:04, squidnoob wrote:
>> http_access allow CONNECT safe_ports
>> http_access deny CONNECT

>> I understand adding this line that you suggested as it's not already
>> there.
>> http_access deny !safe_ports

Yes, this or similar line (and possibly other lines) is needed, provided
it matches your proxying environment. My sketch only dealt with your
original/specific problem, not general proxying protections...


>> However, I don't understand why I would need to add this (http_access
>> deny CONNECT !SSL_Ports) given the two lines above in the existing config.

You do not need to add it AFAICT.


> the two lines above unconditionally allow CONNECT anywhere,

This is incorrect. The lines deny CONNECT to unsafe ports. What Amos
correctly pointed out is that *non-CONNECT* transactions may go to
unsafe ports as well, and it is considered best practice to block such
traffic by default.

Please note that denying CONNECTs to unsafe ports at step1 may not work
well because the certificate generated by Squid will be rejected by the
browser in many cases. You may decide to simply terminate such CONNECT
transactions instead:

  # terminate malicious tunnels and bump everything else
  ssl_bump terminate !safe_ports
  ssl_bump stare all
  ssl_bump bump all

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
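For readers following the thread, here is an added squid.conf fragment (not posted by anyone in the thread) that puts the three http_access lines discussed above and Alex's ssl_bump lines into one ordered block. The port lists are assumptions for illustration; the fragment also assumes the poster's existing http_port ssl-bump and sslcrtd_program lines are already present, since the thread is about an SslBump setup that already exists.

```conf
# Added example, not from the squid-users thread. Port lists are assumed;
# adjust them to your own proxying environment.
acl SSL_ports  port 443
acl safe_ports port 80 443
acl CONNECT    method CONNECT

# Squid applies the first http_access line that matches a transaction.
# This line catches *every* transaction to a port outside the safe list,
# including plain GET/POST requests, which the two CONNECT rules below
# never match. That is the gap Amos pointed out.
http_access deny !safe_ports

# The two lines the original poster already had: CONNECT to a safe port
# is allowed, any other CONNECT is denied.
http_access allow CONNECT safe_ports
http_access deny CONNECT

# ... your own localnet / authentication rules go here ...
http_access deny all

# SslBump, as Alex suggests: a CONNECT to an unsafe port is closed
# outright at step1 instead of being denied with an error page that
# would be served under a Squid-generated certificate the browser is
# likely to reject. Everything else is stared at and then bumped.
ssl_bump terminate !safe_ports
ssl_bump stare all
ssl_bump bump all
```

Note that the ssl_bump rules only see CONNECT tunnels, so `ssl_bump terminate !safe_ports` complements rather than replaces `http_access deny !safe_ports`; the http_access line is still what stops a non-CONNECT request to an unsafe port.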