
Re: host header forgery check in docker environment

On 18/06/18 16:54, Kedar K wrote:
> Hi Amos, 
> Here is the topology:
> 
> client (curl from host running docker) --> squid_child (docker, using
> ssl-bump with intercept) --> squid_parent (VM with internet connection,
> https_port without ssl-bump) --> origin server.

Consider where/how the child proxy is getting the origin servers' TLS
certificate details with which to forge a server certificate in the bump
action.


> 
> local - 72.19.0.2:443 is the container running
> squid child
> remote - remote=172.19.0.1:44522 is the host
> machine where containers are running, I am using a curl to do initial
> tests. Eventually, request would come from other containers or external
> hosts on the docker daemon host.
> 
> With http traffic this works fine; wherein the request is forwarded to
> Parent and then to origin server. However, with https, header forgery
> kicks in and tls is terminated.

Given that you are essentially voiding what little security TLS
provides, there is no point in using it to secure any of these
connections. Just use curl (or squidclient) to send https:// URLs in
plain text HTTP messages. It is just as (in)secure as your current setup
and works much more reliably.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
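The "host header forgery" check that terminates the HTTPS connections in the topology above is Squid's rule for intercepted traffic: the name the client claims (the Host: header, or the TLS SNI when ssl-bump peeks at a ClientHello) must resolve, from the proxy's own point of view, to the IP address the client actually connected to. The following is an added example, not Squid's code and not part of the thread; it re-implements that rule in plain Python with an injected resolver so it runs offline. The hostnames, the DNS table and the IP 172.19.0.2 standing in for the proxy container are constructed for illustration, and the second scenario mirrors the docker setup described in the message, where curl is pointed straight at the child proxy's container address instead of being NAT-redirected on its way to the origin.

```python
"""Host header forgery check, as Squid applies it to intercepted connections.

Added example (not Squid's code). Everything below is constructed:
the DNS table, the hostnames and the addresses.
"""
import ipaddress
from typing import Callable, Iterable, List, Tuple

Resolver = Callable[[str], Iterable[str]]

# Constructed view of DNS as seen by the proxy.  The mapping for
# example.com is made up for the example; it is not the real address.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5", "10.0.0.6"],
}

# Constructed: the address of the container running the intercepting proxy.
PROXY_CONTAINER_IP = "172.19.0.2"


def fake_resolve(name: str) -> List[str]:
    """Offline stand-in for the proxy's DNS lookup."""
    return FAKE_DNS.get(name.lower().rstrip("."), [])


def host_forgery_check(intercepted_dst_ip: str, claimed_host: str,
                       resolve: Resolver = fake_resolve) -> Tuple[bool, str]:
    """Return (ok, reason) for one intercepted connection.

    intercepted_dst_ip is the original destination the client connected to,
    i.e. what the proxy recovers from the NAT table for intercepted traffic.
    claimed_host is the Host: header (plain HTTP) or the SNI (TLS).
    The request may only be relayed when the claimed name resolves to the
    address the client really targeted; otherwise a client could make the
    proxy fetch any site while appearing to talk to an unrelated address.
    """
    try:
        dst = ipaddress.ip_address(intercepted_dst_ip)
    except ValueError:
        return False, "invalid destination address %r" % intercepted_dst_ip
    addrs = {ipaddress.ip_address(a) for a in resolve(claimed_host)}
    if not addrs:
        return False, "%s does not resolve" % claimed_host
    if dst in addrs:
        return True, "destination matches a resolved address of %s" % claimed_host
    return False, "%s resolves to %s but the client connected to %s" % (
        claimed_host, sorted(map(str, addrs)), dst)


def classify(intercepted_dst_ip: str, claimed_host: str,
             proxy_ip: str = PROXY_CONTAINER_IP) -> str:
    """Name the situation the proxy is in, for the two cases from the thread.

    'direct': the client addressed the proxy itself, so the NAT lookup has
    no real origin address to recover and the check can never pass; the
    proxy also has no origin to connect to for the server certificate it
    would need to forge in the bump step.
    'ok' / 'forged': result of the forgery check on a genuinely redirected
    connection.
    """
    if intercepted_dst_ip == proxy_ip:
        return "direct"
    ok, _ = host_forgery_check(intercepted_dst_ip, claimed_host)
    return "ok" if ok else "forged"


if __name__ == "__main__":
    # Constructed cases: a NAT-redirected connection, then the thread's
    # setup where curl is pointed at the proxy container directly.
    for dst, sni in [("93.184.216.34", "example.com"),
                     (PROXY_CONTAINER_IP, "example.com"),
                     ("10.0.0.5", "example.com")]:
        print(dst, sni, classify(dst, sni), host_forgery_check(dst, sni)[1])
```

The check only passes when the proxy sits in the packet path and recovers the real origin address from the NAT redirect; a client that opens its TLS connection to the proxy's own address, as curl does in the thread's docker setup, always lands in the "direct" case, which is why the child proxy cannot bump those connections.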



