Search squid archive

Re: https debug

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



You probably meant 4.5...
http://www1.ngtech.co.il/repo/centos/7/x86_64/squid-4.5-1.el7.x86_64.rpm

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx



-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
Sent: Wednesday, January 2, 2019 12:01
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re:  https debug

On 2/01/19 10:30 pm, Sampei wrote:
> About way to use https protocol I think I use connect tunnel, here

When a CONNECT tunnel is being used and not SSL-Bump'ed then all TLS
related issues are problems with one of the endpoint software. Not
related to the proxy at all. Squid is just blindly relaying the TLS
bytes as-is between the endpoints.

That said, some specific configs may encounter issues due to explicitly
telling Squid to do certain things which cannot be done to CONNECT
tunnels (eg. URL-rewrite, ACL checks of path strings), or to deny the
CONNECT which obviously would make the TLS not "work" at all.


I suspect that in your case some other port is involved which you do not
know about and are thus not letting through Squid. The access.log should
show what Squid is dealing with there.


> parttial of my squid.conf
> 
> 
> acl SSL_ports port 443          # https
> acl SSL_ports port 563          # snews
> ...
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> ...
> http_access deny CONNECT !SSL_ports

Okay, but should be following the Safe_ports check. The default config
orders these checks by how common it is to encounter the attack types
they exist to prevent.

> http_access deny CONNECT !Safe_ports

The default config uses this instead:

 http_access deny !Safe_ports

The purpose of this Safe_ports ACL is to prevent the proxy handling
*any* traffic for protocols whose traffic syntax directly conflicts with
HTTP traffic syntax.

By limiting this check to only CONNECT messages, you are opening your
proxy to most of the attacks the Safe_port ACL was designed to prevent.



> acl test dstdomain example.com
> http_access allow test
> http_access allow CONNECT test

This latter is pointless. "test" was already allowed, so this line is
never reached by any traffic which it can match.


> I think to upgrade 4.x Squid but I'm looking for valid repository for
> Centos 7 which contains this pkg.

The official repositories for CentOS are detailed at
<https://wiki.squid-cache.org/KnowledgeBase/CentOS>

(I see that page needs an update Eliezer now has 4.4 in his main CentOS
repository <http://www1.ngtech.co.il/repo/centos/7/x86_64/>)


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux