Search squid archive

Re: Blocking CONNECT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/31/19 10:44 PM, johnr wrote:

> acl CONNECT method CONNECT
> acl to_bad_ip dst 55.55.2.3
> http_access deny CONNECT to_bad_ip

> In the above squid config, if I were to try go to https://55.55.2.3:443 I
> would get an ACCESS DENIED but squid would not block the CONNECT (it would
> respond to 200) and then block the subsequent HTTP request.

Yes, that is (currently) intentional.


> Is it possible to tell squid to block the CONNECT?

Not for connections that are subject to SslBump processing AFAIK. There
is a known need for a feature that would make such
bumping-to-deliver-CONNECT-error optional, but that feature has not been
sponsored or donated yet (and its design may require a preliminary
discussion on squid-dev). If I am not missing any workarounds, then your
options are outlined at

https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


> I do server-first SSL bump so if I don't block the CONNECT squid will
> reach out to the upstream server which I don't want it to do.

Yes, that is one of the reasons why folks want to make
bumping-to-deliver-CONNECT-error optional.


> I know this would make it impossible to serve the block page
> and have the browser show an error but I don't mind about that.  

Yes, thank you for disclosing that understanding.

Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux