We are using Squid as a perimeter egress filter. One thing I've recently noticed is that, based on my current config, it's possible to make a request through Squid to an HTTPS endpoint without doing a CONNECT request. I was wondering if this should be allowed behavior for a proxy, or if it's just a business requirement to deny that type of request, or if that behavior shouldn't be allowed anyway. My concern being that if Squid is deployed in an environment that has PCI/PII data, I wouldn't want Squid to hold that data decrypted even for a little while, and the client should have an encrypted tunnel through to the server.

The following request gets rejected, and should be. (This is because of the rule: http_access deny CONNECT !SSL_ports)

cat <<EOL | nc localhost 3128
CONNECT ifconfig.io:80 HTTP/1.1
Host: ifconfig.io:80
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive

EOL

However, this request is allowed unless I add (http_access deny SSL_Ports !CONNECT):

cat <<EOL | nc localhost 3128
GET https://ifconfig.io/ip HTTP/1.1
User-Agent: curl/7.29.0
Host: ifconfig.io
Accept: */*
Proxy-Connection: Keep-Alive

EOL

This request is of concern because it means Squid is doing the HTTPS request and decrypting the response before returning it to the client. I can solve this by making the Squid endpoint SSL too, but even then I don't want Squid to have the data decrypted at all, which is why I've added the extra rule. I'm testing this off of the latest master commit.

Basically, I'm wondering if my extra access rule of http_access deny SSL_PORTS !CONNECT is sufficient to make sure Squid doesn't decrypt the response.

$ ./src/squid -v
Squid Cache: Version 5.0.0-VCS
Service Name: squid
This binary uses OpenSSL 1.1.1d FIPS 10 Sep 2019.
For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--prefix=/home/josepjones/.local/squid' '--enable-icmp' '--with-openssl'

squid.conf:

debug_options ALL,1 11,3 rotate=0

# tg - GMT time
# >a - Client source IP address
# >p - Client source port
# Ss - Squid request status
# >Hs - HTTP status code sent to client
# <st - Total size of reply sent to client
# >st - Total size of request received from client. Excluding chunked encoding bytes.
# >rm - Request method from client
# >ru - Request URL received from client
# >rd - Request URL domain from client
# <a - Server IP address of the last server or peer connection
logformat my_squid [%tl] %>a %6>p %Ss/%03>Hs %>st %<st %>rm %>ru %>rd/%<a
access_log stdio:/dev/stdout logformat=my_squid rotate=0
cache_log stdio:/dev/stderr

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl http_whitelist dstdomain "/home/josepjones/.local/squid/etc/whitelist.txt"
acl http_blacklist dstdomain "/home/josepjones/.local/squid/etc/blacklist.txt"

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access deny SSL_Ports !CONNECT
http_access deny http_blacklist
http_access allow http_whitelist
http_access deny CONNECT http_blacklist
http_access allow CONNECT http_whitelist
http_access deny all

# disable caching
cache deny all

# Squid normally listens to port 3128
http_port 3128
visible_hostname squid

# Uncomment and adjust the following to add a disk cache directory.
cache_mem 0
# cache_dir rock /home/josepjones/.local/squid/var/spool 100

# Leave coredumps in the first cache dir
coredump_dir /home/josepjones/.local/squid

-- 
Joseph M Jones

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
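The question in the post comes down to how Squid's first-match http_access evaluation treats a plain GET for an https:// URL. The following is an added illustration, not code from the post or from Squid: a small model of that evaluation run over the poster's ACLs, with the whitelist contents, the extra "https_urls" ACL (a hypothetical `proto HTTPS` ACL not in the post) and the sample requests all constructed here. The model folds ACL name case (so the post's SSL_ports and SSL_Ports resolve to one ACL), gives CONNECT targets no URL scheme, and simplifies dstdomain matching; all three are modelling assumptions to check against squid.conf.documented rather than statements about Squid's internals.

```python
"""Added illustration (not Squid's own code): a first-match model of Squid's
http_access evaluation, run over the ACLs from the post. ACL semantics here
are simplified assumptions; check squid.conf.documented for the real ones."""
from collections import namedtuple
from urllib.parse import urlsplit

Request = namedtuple("Request", "method scheme host port")

# Constructed stand-ins for the post's whitelist.txt / blacklist.txt.
WHITELIST = {"ifconfig.io"}
BLACKLIST = set()

# ACLs from the post, keyed in lower case: the model folds case so that the
# post's "SSL_ports" and "SSL_Ports" name one ACL (a modelling assumption).
# "https_urls" is hypothetical (acl https_urls proto HTTPS) and is only used
# by the third rule set below.
ACLS = {
    "ssl_ports": ("port", {443}),
    "safe_ports": ("port", {80, 8080, 443}),
    "connect": ("method", {"CONNECT"}),
    "http_whitelist": ("dstdomain", WHITELIST),
    "http_blacklist": ("dstdomain", BLACKLIST),
    "https_urls": ("proto", {"https"}),
    "all": ("all", None),
}


def parse_request(method, target):
    """Turn a proxy request line into a Request. CONNECT targets are host:port
    (no scheme in this model); other methods carry an absolute URL whose
    scheme supplies the default port when none is given."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return Request(method, None, host, int(port))
    u = urlsplit(target)
    default_port = {"http": 80, "https": 443}[u.scheme]
    return Request(method, u.scheme, u.hostname, u.port or default_port)


def domain_match(patterns, host):
    """dstdomain (simplified): '.example.com' covers the domain and its
    subdomains, 'example.com' only the exact name."""
    for p in patterns:
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def acl_match(name, req):
    kind, values = ACLS[name.lower()]
    if kind == "port":
        return req.port in values
    if kind == "method":
        return req.method in values
    if kind == "dstdomain":
        return domain_match(values, req.host)
    if kind == "proto":
        return req.scheme in values
    return True  # "all"


def term_match(term, req):
    """A '!' prefix negates an ACL reference, as on an http_access line."""
    if term.startswith("!"):
        return not acl_match(term[1:], req)
    return acl_match(term, req)


def evaluate(rule_lines, req):
    """The first http_access line whose ACLs all match decides. With no match,
    Squid applies the opposite of the last line's action (modelled the same)."""
    rules = [line.split() for line in rule_lines]
    for index, (action, *terms) in enumerate(rules):
        if all(term_match(t, req) for t in terms):
            return action, index
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


# The post's http_access lines without the extra rule ...
BASE = [
    "deny !Safe_ports",
    "deny CONNECT !SSL_ports",
    "deny http_blacklist",
    "allow http_whitelist",
    "deny CONNECT http_blacklist",
    "allow CONNECT http_whitelist",
    "deny all",
]
# ... with the post's extra port-based rule in the position the post uses ...
WITH_PORT_RULE = BASE[:2] + ["deny SSL_Ports !CONNECT"] + BASE[2:]
# ... and a hypothetical scheme-based variant in the same position.
WITH_PROTO_RULE = BASE[:2] + ["deny https_urls"] + BASE[2:]

# Constructed requests: the two from the post plus three edge cases.
REQUESTS = {
    "connect_80": ("CONNECT", "ifconfig.io:80"),
    "get_https": ("GET", "https://ifconfig.io/ip"),
    "connect_443": ("CONNECT", "ifconfig.io:443"),
    "get_https_port80": ("GET", "https://ifconfig.io:80/ip"),
    "get_http": ("GET", "http://ifconfig.io/"),
}


def decisions(rule_lines):
    """Map each sample request to the allow/deny decision of one rule set."""
    return {name: evaluate(rule_lines, parse_request(*req))[0]
            for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for label, rules in (("base", BASE), ("port rule", WITH_PORT_RULE),
                         ("proto rule", WITH_PROTO_RULE)):
        print(label, decisions(rules))
```

Run stand-alone, the model reproduces what the post observed: with the base rules the GET for https://ifconfig.io/ip never hits a deny line and reaches `allow http_whitelist`, so Squid would originate the TLS connection itself and hand the client a plaintext reply; `deny SSL_Ports !CONNECT`, placed before the whitelist allow, catches it while leaving `CONNECT ifconfig.io:443` and ordinary http:// traffic alone. The caveat the model also surfaces is that the extra rule keys on destination port 443, not on the URL scheme: an https:// URL naming a port from Safe_ports (the `:80` sample) still passes. An ACL of type `proto` (which Squid does provide) expresses the intent "no plain-HTTP requests for https:// URLs" directly; before relying on it, confirm in squid.conf.documented how CONNECT requests are classified by `proto`, since this model simply gives them no scheme.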