[squid-users] connecting directly to ssl-bump intercept port causes runaway CPU
Jason Haar
Jason_Haar at trimble.com
Wed Nov 12 19:23:00 UTC 2014
Typical, I figured out an iptables workaround within seconds of sending my last email.

I still think squid needs to be able to stop this DoS, but this will stop the issue occurring:

iptables -t nat -A PREROUTING -d proxy.ip -i lan.interface -p tcp -m tcp --dport 3127 -j REDIRECT --to-ports 9876   # 9876 has nothing running on it
iptables -t nat -A PREROUTING ! -d lan.subnet/netmask -i lan.interface -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127   # 3127 is our ssl intercept port

So I get "connection refused" when I try to connect to the proxy on port 3127, but https intercept still works for anything else. Now squid never sees the direct 3127 connection and so never goes into a loop.
Jason
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
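The same two rules as a small POSIX shell script, added here as an example and not part of Jason's post: it takes the proxy address, interface, subnet and ports from variables (the values shown are placeholders), adds each rule only if it is not already present, and checks that the dead port really has no listener, since anything answering there would defeat the first rule.

```shell
#!/bin/sh
# Added example, not from the original mail. All values below are placeholders
# to be replaced with the real proxy address, client-facing interface and subnet.
PROXY_IP="${PROXY_IP:-192.0.2.10}"        # proxy's own LAN address (placeholder)
LAN_IF="${LAN_IF:-eth1}"                  # interface the clients arrive on
LAN_NET="${LAN_NET:-192.0.2.0/24}"        # local subnet, excluded from intercept
INTERCEPT_PORT="${INTERCEPT_PORT:-3127}"  # squid's ssl-bump intercept port
DEAD_PORT="${DEAD_PORT:-9876}"            # must have nothing listening on it

# Print the two PREROUTING rule specs, one per line, without table/chain/action.
rule_specs() {
    # 1. A client talking straight to the intercept port gets bounced to a
    #    closed port, so squid never sees the connection and cannot loop.
    printf '%s\n' "-d $PROXY_IP -i $LAN_IF -p tcp -m tcp --dport $INTERCEPT_PORT -j REDIRECT --to-ports $DEAD_PORT"
    # 2. Everything else leaving the LAN on 443 is transparently intercepted.
    printf '%s\n' "! -d $LAN_NET -i $LAN_IF -p tcp -m tcp --dport 443 -j REDIRECT --to-ports $INTERCEPT_PORT"
}

# Append each rule only if it is not already there (iptables -C exits 0 when
# an identical rule exists), so re-running the script does not duplicate rules.
apply_rules() {
    rule_specs | while IFS= read -r spec; do
        # $spec is deliberately unquoted so it splits into iptables arguments
        if iptables -t nat -C PREROUTING $spec 2>/dev/null; then
            echo "present: $spec"
        else
            iptables -t nat -A PREROUTING $spec && echo "added: $spec"
        fi
    done
}

# Exit 0 only if no TCP socket is listening on the dead port (header line skipped).
dead_port_is_closed() {
    ! ss -ltn "sport = :$DEAD_PORT" 2>/dev/null | tail -n +2 | grep -q .
}

# Usage (as root): dead_port_is_closed || echo "something listens on $DEAD_PORT"; apply_rules
```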