[squid-users] HEAD over HTTPS

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 25 23:38:27 UTC 2016


On 26/02/2016 11:47 a.m., Dick Visser wrote:
> Hi
> 
> I'm trying to set up an acl to allow a link checker tool to do its
> work through squid.
> This tool is a Wordpress plugin.
> The whole reason I have squid is so that Wordpress itself cannot
> retrieve random stuff from the Internet.
> 
> I had come up with the idea of allowing HEAD method, so the link
> checker plugin can do its job while at the same time not allowing
> malicious content to be retrieved.
> This appears to work well.
> 
> However, when the plugin tries to check HTTPS URLs it uses CONNECT,
> which is then denied by squid.

The tool is set up to relay TLS "HTTPS" through an *HTTP* proxy. To have
any more control than what you already found with that particular
layering will require MITM'ing that traffic with Squid SSL-Bump feature.

However, Squid is capable of receiving TLS connections in its role as
explicit/forward proxy. If the tool can be updated to use TLS to secure
its connection to the proxy, then to deliver its https:// messages to
the proxy over that (instead of using "HTTPS") you will get better
control without any loss of security.

Amos
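
A squid.conf sketch of the two layerings discussed in this thread, added here as an example and not taken from either poster's configuration. The client address, port numbers and certificate paths are constructed placeholders, and the `tls-cert=`/`tls-key=` spelling assumes Squid 4 or later (3.5 uses `cert=`/`key=`).

```conf
# --- What the proxy sees in each case (constructed request lines) ---
# Plain HTTP link:          HEAD http://example.org/page HTTP/1.1
#   -> method is HEAD, the method ACL below matches.
# https:// link via tunnel: CONNECT example.org:443 HTTP/1.1
#   -> method is CONNECT; the HEAD inside the tunnel is encrypted and
#      invisible to Squid, so a HEAD-only rule denies it.
# https:// link over a TLS connection to the proxy:
#                           HEAD https://example.org/page HTTP/1.1
#   -> method is HEAD again; Squid opens the TLS connection to the
#      origin itself and the method ACL applies.

# Host running the WordPress link checker (placeholder address)
acl linkchecker src 192.0.2.10

# Only HEAD requests
acl head_only method HEAD

# Existing plain-text listener: CONNECT tunnels arrive here
http_port 3128

# TLS listener for explicit/forward proxy use: the client speaks TLS
# to Squid and sends full https:// URLs inside that connection
# (placeholder port and certificate paths)
https_port 3129 tls-cert=/etc/squid/proxy.pem tls-key=/etc/squid/proxy.key

# Link checker may issue HEAD and nothing else, on either listener
http_access allow linkchecker head_only
http_access deny linkchecker
http_access deny all
```

The client has to support an HTTPS proxy (TLS to the proxy itself) and trust the certificate on the `https_port` for the second listener to be usable.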


