[squid-users] Help with UA filtering in https connections

Alex Rousskov rousskov at measurement-factory.com
Tue Jan 2 16:06:43 UTC 2018


On 01/02/2018 07:08 AM, Matus UHLAR - fantomas wrote:
> On 02.01.18 06:04, squidnoob wrote:
>> http_access allow CONNECT safe_ports
>> http_access deny CONNECT


>> I understand adding this line that you suggested as it's not already
>> there.
>> http_access deny !safe_ports

Yes, this or similar line (and possibly other lines) is needed, provided
it matches your proxying environment. My sketch only dealt with your
original/specific problem, not general proxying protections...


>> However, I don't understand why I would need to add this (http_access
>> deny CONNECT !SSL_Ports ) given the two lines above in the existing config.

You do not need to add it AFAICT.


> the two lines above unconditionally allow CONNECT anywhere,

This is incorrect. The lines deny CONNECT to unsafe ports. What Amos
correctly pointed out is that *non-CONNECT* transactions may go to
unsafe ports as well, and it is considered best practice to block such
traffic by default.

Please note that denying CONNECTs to unsafe ports at step1 may not work
well because the certificate generated by Squid will be rejected by the
browser in many cases. You may decide to simply terminate such CONNECT
transactions instead:

  # terminate malicious tunnels and bump everything else
  ssl_bump terminate !safe_ports
  ssl_bump stare all
  ssl_bump bump all


Alex.
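As an added illustration of how the pieces discussed in this thread fit together in one squid.conf (my own example, not configuration from the thread or from the Squid project), assuming the ACL names safe_ports, SSL_ports and localnet, a constructed client range 192.0.2.0/24, and a signing certificate at /etc/squid/bump.pem:

```squid
# --- ACLs (assumed names; the port lists mirror the stock squid.conf) ---
acl safe_ports port 80 443 21 70 210 280 488 591 777 1025-65535
acl SSL_ports  port 443
acl CONNECT    method CONNECT
acl localnet   src 192.0.2.0/24        # constructed example client range

# --- listening port that bumps TLS tunnels ---
# Squid 3.5 spells the certificate option cert=; Squid 4 uses tls-cert=.
# The sslcrtd_program / certificate-cache lines are omitted here.
http_port 3128 ssl-bump cert=/etc/squid/bump.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# --- http_access: first match wins ---
# Plain (non-CONNECT) requests to unsafe ports are blocked here, as Amos
# pointed out. CONNECT is deliberately left out of this rule so that tunnels
# to unsafe ports reach the ssl_bump "terminate" rule below instead of being
# answered with an error page over a Squid-generated certificate.
http_access deny !CONNECT !safe_ports
http_access allow localnet
http_access deny all

# --- ssl_bump: evaluated at each step, first applicable match wins ---
# At step1 the target port is already known from the CONNECT request, so a
# tunnel to an unsafe port is torn down before any forged certificate is
# sent to the browser. Everything else is stared at and then bumped, which
# is what makes request headers such as User-Agent visible to http_access
# rules on the decrypted requests.
ssl_bump terminate !safe_ports
ssl_bump stare all
ssl_bump bump all
```

The split between `http_access deny !CONNECT !safe_ports` and `ssl_bump terminate !safe_ports` is my own choice, not a line from the thread: it keeps the general "no unsafe ports" protection for ordinary requests while letting tunnels to unsafe ports fail with a closed connection rather than a TLS certificate error. If you prefer the stock `http_access deny !safe_ports` line instead, be aware that it also denies such CONNECTs at step1, so the terminate rule is then never reached for them.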

