[squid-users] Help with UA filtering in https connections
Alex Rousskov
rousskov at measurement-factory.com
Tue Jan 2 16:06:43 UTC 2018
On 01/02/2018 07:08 AM, Matus UHLAR - fantomas wrote:
> On 02.01.18 06:04, squidnoob wrote:
>> http_access allow CONNECT safe_ports
>> http_access deny CONNECT
>> I understand adding this line that you suggested as it's not already
>> there.
>> http_access deny !safe_ports
Yes, this or similar line (and possibly other lines) is needed, provided
it matches your proxying environment. My sketch only dealt with your
original/specific problem, not general proxying protections...
>> However, I don't understand why I would need to add this (http_access
>> deny CONNECT !SSL_Ports) given the two lines above in the existing config.
You do not need to add it AFAICT.
> the two lines above unconditionally allow CONNECT anywhere,
This is incorrect. The lines deny CONNECT to unsafe ports. What Amos
correctly pointed out is that *non-CONNECT* transactions may go to
unsafe ports as well, and it is considered best practice to block such
traffic by default.
Please note that denying CONNECTs to unsafe ports at step1 may not work
well because the certificate generated by Squid will be rejected by the
browser in many cases. You may decide to simply terminate such CONNECT
transactions instead:
# terminate malicious tunnels and bump everything else
ssl_bump terminate !safe_ports
ssl_bump stare all
ssl_bump bump all
Alex.
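The pieces discussed in this thread, put together as one squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project: the lowercase ACL names follow the poster's config, the port lists are the usual squid.conf defaults and are an assumption to be trimmed to what the site actually needs, and the ssl-bump listening port and the certificate generation helper (sslcrtd_program) are assumed to be configured elsewhere.

```squid
# Added example, not from the thread. ACL names follow the poster's
# lowercase spelling; the port lists are the usual squid.conf defaults
# (an assumption) and should be trimmed to what the site really needs.
# The http_port ... ssl-bump line and sslcrtd_program are assumed to be
# configured elsewhere in the file.

acl SSL_ports port 443
acl safe_ports port 80          # http
acl safe_ports port 21          # ftp
acl safe_ports port 443         # https
acl safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

# Non-CONNECT requests to unsafe ports are not covered by the CONNECT
# rules below, so block them first (the line the reply says is needed).
http_access deny !safe_ports

# The poster's existing CONNECT rules: tunnels only to safe ports.
http_access allow CONNECT safe_ports
http_access deny CONNECT

# ... the site's remaining http_access rules (localnet etc.) go here ...

# Tunnels that reach ssl_bump with an unsafe destination port are closed
# outright. A denial at step1 would make Squid answer with a generated
# certificate that the browser usually rejects; terminate just drops the
# connection. Everything else is stared at and then bumped.
ssl_bump terminate !safe_ports
ssl_bump stare all
ssl_bump bump all
```

Keep the http_access rules above any broader allow lines (such as the usual allow localnet), since http_access is first-match and a later allow cannot be reached by a request an earlier deny already stopped.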