[squid-users] Clarification on behavior

Joseph Jones josepjones at expediagroup.com
Thu Oct 10 14:43:09 UTC 2019

we are using squid a a perimeter egress filter. one think I've recently noticed is based on my current config it's possible to make a request through squid to an HTTPS endpoint with out doing a CONNECT request. 

I was wondering if this should be allowed behavior for a proxy or if it's just a business requirement to deny that type of request or if that behavior shouldn't be allowed anyway.  My concern being if squid is deployed in an environment that has PCI/PII data I wouldn't want squid to hold that data decrypted even for a little while and the client should have encrypted tunnel through to the server. 

the following request gets rejected and should be. (This is because of the rule: http_access deny CONNECT !SSL_ports)
cat <<EOL | nc localhost 3128
CONNECT ifconfig.io:80 HTTP/1.1
Host: ifconfig.io:80
User-Agent: curl/7.29.0
Proxy-Connection: Keep-Alive


however this request is allowed unless I add (http_access deny SSL_Ports !CONNECT)
cat <<EOL | nc localhost 3128
GET https://ifconfig.io/ip HTTP/1.1
User-Agent: curl/7.29.0
Host: ifconfig.io
Accept: */*
Proxy-Connection: Keep-Alive


This request is of concern because this means squid is doing the https request and decrypting the response before returning it to the client. I can solve this by making the squid endpoint SSL too. but even then I don't want squid to have the data decrypted at all. Which is why I've added the extra rule.

I'm testing this off of latest master commit. 

basically I'm wonder if my extra access rule of http_access deny SSL_PORTS !CONNECT is sufficient enough to make sure squid doesn't decrypt the response. 

$ ./src/squid -v
Squid Cache: Version 5.0.0-VCS
Service Name: squid

This binary uses OpenSSL 1.1.1d FIPS  10 Sep 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/home/josepjones/.local/squid' '--enable-icmp' '--with-openssl'

debug_options ALL,1 11,3 rotate=0

# tg  - GMT time
# >a  - Client source IP address
# >p  - Client source port
# Ss  - Squid request status
# >Hs - HTTP status code sent to client
# <st - Total size of reply sent to client
# >st - Total size of request received from client. Excluding chunked encoding bytes.
# >rm - Request method from client
# >ru - Request URL received from client
# >rd - Request URL domain from client
# <a  - Server IP address of the last server or peer connection
logformat my_squid [%tl] %>a %6>p %Ss/%03>Hs %>st %<st %>rm %>ru %>rd/%<a

access_log stdio:/dev/stdout logformat=my_squid rotate=0
cache_log stdio:/dev/stderr

acl SSL_ports port 443
acl Safe_ports port 80    # http
acl Safe_ports port 8080  # http
acl Safe_ports port 443   # https

acl http_whitelist dstdomain "/home/josepjones/.local/squid/etc/whitelist.txt"
acl http_blacklist dstdomain "/home/josepjones/.local/squid/etc/blacklist.txt"

# Recommended minimum Access Permission configuration:
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

http_access deny SSL_Ports !CONNECT

http_access deny http_blacklist
http_access allow http_whitelist

http_access deny CONNECT http_blacklist
http_access allow CONNECT http_whitelist

http_access deny all

# disable caching
cache deny all

# Squid normally listens to port 3128
http_port 3128
visible_hostname squid

# Uncomment and adjust the following to add a disk cache directory.
cache_mem 0
# cache_dir rock /home/josepjones/.local/squid/var/spool 100

# Leave coredumps in the first cache dir
coredump_dir /home/josepjones/.local/squid


Joseph M Jones

More information about the squid-users mailing list