[squid-users] Clarification on behavior

Alex Rousskov rousskov at measurement-factory.com
Thu Oct 10 22:06:49 UTC 2019


On 10/10/19 10:43 AM, Joseph Jones wrote:

> I've recently noticed is based on my current config it's possible to
> make a request through squid to an HTTPS endpoint with out doing a
> CONNECT request.


> I was wondering if this should be allowed behavior for a proxy or if
> it's just a business requirement to deny that type of request or if
> that behavior shouldn't be allowed anyway.

This is not a protocol issue: There are Squid deployments where "GET
https://..." requests are perfectly normal, and there are Squid
deployments where such requests must be blocked. Configure your Squid to
match your environment.


> My concern being if squid is deployed in an environment that has
> PCI/PII data I wouldn't want squid to hold that data decrypted even
> for a little while and the client should have encrypted tunnel
> through to the server.


> I'm wonder if my extra access rule of http_access deny SSL_PORTS
> !CONNECT is sufficient enough to make sure squid doesn't decrypt the
> response.

> http_access deny CONNECT !SSL_ports
> http_access deny SSL_PORTS !CONNECT

The above does not deny "GET https://example.com:80/". That may be OK in
your setup because there are no TLS servers on port 80 behind your
Squid, but, in general, it is not enough to prevent Squid decryption. If
you want to follow this path, you probably want access rules based on
request-target (a.k.a. URI) scheme -- prohibit requests with an "https:"
scheme.

If you do not want Squid to decrypt, consider building Squid without
OpenSSL (and GnuTLS) support. That way, if something slips past your
rules (for any reason), you can still be sure that Squid will not
decrypt anything.


HTH,

Alex.


> acl SSL_ports port 443
> acl Safe_ports port 80    # http
> acl Safe_ports port 8080  # http
> acl Safe_ports port 443   # https

> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> http_access deny SSL_Ports !CONNECT
> 
> http_access deny http_blacklist
> http_access allow http_whitelist
> 
> http_access deny CONNECT http_blacklist
> http_access allow CONNECT http_whitelist
> 
> http_access deny all
> 
> # disable caching
> cache deny all
> 
> 
> # Squid normally listens to port 3128
> http_port 3128
> visible_hostname squid
> 
> # Uncomment and adjust the following to add a disk cache directory.
> cache_mem 0
> # cache_dir rock /home/josepjones/.local/squid/var/spool 100
> 
> # Leave coredumps in the first cache dir
> coredump_dir /home/josepjones/.local/squid
> 
> -- 
> 
> 
> 
> Joseph M Jones
> 
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 



More information about the squid-users mailing list