[squid-dev] [PATCH] Support http_access denials of SslBump "peeked" connections.
Tsantilas Christos
chtsanti at users.sourceforge.net
Tue Dec 9 16:30:52 UTC 2014
Hi all,
If an SSL connection is "peeked", it is currently not possible to
deny it with http_access. For example, the following configuration
denies all plain HTTP requests as expected but allows all CONNECTs (and
all subsequent encrypted/spliced HTTPS requests inside the allowed
CONNECT tunnels):
http_access deny all
ssl_bump peek all
ssl_bump splice all
The bug results in insecure bumping configurations and/or forces admins
to abuse the ssl_bump directive (during step1 of bumping) for access control
(as a partial workaround).
This change sends all SSL tunnels (CONNECT and transparent) through
http_access (and adaptation, etc.) checks during bumping step1. If (real
or fake) CONNECT is denied during step1, then Squid does not connect to
the SSL server, but bumps the client connection, and then delivers an
error page (in response to the first decrypted GET). The behavior is
similar to what Squid has already been doing for server certificate
validation errors.
Please read the Technical notes included in the patch preamble.
This is a Measurement Factory project
Attachment: SQUID-2-deny-peeked-CONNECTs-t4.patch (text/x-patch, 13217 bytes)
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20141209/5cda5c67/attachment.bin>