[squid-users] Queries on safe_ports

Amos Jeffries squid3 at treenet.co.nz
Thu Jan 7 17:15:23 UTC 2016


On 8/01/2016 4:32 a.m., Anonymous cross wrote:
> Hi All,
> 
> I have basic queries on a usage of safe and SSL_ports in squid.
> 
> Since squid proxies only HTTP packets then why do we need to add different
> protocols in safe ports?

Some protocols, particularly the older text-based ones that ports 0-1024
were registered for, can be smuggled through as crafted HTTP headers or
payload. Allowing clients to request proxying to them causes dangerous
problems.

> 
> Our box is configured to redirect only port 80 packets to 3129? Do we need
> to have safe and SSL ports in such a case?

Yes. The ACLs are not about what ports are used to contact Squid but
what ports are permitted to be used in the URLs served by Squid.

> 
> I am trying to understand the need for safe ports in SQUID proxy. Because I
> don't see any use-case for this.

<http://wiki.squid-cache.org/SquidFaq/SecurityPitfalls>

Amos
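
The port check described in the reply above, as an added example that is not part of the original message and not Squid's own code. It is a simplified Python model of the `http_access deny !Safe_ports` and `http_access deny CONNECT !SSL_ports` rules; the port lists are assumed to match a commonly shipped default squid.conf, and the function names and request lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Port lists as in a commonly shipped default squid.conf (assumed here):
#   acl SSL_ports port 443
#   acl Safe_ports port 80 21 443 70 210 280 488 591 777 1025-65535
SSL_PORTS = [(443, 443)]
SAFE_PORTS = [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
              (280, 280), (488, 488), (591, 591), (777, 777), (1025, 65535)]
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21}


def in_acl(port, ranges):
    """True if the port falls inside any (low, high) range of the ACL."""
    return any(lo <= port <= hi for lo, hi in ranges)


def target_port(method, target):
    """Port named by the request target, not the port Squid listens on."""
    if method == "CONNECT":                 # authority form: host:port
        return int(target.rsplit(":", 1)[1])
    url = urlsplit(target)
    return url.port or DEFAULT_PORT[url.scheme]


def decide(request_line):
    """Model of:  http_access deny !Safe_ports
                  http_access deny CONNECT !SSL_ports"""
    method, target, _version = request_line.split()
    port = target_port(method, target)
    if not in_acl(port, SAFE_PORTS):
        return "deny !Safe_ports"
    if method == "CONNECT" and not in_acl(port, SSL_PORTS):
        return "deny CONNECT !SSL_ports"
    return "continue"    # later http_access rules still apply


# Constructed request lines; every one arrives on the same listening port.
SAMPLES = [
    "GET http://www.example.com/ HTTP/1.1",
    "GET http://mail.example.com:25/ HTTP/1.1",
    "GET http://app.example.com:8080/ HTTP/1.1",
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT host.example.com:8080 HTTP/1.1",
    "CONNECT host.example.com:22 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{decide(line):26} {line}")
```

The decision depends only on the port in the request target, so the same results hold whether the request reached the proxy on 3129 or any other listening port.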


