[squid-users] HEAD over HTTPS

Dick Visser dick.visser at geant.org
Wed Mar 30 21:36:08 UTC 2016


On 26 February 2016 at 00:38, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 26/02/2016 11:47 a.m., Dick Visser wrote:
>> Hi
>>
>> I'm trying to set up an acl to allow a link checker tool to do its
>> work through squid.
>> This tool is a Wordpress plugin.
>> The whole reason I have squid is so that Wordpress itself cannot
>> retrieve random stuff from the Internet.
>>
>> I had come up with the idea of allowing HEAD method, so the link
>> checker plugin can do its job while at the same time not allowing
>> malicious content to be retrieved.
>> This appears to work well.
>>
>> However, when the plugin tries to check HTTPS URLs it uses CONNECT,
>> which is then denied by squid.
>
> The tool is set up to relay TLS "HTTPS" through an *HTTP* proxy. To have
> any more control than what you already found with that particular
> layering will require MITM'ing that traffic with Squid SSL-Bump feature.
>
> However, Squid is capable of receiving TLS connections in its role as
> explicit/forward proxy. If the tool can be updated to use TLS to secure
> its connection to the proxy, then to deliver its https:// messages to
> the proxy over that (instead of using "HTTPS") you will get better
> control without any loss of security.
>

I checked and the tool does not support TLS to the proxy...
It is not a problem here to use SSLbump, but I don't understand how to
configure squid to allow *only* HEAD requests on HTTPS.
Because that is done using the CONNECT method.
The HEAD method doesn't go 'inside' the CONNECT method - or am I
mixing things up?

I'll start with using Squid 3.5.x to make sure I have the latest versions.

Thanks

Dick
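
An added example, not part of the original message or of the Squid project's own configuration: a squid.conf fragment for Squid 3.5.x showing the SSL-Bump approach discussed above. The CONNECT is admitted only to port 443, the tunnel is bumped, and each decrypted request inside it is then checked by http_access again, so only HEAD passes. The client address, CA file and helper paths are assumptions, and the WordPress host has to trust the bumping CA.

```conf
# Constructed example for Squid 3.5.x built with OpenSSL support.
# All paths and the client address below are assumptions; adjust to the local install.

# Forward-proxy port with SSL-Bump enabled; the CA in bump-ca.pem signs the
# per-host certificates presented to the client.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints the per-host certificates (named ssl_crtd in 3.5).
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# Who may use the proxy and what they may ask for.
acl wordpress src 192.0.2.10          # hypothetical WordPress host
acl SSL_ports port 443
acl CONNECT method CONNECT
acl HEAD_only method HEAD

# Peek at the TLS ClientHello first, then decrypt everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# http_access is evaluated for the CONNECT itself and then again for every
# request decrypted from the bumped tunnel.
http_access deny CONNECT !SSL_ports
http_access allow wordpress CONNECT SSL_ports   # lets the tunnel be set up
http_access allow wordpress HEAD_only           # plain-HTTP and bumped HEAD
http_access deny all                            # GET, POST, etc. are refused
```

Connections that cannot be bumped are not covered by this fragment and need their own ssl_bump rule.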

