[squid-users] HEAD over HTTPS

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 31 03:54:48 UTC 2016 

On 31/03/2016 10:36 a.m., Dick Visser wrote:
> On 26 February 2016 at 00:38, Amos Jeffries wrote:
>> On 26/02/2016 11:47 a.m., Dick Visser wrote:
>>> Hi
>>>
>>> I'm trying to set up an acl to allow a link checker tool to do its
>>> work through squid.
>>> This tool is a Wordpress plugin.
>>> The whole reason I have squid is so that Wordpress itself cannot
>>> retrieve random stuff from the Internet.
>>>
>>> I had come up with the idea of allowing HEAD method, so the link
>>> checker plugin can do its job while at the same time not allowing
>>> malicious content to be retrieved.
>>> This appears to work well.
>>>
>>> However, when the plugins tries to check HTTPS URLs it uses CONNECT,
>>> which is then denied by squid.
>>
>> The tool is setup to relay TLS "HTTPS" through an *HTTP* proxy. To have
>> any more control than what you already found with that particular
>> layering will require MITM'ing that traffic with Squid SSL-Bump feature.
>>
>> However, Squid is capable of recieving TLS connections in its role as
>> explicit/forward proxy. If the tool can be updated to use TLS to secure
>> its connection to the proxy, then to deliver its https:// messages to
>> the proxy over that (instead of using "HTTPS") you will get better
>> control without any loss of security.
>>
> 
> I checked and the tool does not support TLS to the proxy...
> It is not a problem here to use SSLbump, but I don't understand how to
> configure squid to allow *only* HEAD request on HTTPS.
> Because that is done using the CONNECT method.
> The HEAD method doesn't go 'inside' the CONNECT method - or am I
> mixing things up?

Yes you are mixing things up. The CONNECT is "outside", and the HEAD is
"inside" the encryption layer.

Squid normally only sees the "outside". But SSL-Bump ('bump' action for
full decryption) lets Squid see the "inside" as well.


So for configuration:

 # let the tool send CONNECT requests (only to SSL ports)
 # NP: this is separate from the default "deny CONNECT SSL_ports" line
 #  which should come first.
 acl tool src <ip address of the tool>
 http_access allow CONNECT SSL_ports toolip

 # let HTTPS HEAD requsts happen
 acl HEAD method HEAD
 acl HTTPS proto HTTPS
 https_access allow HEAD HTTPS

 http_access deny all

... plus the usual http_port and ssl_bump settings for bumping.

I used tool IP address and src ACL above to be simple. You may have some
other way to identify the tools CONNECT requests.

Amos

More information about the squid-users mailing list