[squid-users] Help with UA filtering in https connections

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Jan 3 12:52:33 UTC 2018


On 02.01.18 09:06, Alex Rousskov wrote:
>On 01/02/2018 07:08 AM, Matus UHLAR - fantomas wrote:
>> On 02.01.18 06:04, squidnoob wrote:
>>> http_access allow CONNECT safe_ports
>>> http_access deny CONNECT

>> the two lines above unconditionally allow CONNECT anywhere,
>
>This is incorrect. The lines deny CONNECT to unsafe ports.

You are missing something.

Those lines unconditionally allow CONNECT requests to safe ports ANYWHERE,
which is apparently not what was wanted/expected.

The first line ALLOWS all CONNECT requests to safe ports in a way that
CAN NOT BE DISABLED later.

The second line denies CONNECT to unsafe ports.

The difference between the lines above and the following one:

http_access deny CONNECT !safe_ports

is that in this case you can deny the CONNECT request later, unlike the
previous example, where the CONNECT was allowed and further checks are done.

However, what Amos proposed and what is in the default config is:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

which denies all access to unsafe ports, and denies CONNECT to non-SSL
ports, but does not allow access anywhere, so access must be allowed further
down.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges. 
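The ordering point made in the thread above can be checked by modelling Squid's documented http_access evaluation (top to bottom, a line matches when all its ACLs match, "!" negates an ACL, first match decides, and when nothing matches the result is the opposite of the last line). The following is an added example and is not code from Squid or from anyone in the thread; the request model, the `localnet`, `blocked_sites` and `all` ACLs, the sample hosts and the port sets (a subset of the stock Safe_ports/SSL_ports) are assumptions made for the illustration. It runs the three rule shapes discussed (the poster's allow-first pair, the single negated deny, and the stock deny-only pair) against the same CONNECT requests and reports which line decided.

```python
"""
Minimal model of Squid's http_access evaluation.  Added example, not code
from Squid or from the mailing-list thread; it exists only to show why the
ORDER and polarity of the CONNECT rules discussed above matter.

Assumptions (not from the original post):
  - a request is (source IP, method, destination host, destination port)
  - the ACLs `localnet`, `blocked_sites` and `all` and the hosts are
    hypothetical stand-ins for whatever a real squid.conf would define
Modelled Squid semantics (documented behaviour):
  - http_access lines are evaluated top to bottom
  - a line matches when every ACL on it matches; "!acl" negates an ACL
  - the first matching line decides allow/deny
  - if no line matches, the decision is the opposite of the last line
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    src: str
    method: str
    host: str
    port: int


# Constructed ACL table.  Port sets are a subset of Squid's stock defaults.
ACLS: Dict[str, Callable[[Request], bool]] = {
    "CONNECT": lambda r: r.method == "CONNECT",
    "Safe_ports": lambda r: r.port in {80, 21, 443, 70, 210, 280, 488, 591, 777}
    or 1025 <= r.port <= 65535,
    "SSL_ports": lambda r: r.port == 443,
    "localnet": lambda r: r.src.startswith("10."),          # hypothetical LAN
    "blocked_sites": lambda r: r.host.endswith("blocked.example"),  # hypothetical
    "all": lambda r: True,
}


def parse_rules(conf: str) -> List[Tuple[str, List[str]]]:
    """Parse 'http_access allow|deny acl [acl ...]' lines; '#' comments ignored."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "http_access" or len(parts) < 3 or parts[1] not in ("allow", "deny"):
            raise ValueError(f"unsupported line: {raw!r}")
        rules.append((parts[1], parts[2:]))
    return rules


def acl_matches(name: str, req: Request) -> bool:
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate


def http_access(conf: str, req: Request) -> Tuple[str, int]:
    """Return (decision, 1-based line that decided; 0 means the implicit default)."""
    rules = parse_rules(conf)
    for i, (action, acls) in enumerate(rules, 1):
        if all(acl_matches(a, req) for a in acls):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), 0


# The poster's shape: line 1 allows CONNECT to every safe port outright,
# so a later, more specific deny for CONNECT can never be reached.
POSTER_CONF = """
http_access allow CONNECT Safe_ports
http_access deny CONNECT
http_access deny CONNECT blocked_sites   # unreachable for CONNECT
http_access allow localnet
http_access deny all
"""

# Same intent as a single deny: nothing is allowed yet, so later denies still apply.
NEGATED_CONF = """
http_access deny CONNECT !Safe_ports
http_access deny CONNECT blocked_sites
http_access allow localnet
http_access deny all
"""

# The stock squid.conf shape Amos referred to, plus the same site block.
DEFAULT_CONF = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny CONNECT blocked_sites
http_access allow localnet
http_access deny all
"""


def compare(req: Request) -> Dict[str, Tuple[str, int]]:
    """Evaluate one request against all three configurations."""
    return {name: http_access(conf, req) for name, conf in
            (("poster", POSTER_CONF), ("negated", NEGATED_CONF), ("default", DEFAULT_CONF))}


if __name__ == "__main__":
    for req in (Request("10.0.0.5", "CONNECT", "www.blocked.example", 443),
                Request("10.0.0.5", "CONNECT", "api.example.net", 8080)):
        print(f"{req.method} {req.host}:{req.port}")
        for name, (decision, line) in compare(req).items():
            print(f"  {name:8s}: {decision:5s} (decided by line {line})")
```

Running it shows the two effects the thread describes: for a CONNECT to a blocked host on 443 the poster's config answers "allow" from line 1 and never consults the site block, while both deny-first shapes reject it; and for a CONNECT to port 8080 only the stock shape denies, because 8080 is in Safe_ports but not in SSL_ports.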