[squid-users] Help with UA filtering in https connections

Alex Rousskov rousskov at measurement-factory.com
Wed Jan 3 15:55:40 UTC 2018


On 01/03/2018 05:52 AM, Matus UHLAR - fantomas wrote:
> On 02.01.18 09:06, Alex Rousskov wrote:
>> On 01/02/2018 07:08 AM, Matus UHLAR - fantomas wrote:
>>> On 02.01.18 06:04, squidnoob wrote:
>>>> http_access allow CONNECT safe_ports
>>>> http_access deny CONNECT

>>> the two lines above unconditionally allow CONNECT anywhere,

>> This is incorrect. The lines deny CONNECT to unsafe ports.

> Those lines unconditionally allow CONNECT requests to safe ports ANYWHERE,

Yes, or, to be more precise, they (together with ssl_bump rules) allow
fetching of any server certificate from a reasonable(*) port. They do
not allow HTTP requests to arbitrary safe ports. Only Squid-generated
TLS handshakes.


> which is apparently not what was wanted/expected.

Why not?


> that in this case you can[not] deny the connect request later,

Denying CONNECTs at step1 does not really work well in a general case
because, during SslBump step1, Squid does not have enough information to
generate the right certificate for the access denial error page.

In a general case, the admin has to pick between two evils:

* Allow TLS handshakes with arbitrary servers on TLS ports (my sketch)

* or tell Squid to respond with error pages that the user cannot see
  (without bypassing browser security warnings).

Which evil is lesser is up to the admin to decide. Needless to say,
there are environments where both strategies should be used, depending
on the transaction parameters.


(*) We should allow CONNECTs to SSL_ports, not Safe_ports. I hope my
sketch did not use those ACLs.

Alex.
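A squid.conf sketch of the distinction discussed above, added here as an illustration; it is not taken from the thread or from squidnoob's configuration. The ACL names follow Squid's default squid.conf, the `localnet` range and the `badUA` regex are placeholders:

```conf
# ACLs as in Squid's default squid.conf
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
acl step1 at_step SslBump1
acl localnet src 10.0.0.0/8          # placeholder client range

# Placeholder User-Agent pattern to filter (regex on the UA header)
acl badUA browser ^ExampleBlockedAgent

# Too broad: permits CONNECT tunnels (and the certificate peek) to
# every Safe_port, not just TLS ports.
# http_access allow CONNECT Safe_ports

# Narrower: CONNECT only to TLS ports; anything else is refused before
# a TLS handshake is attempted, so a normal error page can be served.
http_access deny CONNECT !SSL_ports

# Do not try to filter on UA here. At SslBump step1 Squid has not yet
# seen the server certificate, so it cannot generate a certificate the
# browser would accept for an access-denied error page.
http_access allow CONNECT SSL_ports

# Peek at the TLS handshake first, then bump so that the HTTP requests
# carried inside the tunnel become visible to http_access.
ssl_bump peek step1
ssl_bump bump all

# These rules see the decrypted requests (method GET/POST, not CONNECT),
# where the User-Agent header is actually available.
http_access deny badUA
http_access allow localnet
http_access deny all
```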