[squid-users] Help with UA filtering in https connections

Alex Rousskov rousskov at measurement-factory.com
Wed Jan 3 18:31:39 UTC 2018


On 01/03/2018 10:38 AM, Matus UHLAR - fantomas wrote:

>> In a general case, the admin has to pick between two evils:
>>
>> * Allow TLS handshakes with arbitrary servers on TLS ports (my sketch)
>>
>> * or tell Squid to respond with error pages that the user cannot see
>>  (without bypassing browser security warnings).
>>
>> Which evil is lesser is up to the admin to decide.


>> (*) We should allow CONNECTs to SSL_ports, not Safe_ports. I hope my
>> sketch did not use those ACLs.

> I'm afraid you did.

I did not:
http://lists.squid-cache.org/pipermail/squid-users/2017-December/017268.html

I used toSafePorts which is not one of the default ACLs (but may contain
them). The admin should define the ACLs left out of the sketch
correctly, of course. Moreover, I would rename toSafePorts to
toConnectableDestinations or similar to emphasize that this is the right
place to ban CONNECTs to wrong/dangerous/etc. addresses.


> I'm also afraid that your proposal also prevents us from disabling
> CONNECTs later

If you are saying that my simple sketch does not address all possible
use cases, then I certainly agree! I believe it addressed what OP
requested, but if I misinterpreted his or her desires, I apologize. I
hope the general description quoted at the start of this email combined
with Amos's and your warnings about undesirable CONNECT destinations will
allow them to fix their configuration as needed.

Alex.
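For readers following the ACL discussion above, here is an added squid.conf fragment (written for this page, not taken from the thread, the earlier sketch, or the Squid project) that shows the distinction being made: CONNECT is gated on SSL_ports rather than Safe_ports, and a separate admin-defined ACL, using the toConnectableDestinations name Alex suggests, is where banned CONNECT destinations go. The SSL_ports, Safe_ports and CONNECT definitions are the stock squid.conf defaults; toConnectableDestinations, the .example.com/.example.net domains and the blocked-destinations.txt path are assumptions for illustration.

```conf
# --- Squid default ACLs (as shipped in squid.conf.default) ---
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# --- Admin-defined ACLs (hypothetical; the admin fills these in) ---
# Destinations a CONNECT tunnel may be opened to. Anything not
# matched here is refused below, so this is the place to keep
# wrong/dangerous addresses out of the tunnel path.
acl toConnectableDestinations dstdomain .example.com .example.net
# Alternatively, keep an explicit blocklist in a file:
#acl blockedDestinations dstdomain "/etc/squid/blocked-destinations.txt"

# --- Access rules; first match wins ---
# Non-CONNECT traffic is limited to Safe_ports (default rule).
http_access deny !Safe_ports
# CONNECT is limited to TLS ports, NOT to Safe_ports: the Safe_ports
# list includes 1025-65535 and would let a tunnel reach almost anything.
http_access deny CONNECT !SSL_ports
# Ban CONNECT to everything outside the connectable set.
http_access deny CONNECT !toConnectableDestinations
# Remaining CONNECTs are to SSL_ports and to an allowed destination.
http_access allow CONNECT
http_access deny all
```

Because http_access is evaluated top to bottom, the two CONNECT deny lines must precede any allow that could match a CONNECT; placing them before `http_access allow CONNECT` is what makes the destination restriction effective. An admin who instead chooses the first of the "two evils" quoted at the top of this message (allowing handshakes with arbitrary servers on TLS ports) would simply drop the `!toConnectableDestinations` rule and rely on the SSL_ports check alone.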

