[squid-users] TCP_MISS/502 - audio stream - none default http ports

Amos Jeffries squid3 at treenet.co.nz
Wed Sep 19 02:38:03 UTC 2018


On 19/09/18 1:31 AM, Dörfler, Andreas wrote:
> Hey Louis,
> 
> Thanks for your help and time!
> 
> Found the problem. Since there are firewalls in between, I forgot to check
> a specific point, and well, it was one of the firewalls; no wonder it
> was driving me nuts. 
> One of those double facepalm moments once I realized it.
> 
>> And thank you for the music link, something different than the radio here. ;-) 
> 
> No problem, it was the first random Google search result ;-)
> 
>> : acl SSL_ports port 443
>> ## PS: in your config you missed adding the extra SSL_Ports to Safe_ports as well. 
> 
> Na, actually there are 3 ports configured :D
> 
> 
>> ## And here you missed the "allow localnet" 
> 
> "http_access allow all" makes localnet obsolete; access restrictions are
> handled by a firewall.
> 
> 

This statement is false, and very bad security practice. Squid handles
HTTP-level access controls. Firewalls handle network-layer access
control. Either way, multiple layers of security that work together are
better than one, in case that one is compromised.

 ... and by using "allow all" you have explicitly compromised the Squid
layer.


* HTTP is a multiplexing pipelined protocol. One TCP connection can
contain traffic from multiple clients mixed up in arbitrary ways the
firewall will never see.

* As far as the firewall can be aware, all traffic leaving Squid is from
*Squid's* IP:ports, not from the clients.


==> So those details mean any low-privilege client who is trusted just
enough to use the proxy gets automatically and *silently* privilege
escalated at the firewall to maximum privilege level *any* proxy user is
allowed by that firewall. This leaves your network wide open to insider
attacks, client hijacking and viral compromised clients.


You cannot trust firewall alone unless you have a *full* HTTP proxy
built into your firewall to handle the HTTP level control. In which case
your squid.conf is missing settings integrating the two proxies.


Like the other default rules, this "deny all" serves multiple purposes:
along with the obvious access control to the network, it is about denying
"legitimate" clients trying to make Squid do extremely resource
consuming things which are not permitted by your policy, such as flooding
the internal network with Tbps of traffic, or port-scanning services they
are not normally allowed access to by the firewall.

Amos
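
The two squid.conf shapes discussed in this thread, side by side, as an
added example that is not part of any message above or of Squid's own
distributed configuration. The directive names and the rule order are
Squid's standard ones; the client subnets and the non-default ports
(8000, 8443, 9443) are assumed placeholders standing in for the poster's
unknown values, not figures taken from the thread.

```conf
# Added example: "allow all" versus layered http_access rules.
# http_access lines are evaluated top to bottom; the first matching
# line decides and nothing below it is consulted.

## --- Weak: what the quoted configuration effectively does ---
# Every client that can reach the proxy gets every destination and
# every port. The firewall behind Squid sees only Squid's own IP as
# the source, so it cannot re-impose per-client policy afterwards.
#
#   http_access allow all

## --- Corrected: Squid's default layering, extended for extra ports ---
# Client ranges (assumed placeholders for the poster's LAN).
acl localnet src 192.168.10.0/24
acl localnet src 10.20.0.0/16

# Ports that CONNECT (TLS tunnelling) may target.
acl SSL_ports port 443
acl SSL_ports port 8443          # assumed non-default TLS port
acl SSL_ports port 9443          # assumed non-default TLS port

# Ports that any request may target. A deliberately tight list, so
# every extra port has to be listed here explicitly; the default
# "1025-65535" catch-all is left out on purpose.
acl Safe_ports port 80           # http
acl Safe_ports port 443          # https
acl Safe_ports port 8000         # assumed plain-HTTP audio stream port
acl Safe_ports port 8443         # must appear here as well as in SSL_ports
acl Safe_ports port 9443         # must appear here as well as in SSL_ports

acl CONNECT method CONNECT
# "localhost" and "manager" are built-in ACLs in Squid 3.2 and later;
# older releases need "acl localhost src 127.0.0.1/32" and
# "acl manager url_regex -i ^cache_object://" defined explicitly.

# 1. Block anything on a port that is not on the Safe_ports list,
#    regardless of who asks. This runs before the CONNECT check, so a
#    port missing from Safe_ports can never be tunnelled either.
http_access deny !Safe_ports

# 2. Only allow CONNECT tunnels to the TLS ports above.
http_access deny CONNECT !SSL_ports

# 3. Cache manager interface: localhost only.
http_access allow localhost manager
http_access deny manager

# 4. The clients you actually trust.
http_access allow localnet
http_access allow localhost

# 5. Everything that did not match above is refused. This is the line
#    that "allow all" replaced, and it is what keeps an unknown client
#    from inheriting the firewall privileges granted to the proxy.
http_access deny all
```

After editing, "squid -k parse" checks the file for syntax errors
without touching the running process, and "squid -k reconfigure"
applies it. Because of the first-match rule, the two "deny !Safe_ports"
and "deny CONNECT !SSL_ports" lines have to stay above the "allow
localnet" line; putting an allow first would grant the trusted subnet
every port again.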

