[squid-users] Blocking CONNECT
Alex Rousskov
rousskov at measurement-factory.com
Thu Aug 1 03:08:19 UTC 2019
On 7/31/19 10:44 PM, johnr wrote:
> acl CONNECT method CONNECT
> acl to_bad_ip dst 55.55.2.3
> http_access deny CONNECT to_bad_ip
> In the above squid config, if I were to try to go to https://55.55.2.3:443 I
> would get an ACCESS DENIED, but squid would not block the CONNECT (it would
> respond with 200) and then block the subsequent HTTP request.
Yes, that is (currently) intentional.
> Is it possible to tell squid to block the CONNECT?
Not for connections that are subject to SslBump processing AFAIK. There
is a known need for a feature that would make such
bumping-to-deliver-CONNECT-error optional, but that feature has not been
sponsored or donated yet (and its design may require a preliminary
discussion on squid-dev). If I am not missing any workarounds, then your
options are outlined at
https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
> I do server-first SSL bump so if I don't block the CONNECT squid will
> reach out to the upstream server which I don't want it to do.
Yes, that is one of the reasons why folks want to make
bumping-to-deliver-CONNECT-error optional.
> I know this would make it impossible to serve the block page
> and have the browser show an error but I don't mind about that.
Yes, thank you for disclosing that understanding.
Alex.