[squid-users] https debug
Amos Jeffries
squid3 at treenet.co.nz
Wed Jan 2 10:01:24 UTC 2019
On 2/01/19 10:30 pm, Sampei wrote:
> About way to use https protocol I think I use connect tunnel, here
When a CONNECT tunnel is being used and not SSL-Bump'ed then all TLS
related issues are problems with one of the endpoint software. Not
related to the proxy at all. Squid is just blindly relaying the TLS
bytes as-is between the endpoints.
That said, some specific configs may encounter issues due to explicitly
telling Squid to do certain things which cannot be done to CONNECT
tunnels (eg. URL-rewrite, ACL checks of path strings), or to deny the
CONNECT which obviously would make the TLS not "work" at all.
I suspect that in your case some other port is involved which you do not
know about and are thus not letting through Squid. The access.log should
show what Squid is dealing with there.
> parttial of my squid.conf
>
>
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> ...
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> ...
> http_access deny CONNECT !SSL_ports
Okay, but should be following the Safe_ports check. The default config
orders these checks by how common it is to encounter the attack types
they exist to prevent.
> http_access deny CONNECT !Safe_ports
The default config uses this instead:
http_access deny !Safe_ports
The purpose of this Safe_ports ACL is to prevent the proxy handling
*any* traffic for protocols whose traffic syntax directly conflicts with
HTTP traffic syntax.
By limiting this check to only CONNECT messages, you are opening your
proxy to most of the attacks the Safe_port ACL was designed to prevent.
> acl test dstdomain example.com
> http_access allow test
> http_access allow CONNECT test
This latter is pointless. "test" was already allowed, so this line is
never reached by any traffic which it can match.
> I think to upgrade 4.x Squid but I'm looking for valid repository for
> Centos 7 which contains this pkg.
The official repositories for CentOS are detailed at
<https://wiki.squid-cache.org/KnowledgeBase/CentOS>
(I see that page needs an update Eliezer now has 4.4 in his main CentOS
repository <http://www1.ngtech.co.il/repo/centos/7/x86_64/>)
Amos
More information about the squid-users
mailing list