[squid-users] Newbie question, How to fully disable/disallow https?
Alex Rousskov
rousskov at measurement-factory.com
Wed Jun 23 15:26:50 UTC 2021
On 6/22/21 5:33 PM, Arctic5824 wrote:
> I am now using: https://paste.gg/p/anonymous/e7d5080091bc400e8a75e8285b3dea77
> instead of "http_access allow all" i replaced that line with "http_access allow all !CONNECT"
>
> and it seems to be working, atleast in my browser, yet i still see some users using https,
> 359 5.253.19.75 TCP_MISS/502 4957 GET https://search.yahoo.com/search? - HIER_DIRECT/212.82.100.137 text/html
> Im not sure how they are doing this, I'd like to prevent this
It looks like they are sending plain text "GET https://..." requests to
your Squid. Popular browsers would not do that, but many other clients
can. As I mentioned earlier, you also need to deny such requests. I am
not sure what the best way to do that is, but you can try something like
this:
acl usesHttpsScheme url_regex -i ^https:
...
http_access deny CONNECT
http_access deny usesHttpsScheme
...
Or you can be even more strict and only allow http: scheme:
acl usesHttpScheme url_regex -i ^http:
...
http_access deny CONNECT
http_access deny !usesHttpScheme
...
None of the above configuration snippets were tested by me. Be careful
with the order of your http_access rules.
HTH,
Alex.
More information about the squid-users
mailing list