[squid-users] Help regarding access controls for TLS connections

Erik Schulz erikschulz184 at gmail.com
Fri Oct 25 22:18:25 UTC 2024


Hello!

I would like to use squid as an egress proxy, to prevent unauthorized egress.

Let's say that the only allowed egress is 'example.com'.
I can define an acl along the lines of:
```
acl allowed_domains ssl::server_name .example.com
http_access allow allowed_domains
```

But can someone help me understand what actually happens?
I want to avoid any DNS egress attack.
The client does not have DNS access.
Am I correct that the client can use HTTPS_PROXY without DNS, such
that the proxy will perform the DNS lookup?

Can you help me understand how the acl checks the server_name?
In order to connect to the server, it must perform a DNS lookup, which
causes a leak.
So the ACL must validate the server_name without a DNS lookup, and
since the server IP is therefore unknown, without connecting to the
server or verifying against its certificate.
I'm assuming the hostname is known in the CONNECT phase of the request?
Is it possible to check against the connect hostname only?

The docs say that
> "The ACL computes server name(s) using such information sources as CONNECT request URI, TLS client SNI, and TLS server certificate subject (CN and SubjectAltName). The computed server name(s) usually change with each SslBump step"

I find this concerning, because I assume the client could perform a
request with an IP, and a forged SNI name that passes the acl.
So I would like to only allow requests that declare an FQDN hostname, and
reject IP hostnames.

And, only perform validation against the CONNECT request URI.

Is that possible?

Thanks for any clarification!
/Erik
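One way to express the policy asked about above (CONNECT host only, no IP literals, no DNS lookups from the ACLs) as an added squid.conf example that is not part of the original message or of Squid's own documentation. It assumes Squid 3.2 or later (the `-n` flag on `dstdomain`/`dstdom_regex`) and that the proxy does not enable ssl_bump, so the TLS SNI is never consulted; the IP-literal regexes are a constructed approximation, not an exhaustive address grammar.

```squid
# Egress proxy policy: allow CONNECT to *.example.com only, judged by the
# host in the CONNECT request URI, with no ACL performing a DNS lookup.

acl SSL_ports port 443
acl CONNECT method CONNECT

# Host in the CONNECT URI written as an IP literal (IPv4, or IPv6 with or
# without brackets; both spellings covered as an assumption about how Squid
# stores the URI host). -n: never reverse-resolve the address.
acl ip_literal_dst dstdom_regex -n -i ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
acl ip_literal_dst dstdom_regex -n -i ^\[?[0-9a-f:]*:[0-9a-f:.]*\]?$

# Allowed egress, matched against the CONNECT URI host only.
# -n: no forward or reverse DNS lookup while evaluating the ACL.
acl allowed_domains dstdomain -n .example.com

# Order matters: refuse IP literals before any rule that could be
# tempted to resolve them.
http_access deny !CONNECT
http_access deny CONNECT !SSL_ports
http_access deny ip_literal_dst
http_access allow CONNECT allowed_domains
http_access deny all

# Without ssl_bump, Squid never reads the TLS SNI: the client's CONNECT host
# is the only name checked, and Squid resolves it only when it forwards an
# already-allowed request. If ssl_bump peek is enabled later, re-check the
# name at SslBump1 with an ssl::server_name ACL before splicing.
```

Denied requests never reach the forwarding step, so the proxy resolves nothing on the client's behalf unless the CONNECT host already matched `allowed_domains`.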

