Blocking CONNECT


Blocking CONNECT

johnr
Hi,

Squid conf:
acl CONNECT method CONNECT
acl to_bad_ip dst 55.55.2.3
http_access deny CONNECT to_bad_ip

In the above squid config, if I were to try to go to https://55.55.2.3:443 I
would get an ACCESS DENIED but squid would not block the CONNECT (it would
respond to 200) and then block the subsequent HTTP request. Is it possible
to tell squid to block the CONNECT? I do server-first SSL bump so if I don't
block the CONNECT squid will reach out to the upstream server which I don't
want it to do. I know this would make it impossible to serve the block page
and have the browser show an error but I don't mind about that.  



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Blocking CONNECT

Alex Rousskov
On 7/31/19 10:44 PM, johnr wrote:

> acl CONNECT method CONNECT
> acl to_bad_ip dst 55.55.2.3
> http_access deny CONNECT to_bad_ip

> In the above squid config, if I were to try to go to https://55.55.2.3:443 I
> would get an ACCESS DENIED but squid would not block the CONNECT (it would
> respond to 200) and then block the subsequent HTTP request.

Yes, that is (currently) intentional.


> Is it possible to tell squid to block the CONNECT?

Not for connections that are subject to SslBump processing AFAIK. There
is a known need for a feature that would make such
bumping-to-deliver-CONNECT-error optional, but that feature has not been
sponsored or donated yet (and its design may require a preliminary
discussion on squid-dev). If I am not missing any workarounds, then your
options are outlined at

https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


> I do server-first SSL bump so if I don't block the CONNECT squid will
> reach out to the upstream server which I don't want it to do.

Yes, that is one of the reasons why folks want to make
bumping-to-deliver-CONNECT-error optional.


> I know this would make it impossible to serve the block page
> and have the browser show an error but I don't mind about that.  

Yes, thank you for disclosing that understanding.

Alex.
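Added example, not from either poster: a Python check over constructed access.log lines in Squid's native log format that flags the behaviour discussed in this thread, a CONNECT that was tunnelled HIER_DIRECT to the destination and only denied on the request inside the tunnel, so the proxy had already contacted the server the policy meant to block. The log lines, the field layout assumed (Squid native format) and the function names are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Squid native access.log layout assumed here:
# time elapsed client action/status size method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines (not real traffic): a CONNECT to 55.55.2.3 that was
# tunnelled upstream and then denied, a normal bumped session, and a CONNECT
# that was denied outright without any upstream contact.
SAMPLE_LOG = """\
1564627440.123     45 10.0.0.5 TCP_TUNNEL/200 0 CONNECT 55.55.2.3:443 - HIER_DIRECT/55.55.2.3 -
1564627440.210      2 10.0.0.5 TCP_DENIED/403 3900 GET https://55.55.2.3/ - HIER_NONE/- text/html
1564627441.000     40 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/198.51.100.10 -
1564627441.050     30 10.0.0.5 TCP_MISS/200 2048 GET https://example.com/ - HIER_DIRECT/198.51.100.10 text/html
1564627442.000      1 10.0.0.7 TCP_DENIED/403 3900 CONNECT 55.55.2.3:443 - HIER_NONE/- text/html
""".splitlines()

def parse(line):
    """Return the fields of one native-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def host_of(method, url):
    """CONNECT logs 'host:port'; bumped requests log a full https:// URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname

def find_upstream_leaks(lines):
    """Return (client, host) pairs where a CONNECT was served with HIER_DIRECT
    (Squid opened a server connection) and a later request in that tunnel was
    TCP_DENIED: the deny rule fired only after the upstream server was reached."""
    tunnels = {}  # (client, host) -> True if the CONNECT went upstream
    leaks = []
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        key = (rec["client"], host_of(rec["method"], rec["url"]))
        if rec["method"] == "CONNECT":
            tunnels[key] = rec["hier"] == "HIER_DIRECT" and rec["status"] == "200"
        elif rec["action"] == "TCP_DENIED" and tunnels.get(key):
            leaks.append(key)
            tunnels[key] = False  # report each tunnel once
    return leaks
```

Running find_upstream_leaks over SAMPLE_LOG reports only the 10.0.0.5 session to 55.55.2.3; the outright-denied CONNECT from 10.0.0.7 logged HIER_NONE and is not flagged.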