SSL on different ports

SSL on different ports

Ronan Lucio
Hi,

By default, Squid accepts SSL connections only to port 443.
Are there any security concerns when we need to accept HTTPS connections
on other ports?

Thank you,
Ronan
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: SSL on different ports

Amos Jeffries
Administrator
On 7/10/20 2:16 pm, Ronan Lucio wrote:
> Hi,
>
> By default, Squid accepts SSL connections only to port 443.

You are referring to the SSL_ports ACL?

That does not mean accepting SSL connections, only that the port is
known to be used primarily for SSL, so that opening opaque CONNECT
tunnels there has a lower security risk.


> Are there any security concerns when we need to accept HTTPS connections
> on other ports?
>

Anything at all can go through a CONNECT tunnel and all your egress
firewall and other security will be able to tell is that the traffic
came from Squid.

If you are certain the traffic is actually HTTPS and not something else
it should be okay. But do check for that first.

Amos
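
One way to carry out the check suggested above, as an added example that is not part of the original thread or of Squid: a Python classifier that inspects the first bytes a client sends through a CONNECT tunnel and reports whether they form a TLS ClientHello. The sample byte strings and host names are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # TLS handshake message type: ClientHello
MAX_RECORD_LEN = 2**14 # upper bound on a TLSPlaintext record length

def classify_tunnel_start(data: bytes) -> str:
    """Classify the first client bytes seen inside a CONNECT tunnel.

    Returns "tls-client-hello", "not-tls", or "incomplete" when fewer
    than 6 bytes (record header plus handshake type) are available.
    """
    if len(data) < 6:
        return "incomplete"
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != TLS_HANDSHAKE:
        return "not-tls"
    # Record-layer versions run from 3.0 (SSL 3.0) to 3.4.
    if major != 3 or minor > 4:
        return "not-tls"
    # The record must at least hold a 4-byte handshake header.
    if rec_len < 4 or rec_len > MAX_RECORD_LEN:
        return "not-tls"
    if data[5] != CLIENT_HELLO:
        return "not-tls"
    return "tls-client-hello"

def non_tls_tunnels(samples: dict) -> list:
    """Return the tunnel destinations whose first bytes are not TLS."""
    return sorted(dest for dest, first_bytes in samples.items()
                  if classify_tunnel_start(first_bytes) == "not-tls")

# Constructed first-bytes captures, keyed by CONNECT destination.
SAMPLES = {
    # Record header 16 03 01 00c8, then ClientHello (type 01, length 0000c4).
    "app.example.com:8443": bytes.fromhex("16030100c8010000c40303") + bytes(16),
    # An SSH client banner sent through a tunnel to a non-443 port.
    "host.example.net:8443": b"SSH-2.0-OpenSSH_8.2\r\n",
    # Plain HTTP sent through the tunnel.
    "web.example.org:8080": b"GET / HTTP/1.1\r\nHost: web.example.org\r\n\r\n",
    # Too few bytes captured to decide.
    "slow.example.com:8443": b"\x16\x03",
}

if __name__ == "__main__":
    for dest, first_bytes in SAMPLES.items():
        print(dest, classify_tunnel_start(first_bytes))
```

A "tls-client-hello" result shows only that the tunnel opens with a TLS handshake; it says nothing about what is carried inside the encrypted session.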
Re: SSL on different ports

Ronan Lucio
Hi Amos,

> You are referring to the SSL_ports ACL?

Yes.
Got your point.

Thanks for the clarification
Ronan


On Wed, Oct 7, 2020 at 4:55 PM Amos Jeffries <[hidden email]> wrote:

>
> On 7/10/20 2:16 pm, Ronan Lucio wrote:
> > Hi,
> >
> > By default, Squid accepts SSL connections only to port 443.
>
> You are referring to the SSL_ports ACL?
>
> That does not mean accepting SSL connections, only that the port is
> known to be used primarily for SSL, so that opening opaque CONNECT
> tunnels there has a lower security risk.
>
>
> > Are there any security concerns when we need to accept HTTPS connections
> > on other ports?
> >
>
> Anything at all can go through a CONNECT tunnel and all your egress
> firewall and other security will be able to tell is that the traffic
> came from Squid.
>
> If you are certain the traffic is actually HTTPS and not something else
> it should be okay. But do check for that first.
>
> Amos