List:       squid-users
Subject:    Re: [squid-users] Reverse proxy with HTTPS
From:       Amos Jeffries <squid3 () treenet ! co ! nz>
Date:       2011-06-24 13:42:24
Message-ID: 4E049440.3090601 () treenet ! co ! nz

On 14/06/11 03:14, Alejandro Cabrera Obed wrote:
> Dear, I have a Debian + Squid proxy reverse machine working very well
> for HTTP internal sites.
>
> But now I have to set up a reverse resolution for an HTTPS external site
> on a non-default port:
>
> https://www.company.com:7000
>
>
> Nowadays the Debian+Squid box has http and https proxy setup to get
> Internet sites:
>
> export http_proxy=http://10.1.1.1:3128
> export https_proxy=http://10.1.1.1:3128
>
> (10.1.1.1 is our company proxy)
>
>
> So how can I implement an HTTPS reverse site with Squid in my scenario ???

Assuming you still have the basic security in place, your proxy will be
locked down as to which ports it can blindly relay HTTPS to.

Normally you would just add this:
   acl SSL_ports port 7000

BUT... port 7000 is one of the common ports used by IRC (think botnet 
master C&C servers).
So I will advise a bit more strictness. Like so:

  ...
  acl SSL_ports port 443 7000
  # the next line is already in squid.conf
  http_access deny CONNECT !SSL_ports

  acl ABC dstdomain .example.com
  acl port7000 port 7000
  http_access deny CONNECT port7000 !ABC
  ...


Amos
-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.9 and 3.1.12.3
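
An added example, not part of the original message and not Squid's own code: a simplified Python model of how the http_access rules in the reply are evaluated, showing which CONNECT requests get through. It assumes first-match rule order, AND across the ACLs on one line, and a constructed final `allow all` standing in for the rest of the access policy; `decide` and the sample requests are hypothetical.

```python
# Simplified model of Squid http_access evaluation (not Squid code).
# Assumptions: first matching rule wins; all ACLs on a line must match;
# "!" negates; a leading "." in dstdomain covers the domain and subdomains.

def dstdomain_match(host, pattern):
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

ACLS = {
    "CONNECT":   lambda r: r["method"] == "CONNECT",
    "SSL_ports": lambda r: r["port"] in (443, 7000),
    "port7000":  lambda r: r["port"] == 7000,
    "ABC":       lambda r: dstdomain_match(r["host"], ".example.com"),
    "all":       lambda r: True,
}

# Rule order from the reply; the final "allow all" is a constructed stand-in
# for whatever client-access rules the rest of squid.conf applies.
RULES = [
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["CONNECT", "port7000", "!ABC"]),
    ("allow", ["all"]),
]

def acl_matches(term, req):
    result = ACLS[term.lstrip("!")](req)
    return not result if term.startswith("!") else result

def decide(method, host, port):
    req = {"method": method, "host": host, "port": port}
    for action, terms in RULES:
        if all(acl_matches(t, req) for t in terms):
            return action
    return "deny"  # not reached here: the last rule matches everything

# Constructed sample requests.
SAMPLES = [
    ("CONNECT", "www.example.com", 7000),   # the intended HTTPS site
    ("CONNECT", "irc.example.net", 7000),   # any other host on port 7000
    ("CONNECT", "www.example.net", 443),    # ordinary HTTPS
    ("CONNECT", "www.example.com", 6667),   # port not in SSL_ports
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", decide(*sample))
```

Only the first and third samples are allowed: port 7000 is relayed solely for `.example.com`, and a host such as `evilexample.com` does not match the leading-dot pattern.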