List: squid-users
Subject: Re: [squid-users] Blocking CONNECT
From: Alex Rousskov <rousskov () measurement-factory ! com>
Date: 2019-08-01 3:08:19
Message-ID: ab1692d5-adc6-1b3e-548c-80f99b2d9b51 () measurement-factory ! com
On 7/31/19 10:44 PM, johnr wrote:
> acl CONNECT method CONNECT
> acl to_bad_ip dst 55.55.2.3
> http_access deny CONNECT to_bad_ip
> In the above squid config, if I were to try to go to https://55.55.2.3:443 I
> would get an ACCESS DENIED but squid would not block the CONNECT (it would
> respond with 200) and then block the subsequent HTTP request.
Yes, that is (currently) intentional.
> Is it possible to tell squid to block the CONNECT?
Not for connections that are subject to SslBump processing AFAIK. There
is a known need for a feature that would make such
bumping-to-deliver-CONNECT-error optional, but that feature has not been
sponsored or donated yet (and its design may require a preliminary
discussion on squid-dev). If I am not missing any workarounds, then your
options are outlined at
https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F
> I do server-first SSL bump so if I don't block the CONNECT squid will
> reach out to the upstream server which I don't want it to do.
Yes, that is one of the reasons why folks want to make
bumping-to-deliver-CONNECT-error optional.
> I know this would make it impossible to serve the block page
> and have the browser show an error but I don't mind about that.
Yes, thank you for disclosing that understanding.
Alex.
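As an added example (not from this thread or the Squid project), the check below correlates access.log lines to show the behaviour Alex describes: the CONNECT to the blocked destination is answered 200 and only the bumped request is denied. It assumes Squid's native log format (time, elapsed, client, action/status, bytes, method, URL, ident, hierarchy/peer, type) and that a HIER_DIRECT hierarchy on the CONNECT line means the origin was contacted; the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format (assumed:
# time elapsed client action/status bytes method url ident hierarchy/peer type),
# reproducing the behaviour described in the thread: the CONNECT to the blocked
# IP gets a 200 and, under server-first bumping, a direct upstream connection;
# only the bumped GET is denied.
SAMPLE_LOG = """\
1564621459.123 45 10.0.0.5 TCP_TUNNEL/200 0 CONNECT 55.55.2.3:443 - HIER_DIRECT/55.55.2.3 -
1564621459.200 3 10.0.0.5 TCP_DENIED/403 3900 GET https://55.55.2.3/ - HIER_NONE/- text/html
1564621470.010 60 10.0.0.7 TCP_TUNNEL/200 0 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
1564621470.100 12 10.0.0.7 TCP_MISS/200 5120 GET https://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

def parse_line(line):
    """Split one native-format log line into the fields used below."""
    f = line.split()
    if len(f) < 10:
        return None
    action, status = f[3].split("/", 1)
    return {"client": f[2], "action": action, "status": int(status),
            "method": f[5], "url": f[6], "hierarchy": f[8].split("/", 1)[0]}

def host_of(url):
    """CONNECT targets are host:port; bumped requests carry a full URL."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].rsplit(":", 1)[0]

def denied_after_connect(log_text):
    """Return (client, host, upstream_contacted) for every CONNECT that Squid
    answered 200 but whose later bumped request to the same host was denied.
    upstream_contacted is True when the CONNECT line records HIER_DIRECT,
    i.e. Squid opened a connection to the origin before denying (assumption)."""
    tunnels = defaultdict(dict)  # client -> {host: upstream_contacted}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        if rec["method"] == "CONNECT" and rec["status"] == 200:
            tunnels[rec["client"]][host] = rec["hierarchy"] == "HIER_DIRECT"
        elif rec["action"] == "TCP_DENIED" and host in tunnels[rec["client"]]:
            findings.append((rec["client"], host, tunnels[rec["client"]].pop(host)))
    return findings
```

Run `denied_after_connect(open("/var/log/squid/access.log").read())` against a real log to list the clients for which the deny rule fired only after the tunnel was already established.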