[squid-users] TCP_Denied for when requesting IP as URL over SSL using squid proxy server.

From: kevin band <kdband_at_gmail.com>
Date: Mon, 7 Dec 2009 09:30:14 +0000

Hi,

I'm hoping somebody can help me here, because I'm at a loss about what
to do next.

Basically we have squid running as a proxy server to restrict access
to just those sites which we've included in our ACLs.
I have noticed recently that it isn't handling HTTPS requests properly
if the URL contains an IP address instead of a domain name.

The reason this is a particular problem is that although the users can
connect to the page using the domain name, something within that
domain is then forwarding requests to the same web-server using its IP
address.
I'm sure I have my ACLs set up correctly because squid will forward
the request using either URL if I send the requests using HTTP. It
then times out on the web server because it only allows HTTPS, but at
least the request is being forwarded to the web server rather than
being denied in squid.

Here's an extract from the logs that might explain it better :-

    158.41.4.44 - - [04/Dec/2009:15:56:47 +0000] "GET http://stpaccess.marksandspencer.com/ HTTP/1.1" 504 1024 TCP_MISS:NONE
    158.41.4.44 - - [04/Dec/2009:15:57:02 +0000] "CONNECT stpaccess.marksandspencer.com:443 HTTP/1.0" 200 7783 TCP_MISS:DIRECT
    158.41.4.44 - - [04/Dec/2009:16:01:53 +0000] "GET http://63.130.82.113/Citrix/MetaFrameXP/default/login.asp HTTP/1.1" 504 1064 TCP_MISS:NONE
    158.41.4.44 - - [04/Dec/2009:16:03:13 +0000] "CONNECT 63.130.82.113:443 HTTP/1.0" 403 980 TCP_DENIED:NONE

And config extracts:

    acl SSL_ports port 443 563 444
    acl Safe_ports port 80 8002 23142 5481 5181 5281 5381 5481 5581 5400 5500 # http
    acl Safe_ports port 23142 # OPEL project
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 444 563 # https, snews

    acl CONNECT method CONNECT

    acl regex_ms dstdom_regex -i "/home/security/regex_marksandspencer.txt"
    acl urlregex_mands url_regex -i "/home/security/regex_marksandspencer_ip.txt"
    acl mands_allowed_nets src "/home/security/mands_allowed_nets.txt"

    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    http_access allow regex_ms mands_allowed_nets
    http_access allow urlregex_mands mands_allowed_nets
    http_access deny all

There are actually a lot more ACLs than this, but these are the only
ones I think are relevant.

Relevant extracts from the files referenced by the ACLs:
  regex_marksandspencer.txt
      .*marksandspencer.*com

  regex_marksandspencer_ip.txt
      .*.63.130.82.113

Thanks for any help.

Kevin
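The following is an added example, not part of Kevin's post or of Squid itself. It replays the four access.log lines he quoted through a small model of the http_access rules and regex files shown above, so the denial on the last line can be reproduced offline. It assumes, as the log itself shows, that for a CONNECT request the URL Squid matches url_regex against is the bare host:port, while for a GET it is the absolute URL; it compares dstdom_regex against a literal IP as-is (Squid's optional reverse lookup is not modelled); and, since mands_allowed_nets.txt is not quoted, it treats the client's 158.41.0.0/16 as the allowed network. A second, anchored pattern (an assumption added for comparison, not from the post) is included to show the difference: the pattern as posted, `.*.63.130.82.113`, needs at least one character before `63`, which `http://` supplies in the GET but the `63.130.82.113:443` form of the CONNECT does not.

```python
import ipaddress
import re

# Constructed sample: the four access.log lines quoted in the post, joined
# back onto single lines (the mailing-list archive wrapped them).
ACCESS_LOG = """\
158.41.4.44 - - [04/Dec/2009:15:56:47 +0000] "GET http://stpaccess.marksandspencer.com/ HTTP/1.1" 504 1024 TCP_MISS:NONE
158.41.4.44 - - [04/Dec/2009:15:57:02 +0000] "CONNECT stpaccess.marksandspencer.com:443 HTTP/1.0" 200 7783 TCP_MISS:DIRECT
158.41.4.44 - - [04/Dec/2009:16:01:53 +0000] "GET http://63.130.82.113/Citrix/MetaFrameXP/default/login.asp HTTP/1.1" 504 1064 TCP_MISS:NONE
158.41.4.44 - - [04/Dec/2009:16:03:13 +0000] "CONNECT 63.130.82.113:443 HTTP/1.0" 403 980 TCP_DENIED:NONE
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+"'
)

# ACL definitions as quoted in the post (the regex files hold one pattern per line).
SSL_PORTS = {443, 563, 444}
SAFE_PORTS = {80, 8002, 23142, 5481, 5181, 5281, 5381, 5581, 5400, 5500,
              21, 443, 444, 563}
DSTDOM_REGEX = [re.compile(r".*marksandspencer.*com", re.I)]
URL_REGEX_AS_POSTED = [re.compile(r".*.63.130.82.113", re.I)]
# Assumption (not in the post): a pattern that escapes the dots and also
# accepts the bare host:port form, included only for comparison.
URL_REGEX_ANCHORED = [re.compile(r"^(?:https?://)?63\.130\.82\.113(?::\d+)?(?:/|$)", re.I)]
# Assumption: mands_allowed_nets.txt is not quoted; treat the client's /16 as allowed.
ALLOWED_NETS = [ipaddress.ip_network("158.41.0.0/16")]


def host_and_port(method, url):
    """Destination host and port as derived from the request URL.
    Assumption: for CONNECT the URL Squid matches against is 'host:port'
    (as access.log shows); for other methods it is an absolute URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    m = re.match(r"^(?P<scheme>[a-z]+)://(?P<host>[^/:]+)(?::(?P<port>\d+))?", url, re.I)
    default = {"http": 80, "https": 443, "ftp": 21}[m["scheme"].lower()]
    return m["host"], int(m["port"] or default)


def http_access(src, method, url, url_regex=URL_REGEX_AS_POSTED):
    """Walk the http_access lines quoted in the post top to bottom; the first
    matching line wins, as in Squid. Returns (verdict, rule). The 'manager'
    lines are left out because no cache_object:// request is in the sample."""
    host, port = host_and_port(method, url)
    if port not in SAFE_PORTS:
        return "deny", "!Safe_ports"
    if method == "CONNECT" and port not in SSL_PORTS:
        return "deny", "CONNECT !SSL_ports"
    in_nets = any(ipaddress.ip_address(src) in n for n in ALLOWED_NETS)
    # dstdom_regex is matched against the destination hostname. A literal IP
    # is compared as-is here; Squid's optional reverse lookup is not modelled.
    if in_nets and any(r.search(host) for r in DSTDOM_REGEX):
        return "allow", "regex_ms mands_allowed_nets"
    # url_regex is matched against the whole request URL (host:port for CONNECT).
    if in_nets and any(r.search(url) for r in url_regex):
        return "allow", "urlregex_mands mands_allowed_nets"
    return "deny", "all"


def evaluate_log(text, url_regex=URL_REGEX_AS_POSTED):
    """Replay each access.log line through http_access(); returns a list of
    (method, url, verdict, rule) tuples in log order."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, rule = http_access(m["src"], m["method"], m["url"], url_regex)
        out.append((m["method"], m["url"], verdict, rule))
    return out


if __name__ == "__main__":
    for name, regex in (("as posted", URL_REGEX_AS_POSTED),
                        ("anchored (assumed)", URL_REGEX_ANCHORED)):
        print(f"--- url_regex {name}: {regex[0].pattern}")
        for method, url, verdict, rule in evaluate_log(ACCESS_LOG, regex):
            print(f"{verdict:5} {method:7} {url:60} via {rule}")
```

With the pattern as posted the replay gives allow, allow, allow, deny, matching the TCP_DENIED on the CONNECT to the IP; with the anchored pattern the same CONNECT is allowed by the urlregex_mands line. The model deliberately stops at the rules quoted in the post, so it says nothing about the other ACLs Kevin mentions but does not show.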
Received on Mon Dec 07 2009 - 09:30:24 MST

This archive was generated by hypermail 2.2.0 : Mon Dec 07 2009 - 12:00:01 MST