Re: [squid-users] TCP_Denied for when requesting IP as URL over SSL using squid proxy server.

From: kevin band <kdband_at_gmail.com>
Date: Tue, 8 Dec 2009 14:06:51 +0000

No, the point is, when the rule:
    http_access allow CONNECT SSL_ports
is in the configuration, ALL SSL requests are permitted, regardless of
any other restrictions. HTTP is restricted correctly.

2009/12/8 Amos Jeffries <squid3_at_treenet.co.nz>:
> kevin band wrote:
>>
>> I've managed to get this working, but I'm not happy because in doing
>> so I've created a different issue.
>>
>> My problems all started a few weeks ago when I was trying to tighten
>> up the rules.
>> Basically we have two squid proxy servers which are supposed to
>> contain the same configuration.
>> I noticed that on one of the servers, there was an extra rule that
>> wasn't there on the other :-
>>
>>    http_access allow CONNECT SSL_ports
>>
>> The net effect of this rule was that anyone requesting any URL via
>> https would be allowed through the squid proxy server regardless of
>> the settings in my whitelist files.
>>
>> I've now put this rule back in place and I now can get to the
>> 63.130.82.113 address using https.
>> The problem is that I can now get to any URL via https, even though I
>> have rules in place which are supposed to only allow access to the
>> websites that I have put into my whitelist files.
>>
>> Is this a bug in the way squid is handling the CONNECT method?
>>
>> Any suggestions as to how I can tighten things up again but still
>> allow through the 63.130.82.113 request via https?  As I've said
>> before the rules work OK for http.
>
> The IP pattern you had was off:
>  .*.63.130.82.113
>
> Redux:
>
>  ** regex assumes all patterns not beginning with ^ have an implicit .*
> prefix.
> Therefore:  .*.63.130.82.113   ==  .63.130.82.113
>
>  ** regex '.' means any character.
>
> Therefore:  .63.130.82.113  ==
> [a-zA-Z0-9\.]163[a-zA-Z0-9\.]130[a-zA-Z0-9\.]82[a-zA-Z0-9\.]113
>
>  ** you have that pattern seeking IP addresses
> Therefore:  .63.130.82.113  ==  [0-9\.]63\.130\.82\.113
>
>
> IMO you need to write the regex as:   ^63\.130\.82\.113
>
> I'm not sure why the raw-IP got through in regular requests. Possibly some
> other pattern or ACL matched and permitted it.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
>  Current Beta Squid 3.1.0.15
>
Received on Tue Dec 08 2009 - 14:06:56 MST
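Added example (not Squid source and not code from either poster): a small Python model of the two points this thread turns on. It reproduces Squid's first-match `http_access` evaluation to show why an `http_access allow CONNECT SSL_ports` line placed ahead of a whitelist lets every HTTPS CONNECT through, and it contrasts the unanchored pattern `.*.63.130.82.113` with the anchored `^63\.130\.82\.113` Amos suggests. The rule orderings, the use of `dstdom_regex` for the whitelist, and the hostnames are all constructed for the demonstration.

```python
"""Toy model of the Squid behaviours discussed in this thread.

Added example; not Squid source code and not code from either poster.
Models (1) first-match http_access evaluation and (2) how an unanchored
dstdom_regex pattern behaves next to an anchored one. Hostnames and the
rule orderings below are constructed for illustration.
"""
import re

SSL_PORTS = {443}  # contents of the usual `acl SSL_ports port 443`


# --- ACL predicates over a request dict: {"method", "host", "port"} ---
def is_connect(req):
    return req["method"] == "CONNECT"

def ssl_ports(req):
    return req["port"] in SSL_PORTS

def not_ssl_ports(req):  # the negated form `!SSL_ports`
    return not ssl_ports(req)

def everything(req):  # `acl all src all`
    return True

def dstdom_regex(patterns):
    """Model of `acl X dstdom_regex`: an unanchored search over the
    destination host, so a pattern without ^ may match anywhere."""
    compiled = [re.compile(p) for p in patterns]
    return lambda req: any(c.search(req["host"]) for c in compiled)

def evaluate(rules, req):
    """First http_access line whose ACLs all match decides. If no line
    matches, Squid applies the opposite of the last line's action."""
    for action, acls in rules:
        if all(acl(req) for acl in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def connect_first(whitelist):
    """Ordering described in the thread: the CONNECT line is checked
    before the whitelist, so the whitelist never sees HTTPS traffic."""
    return [
        ("allow", [is_connect, ssl_ports]),  # http_access allow CONNECT SSL_ports
        ("allow", [whitelist]),              # http_access allow whitelist
        ("deny", [everything]),              # http_access deny all
    ]

def whitelist_decides(whitelist):
    """Default-style ordering: refuse CONNECT to non-SSL ports outright,
    then let the whitelist alone decide, for CONNECT as well as GET."""
    return [
        ("deny", [is_connect, not_ssl_ports]),  # http_access deny CONNECT !SSL_ports
        ("allow", [whitelist]),
        ("deny", [everything]),
    ]

def req(method, host, port):
    return {"method": method, "host": host, "port": port}

def regex_results():
    """Which constructed hosts each pattern admits. The unanchored pattern
    needs at least one character before '63', so it misses the intended
    address and admits look-alikes instead."""
    sloppy = re.compile(r".*.63.130.82.113")
    anchored = re.compile(r"^63\.130\.82\.113")
    hosts = ["63.130.82.113", "163.130.82.113", "www63x130y82z113.example"]
    return {
        "sloppy": [h for h in hosts if sloppy.search(h)],
        "anchored": [h for h in hosts if anchored.search(h)],
    }

def acl_results():
    """(connect-first decision, whitelist-decides decision) per request."""
    wl = dstdom_regex([r"^63\.130\.82\.113"])
    cases = {
        "connect_listed": req("CONNECT", "63.130.82.113", 443),
        "connect_unlisted": req("CONNECT", "notlisted.example", 443),
        "connect_listed_odd_port": req("CONNECT", "63.130.82.113", 8443),
        "get_unlisted": req("GET", "notlisted.example", 80),
    }
    return {
        name: (evaluate(connect_first(wl), r), evaluate(whitelist_decides(wl), r))
        for name, r in cases.items()
    }

if __name__ == "__main__":
    print(regex_results())
    for name, (before, after) in acl_results().items():
        print(f"{name:24s} connect-first={before:5s} whitelist-decides={after}")
```

Two things worth checking in a real `squid.conf` after running this: the order of the `http_access` lines (an unlisted host gets `allow` under the connect-first ordering only because the whitelist is never consulted for CONNECT), and the anchoring of every regex in the whitelist files. Note that `^63\.130\.82\.113` without a trailing `$` still matches a longer host such as `63.130.82.1130`, so a terminating `$` is the safer form when the pattern is meant to name one exact address.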