Re: [squid-users] maxconn

From: Jason Greene <jason_at_the-greenes.net>
Date: Mon, 20 Dec 2010 11:15:28 -0600

So what do you recommend as a solution?

The only line I have in my conf that has "ssl" in it is this
acl SSL_ports port 443 563

but I have these ports as "safe"
acl Safe_ports port 443 563

How do I allow the connection thru SSL ports but close them down
enough to not get a HTTP Proxy CONNECT Loop DoS show on my scan?

Thanks

Jason

On Fri, Dec 17, 2010 at 11:38 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 18/12/10 04:35, Jason Greene wrote:
>>
>> On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffries<squid3_at_treenet.co.nz>
>>  wrote:
>>>
>>> On 17/12/10 10:38, Jason Greene wrote:
>>>>
>>>> I'm trying to close a security hole
>>>>
>>>>
>>>> I want to use maxconn on ALL IPs
>>>>
>>>> acl limitusercon maxconn 3
>>>> http_access deny all limitusercon
>>>
>>> Testing the "all" there is not useful. That should be just:
>>>
>>>  http_access deny limitusercon
>>>
>>> ... making sure it's placed at the top of your access controls so nothing
>>> doing an allow can bypass it. Right after the "deny CONNECT !SSL_Ports"
>>> should do.
>>
>> Thanks, I'll try this out.
>>
>>>
>>>>
>>>> But it doesn't seem to work and the hole still appears on a scan.
>>>
>>> What hole?
>>
>>
>> HTTP Proxy CONNECT Loop DoS
>>
>
> If that is what I think it is you are missing the default "deny CONNECT
> !SSL_Ports" or have opened SSL_Ports too wide.
> Due to:
>  - the proxy listening ports are not SSL/CONNECT safe ports.
>  - port 443 listening is reverse-proxy territory + reverse proxy must not
> accept CONNECT requests (older squid releases allowed it wrongly).
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.9
>  Beta testers wanted for 3.2.0.3
>
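As an added illustration, not taken from Jason's or Amos's messages and not the Squid project's own configuration, here is the access-control ordering Amos describes, written in squid.conf syntax. The client network range and the listening port are assumed placeholders; the ACL names match the ones already used in this thread. The point it shows is that the proxy's own listening port must not appear in SSL_ports, that CONNECT is denied to anything but SSL_ports before any allow rule, and that the maxconn deny comes next and on its own (no "all" on the same line).

```conf
# Assumed placeholders: adjust to the real site.
http_port 3128
acl localnet src 192.168.0.0/16

# Ports a CONNECT tunnel may be opened to. Note that the proxy's own
# listening port (3128 above) is deliberately NOT listed here, so a
# CONNECT back to the proxy itself cannot be tunnelled in a loop.
acl SSL_ports port 443 563

# Ports ordinary (non-CONNECT) requests may be forwarded to.
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777

acl CONNECT method CONNECT

# True once a single client IP holds more than 3 connections.
# maxconn relies on client_db, which is on by default.
acl limitusercon maxconn 3

# Order matters: Squid stops at the first matching http_access line,
# so every deny below must precede the first allow.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny limitusercon
http_access allow localnet
http_access deny all
```

After editing, "squid -k parse" reports syntax problems in the file and "squid -k reconfigure" loads the new rules without a restart. If the proxy also listens on port 443 as a reverse proxy, the "deny CONNECT !SSL_ports" line still applies, but as Amos notes the accelerator port must not accept CONNECT at all, which older releases did not enforce.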
Received on Mon Dec 20 2010 - 17:15:34 MST

This archive was generated by hypermail 2.2.0 : Thu Dec 23 2010 - 12:00:03 MST