RE: https

From: Larmour, Jonathan <Jonathan.Larmour@dont-contact.us>
Date: Thu, 16 Oct 1997 14:48:13 +0100

Aaarrgh!!! Please NO-ONE do this. It is INCREDIBLY insecure. It
allows people using your proxy to send arbitrary data to arbitrary
ports on arbitrary servers, and it all appears to come from your
proxy server. For example, this would mean they can connect to any
port on the proxy machine, even if ordinarily denied by
ACLs/firewalls/etc. because the request will appear to come from
itself.

If they _really_ want, they could do (untested):
acl secone dstdomain www.security-one.com
acl port2000 port 2000

http_access allow CONNECT secone port2000
http_access deny CONNECT !SSL_ports
[etc.]

for this one exceptional case. But really the fault is with
www.security-one.com running on port 2000 which is non-standard. I
would have thought that what is presumably a security company should
have known better, as most firewalls would have problems with this.
If the original poster is intending to buy computer security stuff
from them, you may want to be careful, as it doesn't sound like they
have a good level of expertise.

Jonathan L.
Origin, 323 Cambridge Science Park, Cambridge, UK. Tel: +44 (1223) 423355
 ---[ It is impossible to enjoy idling thoroughly unless one has ]---
 ------------[ plenty of work to do - Jerome K. Jerome ]-------------
Fight spam! http://spam.abuse.net/ These opinions are all my fault

----------
From: Oskar Pearson
Sent: 16 October 1997 14:19
To: Edgar Gutierrez
Cc: tom burkart; squid-users@nlanr.net
Subject: Re: https

Hi

> Thanks but what I really mean is, when I tried to access
> https://www.security-one.com:2000 , access was denied through our proxy
> server...when I asked the site admin, he "suspected" that squid doesn't
> recognize https requests .... is that true? or is it just their secure
> http server configuration that refuses https requests thru caching proxy
> servers?

Look at the lines:

acl SSL_ports port 443 563
and
http_access deny CONNECT !SSL_ports
and
acl CONNECT method CONNECT

in your squid.conf

comment them out, kill -1 and you should be fine...

Duane - can't we not put these in the
Received on Thu Oct 16 1997 - 06:47:23 MDT
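Added illustration, not Squid's code and not from either poster: a small Python model of Squid's http_access evaluation (ACLs on a line are ANDed, "!" negates, first matching line wins, and an unmatched request gets the opposite of the last line's action). It models only the ACL types the thread uses (method, port, dstdomain) plus the built-in "all", and runs the two constructed configs against sample CONNECT requests to show why commenting out the deny line opens the proxy to arbitrary ports while the narrow exception does not.

```python
def parse_conf(text):
    # Collect 'acl' definitions and 'http_access' lines; '#' starts a comment.
    acls, rules = {}, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":            # acl <name> <type> <value>...
            name, atype, values = words[1], words[2], words[3:]
            acls.setdefault(name, (atype, []))[1].extend(values)
        elif words[0] == "http_access":  # http_access allow|deny <acl>...
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acls, name, method, host, port):
    if name == "all":                    # Squid's built-in match-everything ACL
        return True
    atype, values = acls[name]
    if atype == "method":
        return method in values
    if atype == "port":
        return str(port) in values
    if atype == "dstdomain":             # a leading dot also matches subdomains
        return any(host == v or (v[0] == "." and host.endswith(v)) for v in values)
    raise ValueError(f"ACL type {atype} not modelled here (assumption of this example)")

def http_access(conf, method, host, port):
    """Squid semantics: ACLs on one line are ANDed, the first matching line wins."""
    acls, rules = parse_conf(conf)
    for action, terms in rules:
        # "!name" negates a term; the line matches only if every term is satisfied
        if all(acl_matches(acls, t.lstrip("!"), method, host, port) != t.startswith("!")
               for t in terms):
            return action
    # nothing matched: Squid applies the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed configs: the "comment it out" advice versus the narrow exception.
OPEN_CONF = """acl SSL_ports port 443 563
acl CONNECT method CONNECT
# http_access deny CONNECT !SSL_ports
http_access allow all
"""
TIGHT_CONF = """acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl secone dstdomain www.security-one.com
acl port2000 port 2000
http_access allow CONNECT secone port2000
http_access deny CONNECT !SSL_ports
http_access allow all
"""
```

With OPEN_CONF a CONNECT to localhost:25 through the proxy is allowed; with TIGHT_CONF it is denied while www.security-one.com:2000 and ordinary port-443 CONNECTs still pass.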