Fwd: [squid-users] TCP_Denied for when requesting IP as URL over SSL using squid proxy server.

From: kevin band <kdband_at_gmail.com>
Date: Tue, 8 Dec 2009 10:17:28 +0000

I didn't realise I'd sent this directly to Amos, I meant to reply to
the mailing list.

---------- Forwarded message ----------
From: kevin band <kdband_at_gmail.com>
Date: 2009/12/7
Subject: Re: [squid-users] TCP_Denied for when requesting IP as URL
over SSL using squid proxy server.
To: Amos Jeffries <squid3_at_treenet.co.nz>

Hi Amos,

Thanks for the reply, I'm happy to accept what you say, but is there
anything specific that tells you that it's the remote web-server
rather than the squid-proxy that's rejecting the connection?

Regarding dstdomain, yes I am familiar with that, but it doesn't meet
our needs in this instance, because there are multiple Marks and
Spencer domains that we need to allow access to, and they seem to
create a new one every few weeks.
We've been asked to set up a rule that wild-cards anything for
marksandspencer. They have a wide variety of formats in their URLs,
e.g. www.marksandspencer.com, suppliers.marksandspencer.com,
suppliers.marksandspencercate.com; the regex rule was the best
compromise.

Thanks again.

Kevin.

2009/12/7 Amos Jeffries <squid3_at_treenet.co.nz>:
> kevin band wrote:
>>
>> Hi,
>>
>> I'm hoping somebody can help me here, because I'm at a loss about what
>> to do next.
>>
>> Basically we have squid running as a proxy server to restrict access
>> to just those sites which we've included in our ACLs.
>> I have noticed recently that it isn't handling HTTPS requests properly
>> if the URL contains an IP address instead of a domain name.
>>
>> The reason this is a particular problem is that although the users can
>> connect to the page using the domain name, something within that
>> domain is then forwarding requests to the same web-server using its IP
>> address.
>> I'm sure I have my ACLs set up correctly because squid will forward
>> the request using either URL if I send the requests using HTTP.  It
>> then times out on the web-server because it only allows https, but at
>> least the request is being forwarded to the web-server rather than
>> being denied in squid.
>
> The remote web server(s) is rejecting the connections. Probably because the
> SSL certificates require a domain name as part of their authentication
> validation.
>
> It's probably a broken client browser or maybe the website itself sending
> funky page URLs with the raw-IP inside. If you care, you need to find out
> which and complain to whoever made the broken bits. Squid is just an
> innocent middleman here.
>
>>
>> Here's an extract from the logs that might explain it better :-
>>
>>    158.41.4.44 - - [04/Dec/2009:15:56:47 +0000] "GET
>> http://stpaccess.marksandspencer.com/ HTTP/1.1" 504 1024 TCP_MISS:NONE
>>    158.41.4.44 - - [04/Dec/2009:15:57:02 +0000] "CONNECT
>> stpaccess.marksandspencer.com:443 HTTP/1.0" 200 7783 TCP_MISS:DIRECT
>>    158.41.4.44 - - [04/Dec/2009:16:01:53 +0000] "GET
>> http://63.130.82.113/Citrix/MetaFrameXP/default/login.asp HTTP/1.1"
>> 504 1064 TCP_MISS:NONE
>>    158.41.4.44 - - [04/Dec/2009:16:03:13 +0000] "CONNECT
>> 63.130.82.113:443 HTTP/1.0" 403 980 TCP_DENIED:NONE
>>
>>
>> And config extracts:
>>
>>    acl SSL_ports port 443 563 444
>>    acl Safe_ports port 80 8002 23142 5481 5181 5281 5381 5481 5581 5400 5500  # http
>>    acl Safe_ports port 23142       # OPEL project
>>    acl Safe_ports port 21          # ftp
>>    acl Safe_ports port 443 444 563 # https, snews
>>
>>    acl CONNECT method CONNECT
>>
>>    acl regex_ms dstdom_regex -i "/home/security/regex_marksandspencer.txt"
>>    acl urlregex_mands url_regex -i "/home/security/regex_marksandspencer_ip.txt"
>>    acl mands_allowed_nets src "/home/security/mands_allowed_nets.txt"
>>
>>    http_access allow manager localhost
>>    http_access deny manager
>>    http_access deny !Safe_ports
>>    http_access deny CONNECT !SSL_ports
>>
>>    http_access allow regex_ms  mands_allowed_nets
>>    http_access allow urlregex_mands mands_allowed_nets
>>    http_access deny all
>>
>> There are actually a lot more ACLs than this, but these are the only
>> ones I think are relevant.
>>
>> Relevant extracts from the files linked to ACLs:
>>
>>  regex_marksandspencer.txt
>>      .*marksandspencer.*com
>>
>>  regex_marksandspencer_ip.txt
>>      .*.63.130.82.113
>>
>>
>> Thanks for any help.
>>
>> Kevin.
>
> Kevin, meet dstdomain:
>
>  acl markandspencer dstdomain .marksandspencer.com 63.130.82.113
>  http_access allow markandspencer mands_allowed_nets
>
> 10x or more faster than regex. Matching marksandspencer.com, all sub-domains
> and the raw-IP address form.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
>  Current Beta Squid 3.1.0.15
>
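As an added illustration (not part of the thread and not Squid's own code), the script below models the two rule sets from this exchange and runs them against the four logged requests. It assumes Squid's documented semantics: url_regex is searched against the full request URL, which for CONNECT is just "host:port"; dstdom_regex sees only the destination host; and a dstdomain entry with a leading dot matches the domain and every subdomain while a bare name or IP literal matches exactly (reverse DNS is not modelled).

```python
import re
from urllib.parse import urlsplit

# Constructed from the access-log lines quoted in the thread: a GET carries a
# full URL, a CONNECT carries only host:port.
REQUESTS = [
    ("GET", "http://stpaccess.marksandspencer.com/"),
    ("CONNECT", "stpaccess.marksandspencer.com:443"),
    ("GET", "http://63.130.82.113/Citrix/MetaFrameXP/default/login.asp"),
    ("CONNECT", "63.130.82.113:443"),
]

def request_host(method, url):
    """Destination host as dstdomain / dstdom_regex would see it."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname

def url_regex(pattern, url):
    # url_regex -i: case-insensitive search over the whole request URL
    return re.search(pattern, url, re.IGNORECASE) is not None

def dstdom_regex(pattern, host):
    # dstdom_regex -i: same search, but only over the destination host
    return re.search(pattern, host, re.IGNORECASE) is not None

def dstdomain(entries, host):
    """Model of dstdomain: '.example.com' matches example.com and any
    subdomain; a bare hostname or IP literal must match exactly."""
    host = host.lower()
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def kevins_rules(method, url):
    """The two allow rules from the original config, regex files inlined."""
    host = request_host(method, url)
    return (dstdom_regex(r".*marksandspencer.*com", host)
            or url_regex(r".*.63.130.82.113", url))

def amos_rule(method, url):
    """The single dstdomain ACL suggested in the reply."""
    return dstdomain([".marksandspencer.com", "63.130.82.113"],
                     request_host(method, url))

def compare():
    """(method, url, allowed by regex rules, allowed by dstdomain rule)."""
    return [(m, u, kevins_rules(m, u), amos_rule(m, u)) for m, u in REQUESTS]
```

Running compare() shows the regex set admits three of the four requests and rejects "CONNECT 63.130.82.113:443", because ".*.63.130.82.113" needs at least one character before "63" and a CONNECT URL has none; the dstdomain form admits all four.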
Received on Tue Dec 08 2009 - 10:17:43 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 09 2009 - 12:00:01 MST