On 14/06/11 03:14, Alejandro Cabrera Obed wrote:
> Dear, I have a Debian + Squid proxy reverse machine working very well
> for HTTP internal sites.
>
> But now I have to set up a reverse resolution for an HTTPS external site
> on a non-default port:
>
> https://www.company.com:7000
>
>
> Nowadays the Debian+Squid box has http and https proxy setup to get
> Internet sites:
>
> export http_proxy=http://10.1.1.1:3128
> export https_proxy=http://10.1.1.1:3128
>
> (10.1.1.1 is our company proxy)
>
>
> So how can I implement an HTTPS reverse site with Squid in my scenario?

Assuming you still have the basic security in place, your proxy will be
locked down as to which ports it can blindly relay HTTPS to.

Normally you would just add this:

  acl SSL_ports port 7000

BUT... port 7000 is one of the common ports used by IRC (think botnet
master C&C servers).

So I will advise a bit more strictness. Like so:

  ...
  acl SSL_ports port 443 7000
  # the next line is already in squid.conf
  http_access deny CONNECT !SSL_ports
  acl ABC dstdomain .example.com
  acl port7000 port 7000
  http_access deny CONNECT port7000 !ABC
  ...

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.9 and 3.1.12.3

Received on Fri Jun 24 2011 - 13:42:35 MDT
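
Added example (not part of the message above and not Squid code): a small Python model of first-match http_access evaluation, comparing the one-line SSL_ports change with the stricter rule set from the reply. The trailing "allow all" rule, the function names and the sample hosts are assumptions made for the illustration.

```python
# Simplified model of how Squid evaluates http_access for CONNECT requests.
# Illustration only: the real parser and ACL types live in Squid itself.

def dstdomain(pattern, host):
    """dstdomain match: a leading dot covers the domain and its subdomains."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def make_acls(ssl_ports):
    return {
        "CONNECT": lambda r: r["method"] == "CONNECT",
        "SSL_ports": lambda r: r["port"] in ssl_ports,
        "port7000": lambda r: r["port"] == 7000,
        "ABC": lambda r: dstdomain(".example.com", r["host"]),
        "all": lambda r: True,
    }

def decide(rules, acls, req):
    """Return the action of the first rule whose ACLs all match (AND)."""
    for action, *names in (line.split() for line in rules):
        # "!name" matches when the named ACL does not.
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny"  # not reached below: both rule sets end in "all"

# Assumption: "allow all" stands in for the site's own allow rule(s).
LOOSE = ["deny CONNECT !SSL_ports", "allow all"]
STRICT = ["deny CONNECT !SSL_ports",
          "deny CONNECT port7000 !ABC",
          "allow all"]

def compare(host, port, method="CONNECT"):
    """Return (loose_decision, strict_decision) for one request."""
    req = {"method": method, "host": host, "port": port}
    acls = make_acls({443, 7000})
    return decide(LOOSE, acls, req), decide(STRICT, acls, req)

if __name__ == "__main__":
    # Constructed sample requests.
    samples = [("www.example.com", 7000), ("irc.example.net", 7000),
               ("notexample.com", 7000), ("www.example.net", 443),
               ("www.example.com", 6667)]
    for host, port in samples:
        loose, strict = compare(host, port)
        print(f"CONNECT {host}:{port:<5} loose={loose:<5} strict={strict}")
```

Only the port-7000 rows differ between the two rule sets: the stricter one relays port 7000 solely to hosts under example.com, while port 443 behaves as before.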