Re: [squid-users] Squid and https ports

From: Jerry Murdock <jmurdock@dont-contact.us>
Date: Wed, 21 Aug 2002 15:17:41 -0400

----- Original Message -----
From: "Simon Wright" <diver06@attglobal.net>
To: <squid-users@squid-cache.org>
Sent: Wednesday, August 21, 2002 2:37 PM
Subject: [squid-users] Squid and https ports

> Hi all:
>
> Please forgive what may be a very basic question, but I run
> small Squid (2.4S5 on NT4). This works fine, however one user
> wants to connect to an https server that is using port 8443
> instead of 443 or 563 for his web site admin.
>
> I can add this port to the SSL_Ports acl, however I have no idea
> whether this may cause a problem or allow some theoretical or
> practical vunerability. Would I be better off adding a specific
> access rule for the one IP address/port combination?
>

Assuming your acls are otherwise sane, the only real danger is it's one more
potential port for users to tunnel out on.

I generally have a single acl controlling what sites have access to
non-standard ssl ports.ie:

acl SSL_Domains dstdomain .corp.com .bigmoney.com
acl SSL_ports port 443 563 6100 8320
acl SSL_Domain_Ports port 6100 8320
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access deny CONNECT SSL_Domain_Ports !SSL_Domains

It's been a decent reasonable-to-manage vs a-bunch-of-wide-open-ssl-ports
for me. Of course you do have to use common sense, opening up something
like port 25 would require a very specific rule. Likewise, I wouldn't want
to open up something like ".earthlink.net" to a bunch of extra ports.

Jerry
Received on Wed Aug 21 2002 - 13:17:55 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:46 MST