On 7/02/19 3:52 am, Paul Doignon wrote:
> Thanks, I appreciate your detailed answer.
>
>>> I'm struggling a lot to configure Squid. To improve the security of my
>>> app in my AWS private subnet,
>>
>> If it is indeed *your* app; then please alter it not to require the
>> interception we see below. Ability to connect to a TLS explicit proxy or
>> just sending regular proxy CONNECT tunnel is a leap up in security.
>
> I wish I could too! Unfortunately, we use some third party libraries that do
> not support proxies (or not well). What a shame :(
>
>>> # Hide some revealing or useless headers
>>> forwarded_for delete
>>> httpd_suppress_version_string off
>>> reply_header_access X-Cache deny all
>>> reply_header_access X-Cache-Lookup deny all
>>> via off
>>>
>>> # Tuning
>>> max_filedesc 10000
>>>
>>> # Disable access to manager
>>> http_access deny manager
>>
>> 2) you are missing the security protections from the default squid.conf...
>
> I have not hardened Squid yet, but you mean default `acl localnet src [...]`
> rules? I'm not sure about this.
>

The defaults that come with a new build or installation:
"
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost manager
 http_access deny manager

 ... your rules go here ...

 http_access deny all
"

>> Please see <https://wiki.squid-cache.org/Features/SslPeekAndSplice> for
>> details on the TLS handshake process and what SSL-Bump does during that.
>
> Another read was indeed interesting, I think I corrected ssl_bump directives.
> However I still can't make it work.
> Just for the record, I would like to block everything but some HTTPS websites
> for particular URLs. The ssl::server_name acl is not enough for me, I would
> like to use url_regex or similar.
> And that's where it gets wrong, I can't make Squid make the link between
> `ssl_bump bump` and url_regex.

That is because ssl_bump is the access control governing the TLS handshake
process. TLS messages/frames do not contain URLs. Even when a client CONNECT
request is being processed it only has an authority-URI (not a full URL).

The http_access rules are the first point you get access to the URL. The
https:// URLs start *after* the ssl_bump finishes with a successful 'bump'
action.

The closest you are going to get to the above is with:
 * bump everything [1], and
 * use http_access to check the https:// URLs for your policy
 * use "deny_info TCP_RESET" [2] on the blocked requests.

[1] some things literally cannot be bumped. So a decision needs to be made
about what to do then.

[2] a regular deny error page will work fine. This TCP_RESET is just
closest to the "ssl_bump terminate" behaviour.

Amos
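As an added illustration (not part of the thread and not the Squid project's own sample config), the three steps above put together in a squid.conf fragment for an intercepting port: bump every TLS connection first, then apply the URL policy in http_access, and reset what the policy rejects. The port number, the CA certificate and cert-db paths, the VPC CIDR and the allowed URL pattern are assumptions; Safe_ports, SSL_ports, CONNECT and localhost are the stock ACLs from the default squid.conf, and the http_port options use Squid 4 syntax.

```conf
# Intercepting HTTPS port with SSL-Bump (assumed port and CA certificate path).
# The CA in bump-ca.pem must be trusted by the hosts running the app.
http_port 3129 intercept ssl-bump tls-cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

acl localnet src 10.0.0.0/8        # assumed: the AWS private subnet range

# Stock protections stay in front of the policy rules.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Step 1: bump everything. Peek at the ClientHello to learn the SNI, then
# decrypt. No URL exists at this stage, so url_regex cannot be used here.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# The CONNECT (real or the fake one Squid generates for intercepted port 443)
# carries only host:port. It has to be allowed so the handshake reaches
# ssl_bump; the decrypted https:// request is checked by http_access next.
http_access allow localnet CONNECT SSL_ports

# Step 2: URL policy on the decrypted requests (assumed allowed pattern).
acl allowed_urls url_regex ^https://api\.example\.com/v1/
http_access allow localnet allowed_urls

# Step 3: everything else bumped is answered with a TCP reset rather than an
# error page, which is the closest match to "ssl_bump terminate".
acl blocked_https proto HTTPS
deny_info TCP_RESET blocked_https
http_access deny localnet blocked_https
http_access deny all
```

Connections that cannot be bumped (footnote [1]) never produce a URL, so they fail at the ssl_bump stage and need their own handling decision; this fragment does not resolve that.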