Hey Squid community, I would greatly appreciate a hint on how to configure Squid to achieve the following:
Context
========

Transparent HTTP/S proxy (ideally no TLS re-encryption)
Domain allowlist acl
Squid v6.13

Goal
========

Have Squid "inspect" HTTPS requests (as much as possible/needed with the actions provided by ssl_bump) and perform the host header forgery check in addition to checking if the host extracted from SNI matches the domain allowlist acl.

The configuration should basically prevent this:

]$ curl --insecure --resolve <domain on allowlist>:443:<arbitrary IP not associated with domain> https://<domain on allowlist>

It seems like all the necessary tools are provided, and I see hints pointing to this possibility, e.g. https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery (the INFO box), but I'm having trouble using them to accomplish the desired effect.

The host_verify_strict option seems to solve this for unencrypted HTTP, and I got the domain allowlist to work for HTTP + HTTPS - it's just easily circumvented by the curl above in the case of HTTPS.

A rough idea about the order/placement of the acls involved (relative to the ssl_bump steps where applicable) would help a lot.

Cheers,
Adrian
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org https://lists.squid-cache.org/listinfo/squid-users
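One possible ordering of the ssl_bump rules for the peek-and-splice setup described above, as an added example that is not part of the original post or of the Squid project's documentation. Port numbers, file paths and example.com are placeholders; the http_access rules for the plain-HTTP port and for the fake CONNECT are assumed to exist already and are not shown.

```squidconf
# Added example config fragment (assumptions: Squid 4+ ssl::server_name options,
# placeholder paths and ports, .example.com standing in for the allowlist).
http_port  3128 intercept
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Deny intercepted requests whose Host header (or SNI, for intercepted TLS) does
# not resolve to the IP the client actually connected to. This is the check aimed
# at the `curl --resolve <allowed>:443:<other IP>` case: an SNI allowlist alone
# cannot catch it, because the forged SNI *is* on the allowlist.
host_verify_strict on

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Step 2: only the client-requested name (SNI) is known yet.
acl allowed_sni ssl::server_name --client-requested .example.com
# Step 3: SNI and the names in the server certificate are both known;
# --consensus matches only when they agree.
acl allowed_consensus ssl::server_name --consensus .example.com

# Step 1: only the destination IP is known; peek at the ClientHello to learn the SNI.
ssl_bump peek step1
# Step 2: SNI on the allowlist -> peek at the server certificate (still no bump).
ssl_bump peek allowed_sni step2
# Step 3: splice (no re-encryption) only when SNI and certificate names agree.
ssl_bump splice allowed_consensus step3
# Everything else (no SNI, SNI not allowed, names disagree): close the connection.
ssl_bump terminate all
```

The --consensus check is a second line of defence only: a server at an arbitrary IP can also present a certificate naming the allowed host, and the client in the curl example skips validation anyway, so host_verify_strict remains the control that ties the name to the intercepted destination IP.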