Deb Heller-Evans wrote:
> 8.2 Security Considerations for CONNECT
>
> A generic TCP tunnel is fraught with security risks. First, such
> authorization should be limited to a small number of known ports.
> The Upgrade: mechanism defined here only requires onward tunneling at
> port 80. Second, since tunneled data is opaque to the proxy, there
> are additional risks to tunneling to other well-known or reserved
> ports. A putative HTTP client CONNECTing to port 25 could relay spam
> via SMTP, for example.
This is a real threat. See below for how it is addressed in Squid.
> As squid is configured today, assuming most defaults in place, with
> modifications for site ACLs, like
>
> acl Safe_ports port nn1
> acl Safe_ports port nn2
>
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
>
> Where port 25, for example is not a Safe_port, then am I correct
> in my assessment that tunnels to/from my squid proxy for port 25
> will be disallowed?
Actually, the default configuration is much more restrictive than so.
There relevant part of the configuration is not Safe_ports but the
smaller SSL_ports acl, and it's connection to the CONNECT method.
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
This restrict CONNECT to only port 443 (https) or 563 (snews). Any
attempt to CONNECT to any other port is disallowed unless the
administrator has intentionally allowed access bu changing or disabling
this check.
Regards
Henrik Nordström
Squid Hacker
Received on Thu Nov 15 2001 - 12:26:56 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:04:15 MST