On 21/10/2025 18:59, Dmitry Melekhov wrote:
21.10.2025 09:20, Amos Jeffries wrote:
On 21/10/2025 15:01, Dmitry Melekhov wrote:

There is a third way - revert the change, which breaks rewrites,

this is what I did.


Sending all "blocked" visitors to whatever server whose DNS name starts with "http." is not a fix.

If the browser expects https and gets http, it results in an error, not in a breach.


Any server could easily respond with HTTPS on port 80 - especially since the domain "http" is rare and likely crafted to exist by an attacker.



It is breaking things in worse ways that are not visible to you.

All it takes is for Squid to find it has a record for domain "http.*" and all your so-called blocked visitors will be hijacked by that server. Silently.


I can't understand which server you are talking about.


Any server where Squid resolves the http.* domain name to point at.



The officially patched Squid is rejecting the CONNECT tunnel (as you want) and also telling you the helper needs fixing. If the error message is annoying, do one of the fixes I mentioned earlier.


No, Squid passes traffic. This is the problem. Error messages are not a problem.


Ah, there is the missing piece. Thank you for correcting me.



Amos