22.10.2025 08:17, Amos Jeffries writes:
On 21/10/2025 18:59, Dmitry Melekhov wrote:
21.10.2025 09:20, Amos Jeffries writes:
On 21/10/2025 15:01, Dmitry Melekhov wrote:
There is a third way: revert the change which breaks rewrites;
this is what I did.
Sending all "blocked" visitors to whatever server whose DNS name
starts with "http." is not a fix.
If the browser expects https and gets http, it results in an error, not in
a breach.
Any server could easily respond with HTTPS on port 80 - especially
since the domain "http" is rare and likely crafted to exist by an
attacker.
Sorry, I don't see any real problem here; otherwise all squids before 7
are affected.
It is breaking things in worse ways that are not visible to you.
All it takes is for Squid to find it has a record for domain
"http.*" and all your so-called blocked visitors will be hijacked by
that server. Silently.
I can't understand which server you are talking about.
Any server where Squid resolves the http.* domain name to point at.
The officially patched Squid is rejecting the CONNECT tunnel (as you
want) and also telling you the helper needs fixing. If the error
message is annoying, do one of the fixes I mentioned earlier.
No, squid passes traffic. This is the problem. Error messages are not a
problem.
Ah, there is the missing piece. Thank you for correcting me.
I think this should be corrected, but this is a feature now.
Very strange, imho.
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
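The helper-side fix the thread keeps referring to, shown as an added example that is not part of the thread and not code from the Squid project. It assumes the helper is a url_rewrite_program running with concurrency enabled (so every line carries a channel-ID), the standard helper line protocol (input `channel URL client_ip/fqdn user method [urlgroup] kv-pairs`, output `channel OK|ERR|BH [kv-pairs]`), and that Squid passes a CONNECT target as `host:port`. The block page URL and the blocked-host list are constructed placeholders. `naive_respond` is the pattern the thread warns about: it rewrites a CONNECT target to an `http://` URL. `safe_respond` never touches a tunnel and leaves CONNECT denial to `http_access`.

```python
"""Squid url_rewrite_program helper that refuses to rewrite CONNECT tunnels.

Added example; not from the squid-users thread or the Squid source.
Assumptions: url_rewrite_children ... concurrency=N (channel-ID present),
standard helper protocol, CONNECT URL given as host:port.
"""
import sys
from urllib.parse import urlsplit

# Constructed placeholders for the example; not real hosts.
BLOCK_PAGE = "http://blocked.example/denied.html"
BLOCKED_HOSTS = {"ads.example", "tracker.example"}


def parse_line(line):
    """Return (channel_id, url, method) from one helper input line.

    Field layout with concurrency enabled:
      channel URL client_ip/fqdn user method [urlgroup] kv-pairs
    """
    fields = line.strip().split(" ")
    if len(fields) < 5:
        raise ValueError("unexpected helper input: %r" % line)
    return fields[0], fields[1], fields[4].upper()


def host_of(url, method):
    """Extract the host that the request is aimed at.

    A CONNECT target is an authority ('host:port'), not a URL, so urlsplit
    would mis-parse it; split on the last ':' instead.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def naive_respond(line):
    """The problematic pattern: rewrite every blocked request, CONNECT included.

    For a CONNECT this hands Squid an 'http://...' string where it expects a
    tunnel target, which is exactly the case the thread describes.
    """
    channel, url, method = parse_line(line)
    if host_of(url, method) in BLOCKED_HOSTS:
        return "%s OK rewrite-url=%s" % (channel, BLOCK_PAGE)
    return "%s ERR" % channel


def safe_respond(line):
    """Rewrite only plain HTTP requests; leave tunnels untouched ('ERR').

    'ERR' means "no change" in the helper protocol. A blocked CONNECT must be
    denied by an http_access rule, not by rewriting its destination.
    """
    channel, url, method = parse_line(line)
    if method == "CONNECT":
        return "%s ERR" % channel
    if host_of(url, method) in BLOCKED_HOSTS:
        return "%s OK rewrite-url=%s" % (channel, BLOCK_PAGE)
    return "%s ERR" % channel


def main():
    # Helper loop: one request per line on stdin, one answer per line on
    # stdout, flushed immediately so Squid is never left waiting.
    for line in sys.stdin:
        sys.stdout.write(safe_respond(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Pair the helper with an ACL-based denial for tunnels, for example `acl blocked_hosts dstdomain ads.example tracker.example` and `http_access deny CONNECT blocked_hosts` placed before the allow rules, so a blocked HTTPS visitor gets Squid's own error page rather than a rewritten tunnel. If you prefer a visible redirect for plain HTTP instead of a transparent rewrite, return `OK status=302 url=...` in place of `rewrite-url=...`.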