From 04c9a9d84713c61b966a70f8f4c51ef14a74b0bb Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 30 May 2022 18:28:21 +0200
Subject: [PATCH] Add squid_deny_connect_on_not_safe_ports.
---
 defaults/main.yml | 2 ++
 templates/squid.conf.j2 | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 1fb5680..179eef7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -17,6 +17,8 @@ squid_safe_ports:
 - 80
 - 443
+squid_deny_connect_on_not_safe_ports: true
+
 squidclient_enabled: True
 squidclient_allowed_hosts:
 - '127.0.0.1/8'
diff --git a/templates/squid.conf.j2 b/templates/squid.conf.j2
index e1d8a6b..03f8a95 100644
--- a/templates/squid.conf.j2
+++ b/templates/squid.conf.j2
@@ -34,8 +34,10 @@ http_access allow PURGE squidclientnet
 # Deny requests to certain unsafe ports
 http_access deny !Safe_ports
+{% if squid_deny_connect_on_not_safe_ports %}
 # Deny CONNECT to other than secure SSL ports
 http_access deny CONNECT !SSL_ports
+{% endif %}
 # Only allow cachemgr access from localhost
 http_access allow localhost manager
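Review bot: The new default `squid_deny_connect_on_not_safe_ports: true` carries no comment, and its name does not match what it gates: in templates/squid.conf.j2 it wraps `http_access deny CONNECT !SSL_ports`, i.e. the SSL_ports ACL, not Safe_ports. A reader of defaults/main.yml alone will assume it controls the `!Safe_ports` rule, which stays unconditional. Since turning this off removes the only line that stops CONNECT tunnels to non-SSL ports, a comment above the default is warranted, e.g. `# When false, the "http_access deny CONNECT !SSL_ports" rule is omitted from squid.conf, so CONNECT is allowed to any port still permitted by Safe_ports.` A name like `squid_deny_connect_on_not_ssl_ports` would match the ACL, but renaming a public role variable is the maintainer's call.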
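Review bot: The guard `{% if squid_deny_connect_on_not_safe_ports %}` tests Jinja truthiness, so a value supplied as a string (e.g. `-e squid_deny_connect_on_not_safe_ports=false` on the command line) is non-empty and therefore true, while a string `"false"` in an inventory file behaves the same way; the rule would then be emitted when the operator meant to disable it, and conversely nothing protects against a typo producing an unexpected omission. Coerce explicitly: `{% if squid_deny_connect_on_not_safe_ports | bool %}`. It would also help to render a marker when the rule is dropped, since the rendered squid.conf otherwise gives no hint that the CONNECT restriction was intentionally removed; an `{% else %}` branch with `# CONNECT to non-SSL ports allowed (squid_deny_connect_on_not_safe_ports is false)` keeps that visible to whoever audits the box.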