Default connect_port to 443 only

renaudallard · renaudallard · commit cd90a77bddda · 2026-03-19T11:42:59.000+01:00
CONNECT tunnels are restricted to port 443 by default.  HTTP
forwarding (GET/POST) is unaffected.  Config entries replace
the default.
diff --git a/README.md b/README.md
@@ -116,7 +116,7 @@ See `thinproxy.conf.example` for a full example.
 | Directive | Description | Default |
 |-----------|-------------|---------|
 | `deny_private <yes\|no>` | Block connections to private/reserved addresses | `yes` |
-| `connect_port <port>` | Allowed CONNECT port (whitelist, repeatable) | all |
+| `connect_port <port>` | Allowed CONNECT port (whitelist, repeatable) | `443` |
 | `allow <ip[/prefix]>` | Allow source address (whitelist mode) | |
 | `deny <ip[/prefix]>` | Deny source address (blacklist mode) | |
 
diff --git a/thinproxy.8 b/thinproxy.8
@@ -130,7 +130,8 @@ When any
 .Cm connect_port
 directive is present, CONNECT requests to unlisted ports are denied
 with 403 Forbidden.
-If omitted, all ports are allowed.
+The default allows port 443 only.
+Config entries replace the defaults.
 .It Cm allow Ar address Ns Op / Ns Ar prefix
 Allow connections from
 .Ar address .
diff --git a/thinproxy.c b/thinproxy.c
@@ -159,8 +159,8 @@ static int			nacl;
 
 /* CONNECT port whitelist */
 #define MAX_CONNECT_PORTS	64
-static int			connect_ports[MAX_CONNECT_PORTS];
-static int			nconnect_ports;
+static int			connect_ports[MAX_CONNECT_PORTS] = { 443 };
+static int			nconnect_ports = 1;
 
 /* forward declarations */
 static void	conn_close(struct conn *);
@@ -736,6 +736,7 @@ parse_config(const char *path, int must_exist)
 			}
 			cfg_deny_private = b;
 		} else if (strcasecmp(key, "connect_port") == 0) {
+			static int connect_port_seen;
 			int n = atoi(val);
 			if (n <= 0 || n > 65535) {
 				logmsg(LOG_ERR,
@@ -744,6 +745,10 @@ parse_config(const char *path, int must_exist)
 				fclose(fp);
 				return -1;
 			}
+			if (!connect_port_seen) {
+				nconnect_ports = 0;
+				connect_port_seen = 1;
+			}
 			if (nconnect_ports >= MAX_CONNECT_PORTS) {
 				logmsg(LOG_ERR,
 				    "%s:%d: too many connect_port entries",
diff --git a/thinproxy.conf.example b/thinproxy.conf.example
@@ -30,8 +30,9 @@ port 8080
 # Prevents SSRF by denying RFC 1918, loopback, link-local, etc.
 #deny_private yes
 
-# Restrict CONNECT method to specific ports (default: all ports allowed)
+# Restrict CONNECT method to specific ports (default: 443)
 # When set, CONNECT to unlisted ports is denied with 403.
+# Config entries replace the defaults.
 #connect_port 443
 #connect_port 8443
 
