[squid-users] ssl bump and url_rewrite_program (like squidguard)

Marcus Kool marcus.kool at urlfilterdb.com
Tue Nov 3 23:48:14 UTC 2015 

I suspect that the problem is that you redirect a HTTPS-based URL to an HTTP URL and Squid does not like that.

Marcus



On 11/03/2015 08:48 PM, Edouard Gaulué wrote:
> Hi community,
>
> I've followed
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit  to
> set my server. It looks really interesting and it's said to be the more
> common configuration.
>
> I often observe (example here withwww.youtube.com) :
> ***************************
> The following error was encountered while trying to retrieve the URL:
> https://http/*
>
>      *Unable to determine IP address from host name "http"*
>
> The DNS server returned:
>
>      Name Error: The domain name does not exist.
> ****************************
>
> This happens while the navigator (Mozilla) is trying to get a frame at
> https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?
>
>
> That's ads so I'm not so fond of it...
>
> But this leads me to the fact I get this behavior each time the site is
> banned by squidguard.
>
> Is there something to do to avoid this behavior? I mean, squidguard
> should send :
>
> *********************************
>    Access denied
>
> Supplementary info     :
> Client address     =     192.168.XXX.XXX
> Client name     =     192.168.XXX.XXX
> User ident     =
> Client group     =     XXXXXXX
> URL     =     https://ad.doubleclick.net/
> Target class     =     ads
>
> If this is wrong, contact your administrator
> **********************************
>
> squidguard is an url_rewrite_program that looks to respect squid
> requirements. Redirect looks like this :
> http://proxyweb.myserver.mydomain/cgi-bin/squidGuard-simple.cgi?clientaddr=...
>
> I've played arround trying to change the redirect URL and it leads me to
> the idea ssl_bump tries to analyse the part until the ":". Is there a way
> to avoid this? Is this just a configuration matter?
>
> Could putting a ssl_bump rule saying "every server that name match "http" or
> "https" should splice" solve the problem?
>
> Regards, EG
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list