[squid-users] ssl bump and url_rewrite_program (like squidguard)
edouard at e-gaulue.com
Wed Nov 4 12:55:22 UTC 2015
Le 04/11/2015 11:00, Amos Jeffries a écrit :
> On 4/11/2015 12:48 p.m., Marcus Kool wrote:
>> I suspect that the problem is that you redirect a HTTPS-based URL to an
>> HTTP URL and Squid does not like that.
To give it a try in that direction I now redirect to an https server.
And I get :
The following error was encountered while trying to retrieve the URL:
*Unable to determine IP address from host name "https"*
The DNS server returned:
Name Error: The domain name does not exist.
Moreover this would leads sometimes to HTTP-based URL to an HTTPS URL
and I don't know how much squid likes it either.
> No it is apparently the fact that the domain name being redirected to is
> As in:"http://http/something"
I can assure my rewrite_url looks like
And this confirm ssl_bump parse this result and get the left part before
the ":". To play with, I have also redirect to
"proxyweb.xxxxx.xxxxx:443/var1=xxxx&..." (ie. I removed the "https://"
and add a ":443") to force the parsing. Then I don't get this message
anymore, but Mozilla gets crazy waiting for the ad.doubleclick.net
certificate and getting the proxyweb.xxxxx.xxxxx one. And of course it
breaks my SG configuration and can't be production solution.
> Which brings up the question of why you are using SG to block adverts?
> acl ads dstdomain .doubleclick.net
> http_access deny ads
I don't use SG to specificaly block adverts, I use it to block 90 % of
the web. Here it's just an example with ads but it could be with so much
I just want to try make SG and ssl_bump live together.
Is this possible to have a rule like "if it has been rewrite then don't
try to ssl_bump"?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the squid-users