[squid-users] ssl bump and url_rewrite_program (like squidguard)
marcus.kool at urlfilterdb.com
Wed Nov 4 13:10:09 UTC 2015
You need to know what squidGuard actually sends to Squid.
squidGuard does not have a debug option for this, so you have to set
debug_options ALL,1 61,9
in squid.conf to see what Squid receives.
I bet that what Squid receives, is what it complains about:
the URL starts with 'https://http'
On 11/04/2015 10:55 AM, Edouard Gaulué wrote:
> Le 04/11/2015 11:00, Amos Jeffries a écrit :
>> On 4/11/2015 12:48 p.m., Marcus Kool wrote:
>>> I suspect that the problem is that you redirect a HTTPS-based URL to an
>>> HTTP URL and Squid does not like that.
> To give it a try in that direction I now redirect to an https server. And I get :
> The following error was encountered while trying to retrieve the URL: https://https/*
> *Unable to determine IP address from host name "https"*
> The DNS server returned:
> Name Error: The domain name does not exist.
> Moreover this would leads sometimes to HTTP-based URL to an HTTPS URL and I don't know how much squid likes it either.
>> No it is apparently the fact that the domain name being redirected to is
>> As in:"http://http/something"
> I can assure my rewrite_url looks like "https://proxyweb.xxxxx.xxxxx/var1=xxxx&...".
> And this confirm ssl_bump parse this result and get the left part before the ":". To play with, I have also redirect to "proxyweb.xxxxx.xxxxx:443/var1=xxxx&..." (ie. I removed the "https://" and add a
> ":443") to force the parsing. Then I don't get this message anymore, but Mozilla gets crazy waiting for the ad.doubleclick.net certificate and getting the proxyweb.xxxxx.xxxxx one. And of course it
> breaks my SG configuration and can't be production solution.
>> Which brings up the question of why you are using SG to block adverts?
>> acl ads dstdomain .doubleclick.net
>> http_access deny ads
> I don't use SG to specificaly block adverts, I use it to block 90 % of the web. Here it's just an example with ads but it could be with so much other things...
> I just want to try make SG and ssl_bump live together.
> Is this possible to have a rule like "if it has been rewrite then don't try to ssl_bump"?
> Regards, EG
> squid-users mailing list
> squid-users at lists.squid-cache.org
More information about the squid-users