[squid-users] ssl bump and url_rewrite_program (like squidguard)

Edouard Gaulué edouard at e-gaulue.com
Wed Nov 4 22:55:09 UTC 2015

Hi Marcus,

Well, that's just a URL rewriter program. You can just test it from the 
command line:
echo "URL" | /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf

Before I understood it was possible to specify the redirect code, I got this:
#> echo 
- - GET"|/usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
#> OK 

After a little change in the squidguard.conf, I get:
#> OK status=302 

It's not handled much better by my browser, which shows a "can't connect to 
https://ad.doubleclick.net" message. But I don't get the squid message 
about http/https anymore.

It may be that rewrite_rule_program comes after the peek-and-splice stuff, 
leading squid into an unpredictable situation. Is there a way to change 
the order in which things happen in squid?

Regards, EG

On 04/11/2015 14:10, Marcus Kool wrote:
> You need to know what squidGuard actually sends to Squid.
> squidGuard does not have a debug option for this, so you have to set
>    debug_options ALL,1 61,9
> in squid.conf to see what Squid receives.
> I bet that what Squid receives is what it complains about:
> the URL starts with 'https://http'
> Marcus
> On 11/04/2015 10:55 AM, Edouard Gaulué wrote:
>> On 04/11/2015 11:00, Amos Jeffries wrote:
>>> On 4/11/2015 12:48 p.m., Marcus Kool wrote:
>>>> I suspect that the problem is that you redirect an HTTPS-based URL 
>>>> to an
>>>> HTTP URL and Squid does not like that.
>>>> Marcus
>> To give it a try in that direction, I now redirect to an https server. 
>> And I get:
>> The following error was encountered while trying to retrieve the URL: 
>> https://https/*
>>     *Unable to determine IP address from host name "https"*
>> The DNS server returned:
>>     Name Error: The domain name does not exist.
>> Moreover, this would sometimes lead from an HTTP-based URL to an HTTPS 
>> URL, and I don't know how much squid likes that either.
>>> No it is apparently the fact that the domain name being redirected 
>>> to is
>>> "http".
>>> As in: "http://http/something"
>> I can assure you my rewrite_url looks like 
>> "https://proxyweb.xxxxx.xxxxx/var1=xxxx&...".
>> And this confirms ssl_bump parses this result and takes the left part 
>> before the ":". To play with it, I have also redirected to 
>> "proxyweb.xxxxx.xxxxx:443/var1=xxxx&..." (i.e. I removed the 
>> "https://" and added a
>> ":443") to force the parsing. Then I don't get this message anymore, 
>> but Mozilla goes crazy waiting for the ad.doubleclick.net certificate 
>> and getting the proxyweb.xxxxx.xxxxx one. And of course it
>> breaks my SG configuration and can't be a production solution.
>>> Which brings up the question of why you are using SG to block adverts?
>>> squid.conf:
>>>   acl ads dstdomain .doubleclick.net
>>>   http_access deny ads
>>> Amos
>> I don't use SG specifically to block adverts, I use it to block 90 % 
>> of the web. Here it's just an example with ads, but it could be with 
>> so many other things...
>> I just want to try to make SG and ssl_bump live together.
>> Is it possible to have a rule like "if it has been rewritten then 
>> don't try to ssl_bump"?
>> Regards, EG
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
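The thread turns on what a url_rewrite_program helper actually hands back to Squid: a scheme-less or otherwise malformed target is what produces URLs like "https://http/..." in the error page. The following is an added example, not squidGuard's code and not anything posted in the thread: a minimal helper in Python that speaks the Squid 3.4+ reply syntax ("OK status=302 url=...", "ERR", "BH"), echoes the concurrency channel ID when present, and always returns an absolute, percent-encoded redirect target. The landing page proxyweb.example.net and the blocklist are constructed stand-ins for the elided hostnames in the thread.

```python
#!/usr/bin/env python3
"""Minimal Squid url_rewrite_program helper (constructed example).

Reply syntax is the Squid 3.4+ helper protocol:
  OK status=302 url="https://..."   tell the client to go elsewhere
  ERR                                leave the URL untouched
  BH                                 helper could not process the line
With url_rewrite_children ... concurrency=N, Squid prefixes each request
line with a channel ID that must be echoed back at the start of the reply.
"""
import sys
from urllib.parse import quote, urlsplit

# Hypothetical block page; the real hostname is elided in the thread.
LANDING = "https://proxyweb.example.net/blocked"
# Constructed blocklist, stand-in for a squidGuard destination list.
BLOCKED_DOMAINS = (".doubleclick.net", ".ads.example")


def parse_request(line):
    """Split one helper input line into (channel, url, extras).

    The default url_rewrite_extras is "%>a/%>A %un %>rm myip=%la myport=%lp",
    so a line looks like:
        [channel] URL client_ip/fqdn ident method myip=... myport=...
    """
    fields = line.strip().split()
    if not fields:
        return None, None, []
    channel = None
    if fields[0].isdigit() and len(fields) > 1:  # concurrency channel ID
        channel = fields.pop(0)
    return channel, fields[0], fields[1:]


def is_blocked(url):
    """Match the request host against the (constructed) domain list."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d.lstrip(".") or host.endswith(d) for d in BLOCKED_DOMAINS)


def decide(url):
    """Return the reply body (without channel ID) for one request URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "BH"  # cannot judge what we cannot parse
    if not is_blocked(url):
        return "ERR"  # no rewrite: Squid fetches the original URL
    # Absolute target with its own scheme, and the original URL fully
    # percent-encoded so that its "https://" cannot be re-parsed as a
    # host named "https" or "http" on the Squid side.
    target = f"{LANDING}?url={quote(url, safe='')}"
    return f'OK status=302 url="{target}"'


def reply_for(line):
    """Full reply line for one request line, or None for a blank line."""
    channel, url, _extras = parse_request(line)
    if url is None:
        return None
    body = decide(url)
    return f"{channel} {body}" if channel is not None else body


def main():
    # Squid keeps the helper alive and feeds one request per line.
    for line in sys.stdin:
        out = reply_for(line)
        if out is not None:
            sys.stdout.write(out + "\n")
            sys.stdout.flush()  # Squid blocks until it sees the newline


if __name__ == "__main__":
    main()
```

It can be exercised from the shell exactly the way the thread tests squidGuard, e.g. `echo "https://ad.doubleclick.net/x 192.0.2.10/- - GET" | python3 helper.py`, which prints a single `OK status=302 url="https://proxyweb.example.net/blocked?url=https%3A%2F%2Fad.doubleclick.net%2Fx"` line; an allowed URL prints `ERR`. Whatever reply the helper produces still has to pass through Squid's own URL parser, so `debug_options ALL,1 61,9` remains the way to confirm what Squid actually received.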