[squid-users] URL Rewrite for https via Squidguard

Yuri Voinov yvoinov at gmail.com
Sat Jan 9 19:43:33 UTC 2016




10.01.16 1:36, Marcus Kool wrote:
>
>
> On 01/09/2016 09:49 AM, Darren wrote:
>> Hi
>>
>> Thanks Marcus
>>
>> I have been hacking my own branch of Squidguard so I can add support for the SNI (I hope)
>>
>> How would I get the peek SNI output to the url_rewriter?
>
> using  url_rewrite_extras
>
>> I am a bit of a peek newcomer.
>>
>> Sounds like there is some hope and a possible way forward.
This is not for a newcomer, Marcus ;)
>>
>> regards
>>
>> Darren B.
>>
>>>
>>> On 9/01/2016 5:46:36 PM, Marcus Kool <marcus.kool at urlfilterdb.com> wrote:
>>>
>>>
>>>
>>> On 01/09/2016 05:07 AM, Darren wrote:
>>> > Hi
>>> >
>>> > I am trying to hack squidguard to allow me to redirect users attempts to connect to blocked https enabled sites.
>>> >
>>> > Some sites are allowed and the bulk are not. Currently I can see the Connect details being handed to SG for processing and if I change this to return a redirect to make it point to a different server
>>> > it breaks and gives me an SSL error (as would be expected)
>>>
>>> indeed, "as expected"...
>>> The HTTP protocol supports redirection of a URL by sending a 30x status code back to the browser.
>>> HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is inside the channel and
>>> explicitly is designed not to be tampered with. So redirecting a channel to another website
>>> always will cause a certificate error, unless ...
>>> 1) one uses ssl-bump
>>> 2) installs the Squid fake CA certificate in all browsers
>>> 3) one has a policy for the other protocols (e.g. Skype) that use CONNECT
>>>
>>> > Is there a way I can get this redirection call to squidguard to happen earlier in squid before it gets this far down the CONNECT process? Or is there something that I can return from Squidguard that
>>> > would make this work? I notice that the connect attempts are always just the IP address, so something earlier in the processing is doing a reverse DNS lookup, is this the Browser or Squid and if so
>>> > can I get in earlier during the process?
>>>
>>> The above implies that you use Squid in interception mode where it initially can only see the IP address of the server.
>>> In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a. the FQDN) and then the SNI/FQDN can be used in ACLs inside Squid and any URL redirector that can cope with the SNI
>>> parameter. Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 1.32 _can_ and will be released in February.
>>>
>>> Marcus
>>>
>>> >
>>> > I want to maintain the various lists in just squidguard and not put in ACLs in squid.conf
>>> >
>>> > thanks
>>> >
>>> > Darren B.
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
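The approach Marcus sketches above (peek at step1, hand the SNI to the rewriter through url_rewrite_extras) as an added example helper; this is not code from the thread, from squidGuard or from ufdbGuard. The squid.conf fragment, the `%ssl::>sni` format code, the `sni=` key name, the allow-list and the block-page URL are all assumptions.

```python
#!/usr/bin/env python3
"""Squid url_rewrite helper that decides on the peeked TLS SNI.

Assumed squid.conf fragment (not from the thread; %ssl::>sni is assumed
to be a valid format code in the Squid version in use):
    ssl_bump peek step1
    ssl_bump splice all
    url_rewrite_program /usr/local/bin/sni_rewrite.py
    url_rewrite_children 5 concurrency=10
    url_rewrite_extras "%>a/%>A %un %>rm sni=%ssl::>sni"
"""
import sys

# Constructed allow-list; any other SNI is sent to a block page.
ALLOWED_SNI = {"example.com", "www.example.com", "updates.example.org"}
BLOCK_PAGE = "https://blockpage.example.net/blocked"  # placeholder URL

def parse_request(line):
    """Split one request line into (channel, url, extras dict).

    Wire format: [channel-ID] URL client/fqdn user method key=value ...
    The channel-ID is only present when concurrency>0 is configured.
    """
    tokens = line.strip().split()
    channel = None
    if len(tokens) > 1 and tokens[0].isdigit():
        channel = tokens.pop(0)
    url = tokens.pop(0)
    extras = dict(t.split("=", 1) for t in tokens if "=" in t)
    return channel, url, extras

def decide(line):
    """Return the one-line response Squid expects for a request line."""
    channel, _url, extras = parse_request(line)
    sni = extras.get("sni", "-").lower()   # Squid sends "-" when unknown
    if sni == "-" or sni in ALLOWED_SNI:
        verdict = "OK"                      # pass the request unchanged
    else:
        # The 302 only reaches the user if the connection is bumped and
        # the Squid CA is trusted; on a spliced CONNECT the client sees
        # the certificate error described in the thread.
        verdict = "OK status=302 url=%s" % BLOCK_PAGE
    return ("%s %s" % (channel, verdict)) if channel else verdict

if __name__ == "__main__":
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()                  # helpers must not buffer
```

For intercepted traffic the URL field is just `ip:443`, as Darren observed, which is why the decision keys on the `sni=` extra rather than on the URL.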



