[squid-users] url_rewrite_program shows IP addresses instead of domain name when rewriting SSL/HTTPS
Moataz Elmasry
zaza1851983ml at googlemail.com
Tue Jul 5 22:48:10 UTC 2016
Hi all,
I'm trying to create a kind of captive portal where only my domain and
Google Play are whitelisted and other addresses (http/https) are forwarded
to my domain.
All http requests are landing fine in the url_rewrite program, while the
https requests appear as only the IP address but not the DNS name. I'm
aware of http://wiki.squid-cache.org/Features/SslPeekAndSplice and
especially the note that during ssl_bump no DNS name is available yet and
instead one should be using the acl ssl::server_name directive, but for
some reason no https address is being sent to my url_rewrite program.
The same SSL certificate used on my domain is also being used with squid at
https_port.
I'm using squid 3.5.20 compiled manually with the following directives:
./configure \
--prefix=/usr \
--exec-prefix=/usr \
--includedir=/usr/include \
--datadir=${prefix}/share/squid \
--libdir=/usr/lib64 \
--libexecdir=${prefix}/lib/squid \
--localstatedir=/var \
--sysconfdir=/etc/squid \
--sharedstatedir=/var/lib \
--with-logdir=/var/log/squid \
--with-pidfile=/var/run/squid.pid \
--with-default-user=proxy \
--enable-silent-rules \
--enable-dependency-tracking \
--with-openssl \
--enable-ssl \
--enable-icmp \
--enable-delay-pools \
--enable-useragent-log \
--enable-esi \
--enable-ssl-crtd \
--enable-follow-x-forwarded-for \
--enable-storeid-rewrite-helpers \
--enable-external-acl-helpers
Here's my squid.conf:
"
pinger_enable off
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
acl http dstdomain play.google.com mydomain.com
acl https ssl::server_name play.google.com mydomain.com
http_access allow http
http_access allow https
url_rewrite_program /bin/bash -c -l /etc/squid/redirect.bash
url_rewrite_access allow all !http
url_rewrite_access allow all !https
sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
http_access allow all
http_port 3127
http_port 3128 intercept
https_port 3129 intercept cert=mycert.cert key=mykey.key ssl-bump intercept generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE cafile=Intermediate.crt
always_direct allow all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump splice localhost
ssl_bump splice https
ssl_bump peek step1
ssl_bump peek all
coredump_dir /var/cache/squid
"
So any idea why no https URLs are being redirected to the url_rewrite
program?
Any alternative solution is also very much welcome.
Regards
Moataz
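
Added example (not part of the original post, and not the poster's redirect.bash): a minimal url_rewrite helper that recognises the intercepted-HTTPS case described above, where the request arrives as a CONNECT to `IP:443` with no hostname to compare against the whitelist. The portal URL, the `serve` argument, the function names and the sample request lines are assumptions; the input layout assumes Squid's default url_rewrite_extras and no helper concurrency.

```shell
#!/bin/sh
# Added example, not the poster's redirect.bash.
# Squid 3.4+ helper protocol without concurrency (no channel-ID):
#   in : URL client_ip/fqdn user method myip=<ip> myport=<port>
#   out: ERR (leave unchanged) | OK status=302 url="<target>" (redirect)
PORTAL="http://mydomain.com/"            # assumed portal landing URL
ALLOWED="play.google.com mydomain.com"   # whitelist taken from the post

# Host part of "scheme://host[:port]/path" or CONNECT-style "host:port".
# IPv4 and names only; bracketed IPv6 literals are not handled.
url_host() {
  h=${1#*://}; h=${h%%/*}; h=${h%%:*}
  printf '%s\n' "$h"
}

# Rough IPv4-literal check: only digits and dots, exactly three dots.
is_ip_literal() {
  case "$1" in
    ""|*[!0-9.]*|*.*.*.*.*) return 1 ;;
    *.*.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Exact-match lookup in the whitelist.
is_allowed() {
  for d in $ALLOWED; do
    if [ "$1" = "$d" ]; then return 0; fi
  done
  return 1
}

# Reply for one request line. Runs in a subshell so variables stay local.
decide() (
  set -f; set -- $1          # split the line into fields, no globbing
  host=$(url_host "$1"); method=${4:-}
  if [ "$method" = "CONNECT" ] && is_ip_literal "$host"; then
    # Intercepted TLS before any name is known: nothing to match on here.
    echo "no hostname for $1; decide with ssl::server_name ACLs" >&2
    echo "ERR"
  elif is_allowed "$host"; then
    echo "ERR"
  else
    echo "OK status=302 url=\"$PORTAL\""
  fi
)

# Main loop, one reply per request line; only entered when run as "serve".
if [ "${1:-}" = "serve" ]; then
  while IFS= read -r line; do decide "$line"; done
fi
```

The stderr line written for the IP-only CONNECT case makes it easy to confirm from the Squid logs that the helper is being called without a server name.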