[squid-users] "ACCESS DENIED" page by ssl_bump terminate

Yuri Voinov yvoinov at gmail.com
Mon Mar 28 12:30:18 UTC 2016


I suggest the order is important and must be:

ssl_bump terminate blocked_https
deny_info http://www.example.com blocked_https

28.03.16 11:59, Alexandr Yatskin wrote:
> Directive "deny_info" didn't work when we blocked https site with option "ssl_bump".
> Maybe, is there another method?
>
> --------------------------------------------------------------------
> acl blocked_https ssl::server_name  "/etc/squid/blocked_https.txt"
> acl step1 at_step SslBump1
> ssl_bump peek step1
>
> deny_info http://www.example.com blocked_https
> ssl_bump terminate blocked_https
> --------------------------------------------------------------------
>
>
> 25.03.2016 17:14, Yuri Voinov wrote:
>>
> #  TAG: deny_info
> #    Usage:   deny_info err_page_name acl
> #    or       deny_info http://... acl
> #    or       deny_info TCP_RESET acl
> #
> #    This can be used to return a ERR_ page for requests which
> #    do not pass the 'http_access' rules.  Squid remembers the last
> #    acl it evaluated in http_access, and if a 'deny_info' line exists
> #    for that ACL Squid returns a corresponding error page.
> #
> #    The acl is typically the last acl on the http_access deny line which
> #    denied access. The exceptions to this rule are:
> #    - When Squid needs to request authentication credentials. It's then
> #      the first authentication related acl encountered
> #    - When none of the http_access lines matches. It's then the last
> #      acl processed on the last http_access line.
> #    - When the decision to deny access was made by an adaptation service,
> #      the acl name is the corresponding eCAP or ICAP service_name.
> #
> #    NP: If providing your own custom error pages with error_directory
> #        you may also specify them by your custom file name:
> #        Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
> #
> #    By default Squid will send "403 Forbidden". A different 4xx or 5xx
> #    may be specified by prefixing the file name with the code and a colon.
> #    e.g. 404:ERR_CUSTOM_ACCESS_DENIED
> #
> #    Alternatively you can tell Squid to reset the TCP connection
> #    by specifying TCP_RESET.
> #
> #    Or you can specify an error URL or URL pattern. The browsers will
> #    get redirected to the specified URL after formatting tags have
> #    been replaced. Redirect will be done with 302 or 307 according to
> #    HTTP/1.1 specs. A different 3xx code may be specified by prefixing
> #    the URL. e.g. 303:http://example.com/
> #
> #    URL FORMAT TAGS:
> #        %a    - username (if available. Password NOT included)
> #        %B    - FTP path URL
> #        %e    - Error number
> #        %E    - Error description
> #        %h    - Squid hostname
> #        %H    - Request domain name
> #        %i    - Client IP Address
> #        %M    - Request Method
> #        %o    - Message result from external ACL helper
> #        %p    - Request Port number
> #        %P    - Request Protocol name
> #        %R    - Request URL path
> #        %T    - Timestamp in RFC 1123 format
> #        %U    - Full canonical URL from client
> #              (HTTPS URLs terminate with *)
> #        %u    - Full canonical URL from client
> #        %w    - Admin email from squid.conf
> #        %x    - Error name
> #        %%    - Literal percent (%) code
> #
> #Default:
> # none
>
> ?
>
> 25.03.16 16:15, Alexandr Yatskin wrote:
> > Hello everyone!
> > How do I redirect users to an "Access Denied" page when they go to blocked https sites?
> > Now users can only see this error: "ERR_CONNECTION_CLOSED".
> >
> > There are several lines from our config:
> > ------------------------------------------
> > acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt"
> > ssl_bump terminate blocked_https
> > ------------------------------------------
> > Thanks in advance.
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > http://lists.squid-cache.org/listinfo/squid-users



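The deny_info documentation quoted in the thread describes the directive as applying to requests that do not pass the http_access rules. As an added example (not code from the thread or from Squid), this Python check parses deny_info lines in the documented forms and lists those whose ACL is named on no `http_access deny` line; the function names are hypothetical and the sample config is constructed from the lines quoted above.

```python
import re

# Constructed sample: the squid.conf lines quoted in the thread.
SAMPLE_CONF = """\
acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
deny_info http://www.example.com blocked_https
ssl_bump terminate blocked_https
"""

def parse_deny_info(line):
    """Return (status, kind, target, acl) for a deny_info line, else None."""
    words = line.split()
    if len(words) != 3 or words[0] != "deny_info":
        return None
    target, acl = words[1], words[2]
    status = None
    prefixed = re.match(r"([3-5]\d\d):(.+)$", target)  # e.g. 404:ERR_X, 303:http://...
    if prefixed:
        status, target = int(prefixed.group(1)), prefixed.group(2)
    if target == "TCP_RESET":
        kind = "reset"
    elif re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", target):
        kind = "redirect"
    else:
        kind = "error_page"
    return status, kind, target, acl

def http_access_deny_acls(conf):
    """ACL names (leading '!' dropped) used on any 'http_access deny' line."""
    names = set()
    for line in conf.splitlines():
        words = line.split()
        if words[:2] == ["http_access", "deny"]:
            names.update(w.lstrip("!") for w in words[2:])
    return names

def deny_info_without_http_access(conf):
    """deny_info entries whose ACL is on no http_access deny line.

    Looser than the documented rule (the *last* ACL on the denying line), and
    it does not know about the authentication or eCAP/ICAP exceptions.
    """
    denied = http_access_deny_acls(conf)
    entries = (parse_deny_info(line) for line in conf.splitlines())
    return [e for e in entries if e and e[3] not in denied]

if __name__ == "__main__":
    for status, kind, target, acl in deny_info_without_http_access(SAMPLE_CONF):
        print(f"deny_info {target} ({kind}): ACL '{acl}' is on no http_access deny line")
```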