[squid-users] ssl bump and url_rewrite_program (like squidguard)

Marcus Kool marcus.kool at urlfilterdb.com
Thu May 4 11:43:47 UTC 2017 

Hi Edouard,

To block GET https://www.example.com/foo.html and to pass CONNECT www,example.com you need
a) squid with ssl-bump in peek+bump mode
b) ufdbGuard

ufdbGuard can skip the CONNECT and waits for the GET request
which can be blocked without browser errors.

Since ssl-bump is not easy it is recommended to do this in two steps:
a) make sure that Squid with ssl-bump works fine,
b) then add ufdbGuard.

Marcus


On 04/05/17 06:03, Edouard Gaulué wrote:
> Hi community,
>
> Any news about this?
>
> I've tried 3.5.25 but still observe this behaviour.
>
> I understand it well since I read: https://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
>
> But how to let the CONNECT request succeed and later block/redirect next HTTP request coming through this established connection tunnel?
>
> Best Regards,
>
> Le 03/11/2015 à 23:48, Edouard Gaulué a écrit :
>> Hi community,
>>
>> I've followed
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit  to
>> set my server. It looks really interesting and it's said to be the more
>> common configuration.
>>
>> I often observe (example here withwww.youtube.com) :
>> ***************************
>> The following error was encountered while trying to retrieve the URL:
>> https://http/*
>>
>>     *Unable to determine IP address from host name "http"*
>>
>> The DNS server returned:
>>
>>     Name Error: The domain name does not exist.
>> ****************************
>>
>> This happens while the navigator (Mozilla) is trying to get a frame at
>> https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?
>>
>>
>> That's ads so I'm not so fond of it...
>>
>> But this leads me to the fact I get this behavior each time the site is
>> banned by squidguard.
>>
>> Is there something to do to avoid this behavior? I mean, squidguard
>> should send :
>>
>> *********************************
>>   Access denied
>>
>> Supplementary info     :
>> Client address     =     192.168.XXX.XXX
>> Client name     =     192.168.XXX.XXX
>> User ident     =
>> Client group     =     XXXXXXX
>> URL     =     https://ad.doubleclick.net/
>> Target class     =     ads
>>
>> If this is wrong, contact your administrator
>> **********************************
>>
>> squidguard is an url_rewrite_program that looks to respect squid
>> requirements. Redirect looks like this :
>> http://proxyweb.myserver.mydomain/cgi-bin/squidGuard-simple.cgi?clientaddr=...
>>
>> I've played arround trying to change the redirect URL and it leads me to
>> the idea ssl_bump tries to analyse the part until the ":". Is there a way
>> to avoid this? Is this just a configuration matter?
>>
>> Could putting a ssl_bump rule saying "every server that name match "http" or
>> "https" should splice" solve the problem?
>>
>> Regards, EG
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list