[squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL

David Touzeau david at articatech.com
Thu Aug 16 07:34:47 UTC 2018


Thanks Amos for details.

Working like a charm now.

Instead of sending https://192.168.1.122:443/myguard.php?rule-id=0&....

the helper sends 192.168.1.122:443


"url_rewrite_access deny CONNECT" is not a solution because everything uses SSL today (thanks to Google, which wants to encrypt the whole Net and make proxies/firewalls/ICAP unusable), and many porn/malware/hacking/hacked websites use SSL.




-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On behalf of Amos Jeffries
Sent: Thursday, 16 August 2018 03:51
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL

On 16/08/18 11:58, David Touzeau wrote:
> Hi,
> 
>  
> 
> I have written my own url_rewrite helper
> 
>  
> 
> On SSL sites, the helper answers a redirect to a remote denied PHP page.
> 

No, your helper *rewrites* the URL without changing any other properties of the request message. This can be seen clearly in the use of "rewrite-url=" instead of "url=".

The difference is important when it comes to the type of message being processed.

> 
> With HTTP there is no issue, but on SSL there is a different behavior.
> 
> My helper returns
> 
> rewrite-url= https://192.168.1.122:443/myguard.php?rule-id=0&....
> 
> but according to the debug output, Uri.cc understands: host='https', 
> port='443', path=''
> 
> In this case, Squid tries to connect to an "https" machine name and 
> returns a 503.
> 
>  
...
> 
> Did I miss something???
> 

Look at the input received by the helper. HTTPS uses CONNECT requests.
Those messages carry an authority-form URI, not a URL. The above behaviour is what happens when your helper's response is interpreted according to authority-form syntax.

<https://tools.ietf.org/html/rfc7230#section-5.3.3>


You can prevent the SSL-Bump CONNECT messages being sent to the re-writer with:
  url_rewrite_access deny CONNECT

OR,
 you can try to do a proper redirect by having the helper send:
  OK status=302 url=...


The latter *might* work, depending on whether the client handles redirection on CONNECT requests. Browsers don't support anything other than a 200 status. Other clients have a mix of behaviours, so it's somewhat unreliable.

Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
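The point of the thread is that a url_rewrite helper sees two URI forms and must answer in kind: a CONNECT line carries host:port (authority-form), everything else an absolute URL, and a rewrite-url= value is parsed in the form of the request it replaces. The helper below is an added example illustrating that rule; it is not David's helper and not Squid project code. It follows Squid's documented url_rewrite_program line format, assumes the deny page from the thread (the part of its query string after rule-id is elided in the thread, so only rule-id=0 is kept) and uses a constructed denylist and constructed input lines.

```python
"""Squid url_rewrite helper that keeps the reply in the same URI form as the
request it answers.  Added example: not the helper from the thread and not
Squid project code.  Lines follow Squid's url_rewrite_program format:

  request:  [channel-ID] URL client_ip/fqdn user method [key=value ...]
  reply:    [channel-ID] OK|ERR|BH [key=value ...]

A CONNECT request arrives with an authority-form URI (host:port), so a
rewrite-url= for it must be host:port too.  An absolute URL in that slot is
read as authority-form, which is the host='https', port='443' failure the
thread describes.
"""
import sys
from urllib.parse import urlsplit

# Assumed values: the deny page from the thread (rest of its query string is
# elided there) and a constructed denylist for this demo.
DENY_PAGE = "https://192.168.1.122:443/myguard.php?rule-id=0"
DENY_AUTHORITY = "192.168.1.122:443"
BLOCKED_HOSTS = {"bad.example"}


def parse_request(line):
    """Split one helper input line into its fields.

    The leading channel-ID is only present when url_rewrite_children is
    configured with concurrency; a URL is never digits only, so a leading
    all-digit token can safely be taken as the channel-ID.
    """
    fields = line.strip().split()
    channel = fields.pop(0) if fields and fields[0].isdigit() else None
    if len(fields) < 4:
        raise ValueError("malformed helper line: %r" % line)
    url, client, user, method = fields[:4]
    extras = dict(kv.split("=", 1) for kv in fields[4:] if "=" in kv)
    return {"channel": channel, "url": url, "client": client,
            "user": user, "method": method, "extras": extras}


def uri_form(method):
    """CONNECT carries an authority-form URI (RFC 7230 section 5.3.3);
    every other method reaches a forward proxy in absolute-form."""
    return "authority" if method == "CONNECT" else "absolute"


def request_host(url, form):
    """Extract the host the request is really for, in either URI form."""
    if form == "authority":
        host, sep, _port = url.rpartition(":")
        host = host if sep else url          # tolerate a missing port
        return host.strip("[]").lower()      # IPv6 literals are bracketed
    return (urlsplit(url).hostname or "").lower()


def rewrite_form_ok(method, target):
    """The check the thread is about: a rewrite-url= value must be in the
    same URI form as the request it replaces."""
    if method == "CONNECT":
        return "://" not in target and "/" not in target and ":" in target
    return "://" in target


def build_reply(req):
    """Decide the reply for one parsed request.

    ERR tells Squid to leave the URL unchanged; OK rewrite-url= replaces it
    without changing anything else about the request.
    """
    form = uri_form(req["method"])
    if request_host(req["url"], form) in BLOCKED_HOSTS:
        target = DENY_AUTHORITY if form == "authority" else DENY_PAGE
        if not rewrite_form_ok(req["method"], target):
            raise ValueError("rewrite target %r does not match %s form"
                             % (target, form))
        result = "OK rewrite-url=" + target
    else:
        result = "ERR"
    return (req["channel"] + " " if req["channel"] else "") + result


def handle_line(line):
    """One input line in, one reply line out (without the trailing newline)."""
    return build_reply(parse_request(line))


def main():
    # Squid waits for one reply per request, so flush after every line.
    for line in sys.stdin:
        try:
            reply = handle_line(line)
        except ValueError:
            reply = "BH"    # helper failure; in concurrent mode echo the channel-ID
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Rewriting the authority of a CONNECT, as in the fix reported at the top of the thread, means the client's TLS handshake now reaches 192.168.1.122 while the client still validates the certificate against the hostname it originally asked for, so the deny page is only seen cleanly when that mismatch is handled (for instance by a bumping proxy issuing the certificate). The raised ValueError in build_reply is the guard that would have caught the original absolute-URL reply before Squid parsed it as host='https'.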


