[squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL
Amos Jeffries
squid3 at treenet.co.nz
Thu Aug 16 10:14:45 UTC 2018
On 16/08/18 19:34, David Touzeau wrote:
> Thanks Amos for details.
>
> Working like a charm now.
>
> Instead of sending https://192.168.1.122:443/myguard.php?rule-id=0&....
>
> Helper sends 192.168.1.122:443
>
That is only useful if the server at that IP:port can present the client
with a TLS certificate valid for the server the client thinks it is
connected to. ie all the SSL-Bump equivalent logics are in that server.
In which case there is likely no point to having the traffic NAT'ed to
Squid. Just have your NAT and/or routing send it directly into that server.
>
> " url_rewrite_access deny CONNECT" is not a solution because, everything using SSL today ( thanks to Google that wants to encrypt all the Net and make proxies/Firewall/ICAP unusable ) and many Porn/Malwares/Hacking/Hacked websites using SSL.
>
If you are SSL-Bump'ing in Squid then you need to not rewrite the
initial CONNECT message (or two) - doing so will interfere the server
which bumping is interacting with.
IIRC the at_step ACL type can be used in the *_access rules as well to
skip ("deny CONNECT foo") the helper query until the ssl_bump processing
is expected to be completed.
Amos
More information about the squid-users
mailing list