[squid-users] deny_info and CONNECT for https request gives SSL error
Amish
anon.amish at gmail.com
Tue Oct 16 12:29:24 UTC 2018
Further to this:
I have ssl-bump setup on port 8080.
If I remove ssl-bump squid works just like I mentioned in my earlier e-mail.
> curl -ix 192.168.1.1:8080 https://google.com
HTTP/1.1 307 Temporary Redirect
Server: squid/4.3
Mime-Version: 1.0
Date: Tue, 16 Oct 2018 12:01:41 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Location: http://192.168.1.1/blocked.html
X-Squid-Error: 403 Access Denied
X-Cache: MISS from somehost
X-Cache-Lookup: NONE from somehost:8080
Connection: keep-alive
curl: (56) Received HTTP code 307 from proxy after CONNECT
So then I reactivated ssl-bump and added this at top of squid.conf:
http_port 8080 ssl-bump ...
ssl_bump splice all
i.e. http_port has ssl-bump but squid is not really supposed to bump at all.
But squid still goes ahead and replies with 200 Connection established.
So it means that this is a bug in ssl-bump implementation.
It seems that current algorithm for ssl-bump is:
1) Browser sends CONNECT request
2) Squid sends status 200 Connection Established
3) Check ACL
4) If denied, bump the connection with squid certificate
5) If allowed, go ahead with tunneling / bumping as applicable
In my opinion correct flow should be like this:
1) Browser sends CONNECT request
2) Check ACL
3) If denied, return with 307 (or 302)
4) If allowed, go ahead with tunneling / bumping as applicable
Please test / check,
Thank you,
Amish.
On 16/10/18 5:05 PM, Amish wrote:
> Hello
>
> I have this simplified ACL in squid.conf
>
> acl denyit src all
> deny_info http://192.168.1.1/blocked.html denyit
> http_access deny denyit
>
> The purpose is to block everything and redirect to
> http://192.168.1.1/blocked.html
>
> It works fine with http (non-secure) CONNECT request ...
>
> > curl -ix 192.168.1.1:8080 http://google.com
> HTTP/1.1 302 Found
> Server: squid/4.3
> Mime-Version: 1.0
> Date: Tue, 16 Oct 2018 11:02:05 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 0
> Location: http://192.168.1.1/blocked.html
> X-Squid-Error: 403 Access Denied
> X-Cache: MISS from somehost
> X-Cache-Lookup: NONE from somehost:8080
> Connection: keep-alive
>
> ... but gives certificate error with https CONNECT request.
>
> > curl -ix 192.168.1.1:8080 https://google.com
> HTTP/1.1 200 Connection established
>
> curl: (60) SSL certificate problem: self signed certificate in
> certificate chain
> More details here: https://curl.haxx.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this
> situation and
> how to fix it, please visit the web page mentioned above.
>
>
> I believe this is because squid first gives 200 status and hence
> browser thinks connection is established expects Google's certificate.
>
> Can squid not return with 302/307 on CONNECT HTTPs requests for deny_info?
>
> Like instead of HTTP/1.1 200 Connection established - it returns:
>
> HTTP/1.1 307 Redirect
> Location: http://192.168.1.1/blocked.html
> (...)
>
> RFC 7231 https://tools.ietf.org/html/rfc7231#section-4.3.6 states that:
> Any response other than a successful response
> indicates that the tunnel has not yet been formed and that the
> connection remains governed by HTTP.
>
> which means HTTP/1.1 307 Redirect should make browser treat connection
> as HTTP and hopefully also follow Location.
>
> Any idea? Or any other workaround (except importing squid certificate)
>
> Thanks and regards,
>
> Amish
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20181016/f3c946a4/attachment.html>
More information about the squid-users
mailing list