[squid-users] deny_info and CONNECT for https request gives SSL error

Amish anon.amish at gmail.com
Tue Oct 16 16:01:54 UTC 2018



On 16/10/18 9:05 PM, Alex Rousskov wrote:
> On 10/16/2018 06:29 AM, Amish wrote:
>
>> In my opinion correct flow should be like this:
>>
>> 1) Browser sends CONNECT request
>> 2) Check ACL
>> 3) If denied, return with 307 (or 302)
>> 4) If allowed, go ahead with tunneling / bumping as applicable
> Unfortunately, that ideal sequence does not work well in practice
> because popular browsers ignore CONNECT responses other than HTTP 200
> and 407. As a consequence, if you want to redirect "secure" browser
> traffic, Squid has to bump it first.
>
>
> HTH,
>
> Alex.

No, that's not correct.

The thing is that squid behaves differently for two exactly the same CONNECT 
requests, the only difference being ssl-bump.

Case 1:
http_port 8080 #no ssl-bump
acl denyit src all
deny_info http://192.168.1.1/blocked.html denyit
http_access deny denyit

 > curl -ix 192.168.1.1:8080 https://google.com
HTTP/1.1 307 Temporary Redirect
Server: squid/4.3
Mime-Version: 1.0
Date: Tue, 16 Oct 2018 12:01:41 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Location: http://192.168.1.1/blocked.html
X-Squid-Error: 403 Access Denied
X-Cache: MISS from somehost
X-Cache-Lookup: NONE from somehost:8080
Connection: keep-alive


Notice that squid is indeed responding with a code other than 200 or 407 
for a CONNECT and HTTPS request.

So what you said does not seem to be correct.

Case 2:
http_port 8080 ssl-bump ...
acl denyit src all
deny_info http://192.168.1.1/blocked.html denyit
http_access deny denyit

 > curl -ix 192.168.1.1:8080 https://google.com
HTTP/1.1 200 Connection established

curl: (60) SSL certificate problem: self signed certificate in 
certificate chain
...



Case 1: Browser gives "Proxy connection refused" (or similar error).
Case 2: Browser gives "SSL certificate error".

Case 1 - Browser at least makes it clear to the end user that this is 
something that the proxy is not allowing.
Case 2 - End user would be clueless on why the SSL error? He will never know 
that it's blocked by the proxy.

To me, case 1 is the more appropriate response.

Please give a thought,

Thank you,

Amish.
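Added illustration, not part of the thread above: a small Python probe that sends a raw CONNECT to a proxy and classifies the reply the way the two cases in this post differ. It embeds constructed copies of the case 1 (307 with Location and X-Squid-Error) and case 2 (200 Connection established) responses so the parser can be exercised offline; the host/port values in the live-probe comment are placeholders taken from the post, not a real deployment.

```python
import socket
from dataclasses import dataclass
from typing import Optional

# Constructed sample replies, modelled on the two cases in the post
# (CRLF line endings added; the post shows only the rendered header lines).
CASE1_NO_BUMP = (
    b"HTTP/1.1 307 Temporary Redirect\r\n"
    b"Server: squid/4.3\r\n"
    b"Mime-Version: 1.0\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"Content-Length: 0\r\n"
    b"Location: http://192.168.1.1/blocked.html\r\n"
    b"X-Squid-Error: 403 Access Denied\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)
CASE2_SSL_BUMP = b"HTTP/1.1 200 Connection established\r\n\r\n"


@dataclass
class ConnectVerdict:
    status: int
    reason: str
    location: Optional[str]
    squid_error: Optional[str]

    @property
    def tunnel_established(self) -> bool:
        # Only a 200 reply means the proxy opened the tunnel; anything else
        # is a decision made at the CONNECT stage, before any TLS happens.
        return self.status == 200

    def describe(self) -> str:
        if self.tunnel_established:
            return ("tunnel established (200): any proxy decision will only be "
                    "visible inside the TLS session, e.g. as a certificate error "
                    "when the bump CA is not trusted")
        where = f" -> {self.location}" if self.location else ""
        err = f" ({self.squid_error})" if self.squid_error else ""
        return f"denied at CONNECT: {self.status} {self.reason}{where}{err}"


def parse_connect_response(raw: bytes) -> ConnectVerdict:
    """Parse the status line and headers of a CONNECT reply; the body is ignored."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"bad status line: {lines[0]!r}")
    status = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return ConnectVerdict(status, reason,
                          headers.get("location"), headers.get("x-squid-error"))


def probe_connect(proxy_host: str, proxy_port: int, target: str,
                  target_port: int = 443, timeout: float = 5.0) -> ConnectVerdict:
    """Send a raw CONNECT to a proxy and classify its reply (needs network access)."""
    request = (f"CONNECT {target}:{target_port} HTTP/1.1\r\n"
               f"Host: {target}:{target_port}\r\n\r\n").encode()
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        # Read only up to the end of the header block; a 200 reply is followed
        # by the raw tunnel, which we must not consume here.
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_connect_response(buf)


if __name__ == "__main__":
    for label, raw in (("no ssl-bump", CASE1_NO_BUMP), ("ssl-bump", CASE2_SSL_BUMP)):
        print(f"{label}: {parse_connect_response(raw).describe()}")
    # Live check against your own proxy (placeholder address from the post):
    # print(probe_connect("192.168.1.1", 8080, "google.com").describe())
```

Running the script prints the two classifications; pointing probe_connect at a real proxy tells you, per listening port, whether a blocked HTTPS destination is refused at the CONNECT stage (what the browser can explain) or only after a tunnel has been opened (where the user sees a TLS error instead).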

