[squid-users] deny_info and CONNECT for https request gives SSL error

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 17 05:07:30 UTC 2018


On 17/10/18 3:15 PM, Amish wrote:
> 
> My proposal would be to add a "-n" (nobump) option to deny_info.
> 
> If -n is specified then squid will send 307 directly instead of 200.
> 
> Case 1)
> deny_info http://192.168.1.1/blocked.html denyit
> 
> Return with 200 and bump it (existing behaviour)
> 
> Case 2)
> deny_info 3xx:http://192.168.1.1/blocked.html denyit
> 
> Return with 200 and bump it (existing behaviour)
> 
> Case 3)
> deny_info -n http://192.168.1.1/blocked.html denyit
> 
> Return with 307 Temporary Redirect and Location: header
> 
> Case 4)
> deny_info -n 302:http://192.168.1.1/blocked.html denyit
> 
> Return with 302 Found and Location: header.
> 
> Cases 1 and 2 above are applicable only to sslbump cases.
> 
> For non-sslbump it already behaves as 3) and 4) above.
> 
> 
> This would not change anything for existing users who want existing
> behaviour.
> 
> But allow people like me to *NOT* bump connection when deny_info is
> activated.
> 

IMO the deny_info is very much the wrong place to be making such
decisions. Its purpose is to supply the *content* of the denial message
itself. Nothing about how that message gets delivered.

If anything this would be an additional ssl-bump option on the port line
to say that traffic is not really being ssl-bump'ed despite the presence
of the ssl-bump setting.

So think about that - why bother putting "ssl-bump" on the port in the
first place if the behaviour that option enables is not wanted to ever
happen?

If your purpose is simply to convert port 443 traffic into HTTP CONNECT
for upstream software to receive, there is other far simpler and more
efficient software to be using for that, httptunnel being the popular one.

Amos

