[squid-users] ssl-bump does not redirect to block page

Alex Rousskov rousskov at measurement-factory.com
Wed Feb 13 15:08:26 UTC 2019


On 2/12/19 11:22 PM, leomessi983 at yahoo.com wrote:

> Actually I don't understand if it could be done or not!!

And I do not know what you mean by "it" here.

* Can Squid send a blocking error page to an HTTPS client? Yes.

* Will the browser show that error page to the user without any
additional warnings or questions if you do not install your CA
certificate in the browser? No.

* Does installing your CA certificate in the browser guarantee that the
browser will display the error page without any additional warnings or
questions? No; there are other factors at play here such as certificate
pinning. Installing your CA certificate is necessary but may not be
sufficient in some cases.


> can you show me the correct configuration for blocking HTTPS requests
> with showing access denied page to clients?!

AFAICT, you already have the correct Squid configuration for blocking
HTTPS requests. In fact, your previous email appears to confirm that
your clients are getting the blocking response from Squid!

AFAICT, your current problem is that you want users to see that blocking
response as if it came from the origin server -- without any additional
browser questions or warnings. For that, you have to install your CA
certificate in client browsers (but, again, that may not be sufficient
in some cases).

Alex.
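
A squid.conf fragment for the setup discussed in this message, added here as an example; it is not the original poster's configuration and not taken from Alex's reply. The port, file path, ACL name and blocked domain are assumptions, and tls-cert= is the Squid 4 spelling (Squid 3.5 uses cert=).

```conf
# Added example; every path, port and domain below is an assumption.

# Explicit-proxy port with SslBump enabled. The PEM file holds the local
# signing CA certificate and its private key. Squid uses it to mint the
# per-host certificates it presents to clients on bumped connections.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Sites to block. The deny rule must appear before any broader
# "http_access allow" rule, because http_access stops at the first match.
acl blocked_sites dstdomain .blocked.example
http_access deny blocked_sites

# Error page returned for the denied requests. ERR_ACCESS_DENIED is
# already the default; it is named here to make the behaviour explicit.
deny_info ERR_ACCESS_DENIED blocked_sites

# Peek at the TLS client hello first, then bump. The error page can only
# reach an HTTPS client inside a TLS session that Squid itself terminates.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Client side (not a Squid setting): the certificate Squid presents for
# blocked.example chains to the CA in bump-ca.pem, not to a public CA.
# Import the CA *certificate only* (never the private key) into each
# client's trust store. Without it, the browser shows a certificate
# warning instead of, or before, the error page. With it, the page is
# usually shown, but factors such as certificate pinning can still
# cause a warning.
```

Running "squid -k parse" checks the file for syntax errors before a reload.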

