[squid-users] Fwd: Https blocked sites getting ssl error , with connection abruptly ending - Peek and splice feature
bandeep2000
bandeep2000 at gmail.com
Fri Jan 25 17:18:51 UTC 2019
Hi Everyone,
I have configured a Squid proxy with HTTPS whitelisted sites using the SSL bump
peek-and-splice feature in transparent mode.
Although non-whitelisted sites are getting blocked, it is not graceful:
the client gets an 'SSL connect error' and no 403 message (using curl). For HTTP, it is
working fine, with Access Denied and a 403 HTTP error code.
Using ssl_bump 'terminate all' seems to abruptly stop the connection, and this
might cause issues in our application.
Is there a way to terminate the connection gracefully with an Access Denied message
(with a 403 error code), just like it does for HTTP?
*Non Whitelisted site error:*
curl -I https://nba.com
*curl: (35) SSL connect error*
*http non whitelisted site:*
[c5278791@ban-squid-client22 ~]$ curl -I http://nba.com
HTTP/1.1 403 Forbidden
Server: squid/3.5.28
Mime-Version: 1.0
Date: Fri, 25 Jan 2019 17:01:38 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3574
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from squid
Via: 1.1 squid (squid/3.5.28)
Connection: keep-alive
*https whitelisted site works fine:*
curl -I https://cnn.com
HTTP/1.1 301 Moved Permanently
Server: Varnish
Retry-After: 0
Content-Length: 0
Cache-Control: public, max-age=600
Location: https://www.cnn.com/
Accept-Ranges: bytes
Date: Fri, 25 Jan 2019 17:00:08 GMT
Via: 1.1 varnish
Connection: close
Set-Cookie: countryCode=US; Domain=.cnn.com; Path=/
Set-Cookie: geoData=mountain view|CA|94043|US|NA; Domain=.cnn.com; Path=/
X-Served-By: cache-sea1038-SEA
X-Cache: HIT
X-Cache-Hits: 0
*Squid.conf Details:*
visible_hostname squid
cache deny all
#Handling HTTP requests
http_port 3128 intercept
acl allowed_http_sites dstdomain .amazonaws.com .bbc.com
#acl allowed_http_sites dstdomain [you can add other domains to permit]
http_access allow allowed_http_sites
#Handling HTTPS requests
https_port 3130 cert=/etc/pki/tls/certs/squidCA.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com .cnn.com .yahoo.com .bbc.com
#acl allowed_https_sites ssl::server_name [you can add other domains to permit]
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump splice allowed_https_sites
#ssl_bump peek step2 all
ssl_bump terminate all
http_access deny all
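As an added illustration (not from the original post and not Squid's own code), the Python script below simulates how the ssl_bump rules in the squid.conf above are evaluated step by step for a given SNI, and records what the client ends up observing for each final action. It makes two labelled assumptions: ssl::server_name patterns follow Squid's dstdomain convention (a leading dot matches the domain and all of its subdomains, no leading dot means an exact match), and the server name is unknown at SslBump1 and only becomes available from SslBump2 once the ClientHello has been peeked. The trace makes the behaviour in the post visible: a non-whitelisted name falls through to `terminate`, and because no TLS session with the client ever exists at that point there is no channel on which an HTTP 403 could be written, which is why curl reports error 35 instead.

```python
# Added example (not from the squid-users post or from Squid itself): a small
# simulator for the ssl_bump rule set quoted above.  Assumptions, labelled here:
#  - ssl::server_name patterns use dstdomain matching (leading dot = domain and
#    all subdomains; no leading dot = exact match);
#  - at SslBump1 only TCP-level info exists, so the server name is unknown there;
#    peeking reads the ClientHello and the SNI is available from SslBump2 on.

from typing import Dict, List, Optional, Tuple

# Domains from the posted "acl allowed_https_sites ssl::server_name ..." line.
ALLOWED_HTTPS_SITES: List[str] = [".amazonaws.com", ".cnn.com", ".yahoo.com", ".bbc.com"]

# ACL name -> (type, argument), mirroring the posted acl lines.
ACLS: Dict[str, Tuple[str, object]] = {
    "step1": ("at_step", 1),
    "step2": ("at_step", 2),
    "step3": ("at_step", 3),
    "allowed_https_sites": ("server_name", ALLOWED_HTTPS_SITES),
    "all": ("all", None),
}

# The active ssl_bump lines in file order (the commented-out "peek step2 all" is omitted).
SSL_BUMP_RULES: List[Tuple[str, str]] = [
    ("peek", "step1"),
    ("splice", "allowed_https_sites"),
    ("terminate", "all"),
]

# What the client observes for each final action (constructed descriptions).
CLIENT_OUTCOME: Dict[str, str] = {
    "splice": "TLS completes end-to-end with the origin; HTTP is answered by the origin",
    "terminate": "connection closed before any TLS session exists: curl: (35) SSL connect error",
    "bump": "Squid finishes TLS with a generated certificate and can then send an HTTP 403 "
            "(only works if the client trusts the squidCA certificate)",
}


def domain_acl_matches(pattern: str, host: str) -> bool:
    """Match one dstdomain-style pattern against a host name (case-insensitive)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acl_name: str, step: int, server_name: Optional[str]) -> bool:
    """Evaluate one named ACL for the current SslBump step and known server name."""
    kind, arg = ACLS[acl_name]
    if kind == "all":
        return True
    if kind == "at_step":
        return step == arg
    if kind == "server_name":
        return server_name is not None and any(domain_acl_matches(p, server_name) for p in arg)
    raise ValueError(f"unsupported acl type {kind}")


def decide(step: int, server_name: Optional[str]) -> str:
    """First-match evaluation of the ssl_bump rules at a given SslBump step."""
    for action, acl_name in SSL_BUMP_RULES:
        if acl_matches(acl_name, step, server_name):
            return action
    # The posted rule set always matches ("terminate all"); Squid's own default for an
    # unmatched rule set is deliberately not modelled here.
    raise RuntimeError("no ssl_bump rule matched")


def simulate(sni: Optional[str]) -> List[Tuple[int, str]]:
    """Walk the SslBump steps for one connection; 'peek' continues, any other action is final."""
    trace: List[Tuple[int, str]] = []
    for step in (1, 2, 3):
        known_name = None if step == 1 else sni  # SNI only available after the peek
        action = decide(step, known_name)
        trace.append((step, action))
        if action != "peek":
            break
    return trace


def client_outcome(sni: Optional[str]) -> str:
    """Describe what the client sees for the final action of the simulated handshake."""
    return CLIENT_OUTCOME[simulate(sni)[-1][1]]


if __name__ == "__main__":
    for name in ("www.cnn.com", "nba.com", None):  # None: ClientHello without SNI
        print(f"{name!s:12} {simulate(name)} -> {client_outcome(name)}")
```

Running it prints a `peek` at step 1 for every connection, then `splice` for `www.cnn.com` and `terminate` for `nba.com` (and for a ClientHello with no SNI at all, which the `terminate all` rule also catches); only the `bump` row in the outcome table corresponds to a state in which Squid holds a TLS session with the client and could emit an HTTP error page.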
*Squid version:*
squid -v
Squid Cache: Version *3.5.28*
Service Name: squid
This binary uses OpenSSL 1.0.1e-fips 11 Feb 2013. For legal restrictions on
distribution see https://www.openssl.org/source/license.html
configure options: '--prefix=/usr' '--includedir=/usr/include'
'--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid'
'--localstatedir=/var' '--sysconfdir=/etc/squid'
'--with-logdir=/var/log/squid' '--with-openssl' '--enable-ssl-crtd'
--enable-ltdl-convenien
*OS version:*
cat /etc/redhat-release
CentOS release 6.10 (Final)
Thanks,
-Bandeep