[squid-users] url_rewrite_program, sslbump and CONNECT = broken redirect page?
Amish
anon.amish at gmail.com
Tue Mar 19 09:45:52 UTC 2019
Hello,
I have a perfectly working SSL bump setup (via proxy CONNECT requests)
except when a site is blocked.
I have a rewrite program which blocks say foo.com.
Roughly it does this:
HTTP - non secure
STDIN: GET http://foo.com
STDOUT: rewrite-url="http://127.0.0.1/blocked"
Above works fine as expected, the page is fetched and shown.
But now if it is a CONNECT (https) request:
STDIN: CONNECT foo.com:443
STDOUT: rewrite-url="http://127.0.0.1/blocked"
Then instead of fetching the above page it tries to fetch "CONNECT
http:443" and returns ERR_DNS_FAIL page.
The problem code begins here: (client_side_request.cc)
https://github.com/squid-cache/squid/blob/master/src/client_side_request.cc#L1261
which leads to: (AnyP::Uri parse() function)
https://github.com/squid-cache/squid/blob/master/src/anyp/Uri.cc#L211
which treats CONNECT request differently than what is documented.
It finds the domain as something colon number, and it looks like it
ignores the urlpath completely.
So in my case it becomes http:443.
And hence redirection breaks.
How do I convert CONNECT requests over ssl bump to GET
http://127.0.0.1/blocked
This exact issue was reported earlier too in 2015 but the person who
reported it probably couldn't locate the exact reason and the bug went
unnoticed.
http://lists.squid-cache.org/pipermail/squid-users/2015-August/005170.html
Regards
Amish.
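
The mismatch described in the post, as an added example that is not part of the original message and not Squid's code: a simplified model of reading a CONNECT target as "something colon number", plus a lint for helper replies in the STDIN/STDOUT format shown above. The function names, the regular expressions and the default port of 443 are assumptions made for illustration.

```python
import re

# Simplified model of the behaviour the post describes for CONNECT targets:
# read "something", an optional ":number", and ignore whatever follows.
# Not Squid's code; the default port of 443 is an assumption chosen to
# match the "http:443" result reported in the post.
_LOOSE = re.compile(r"^(?P<host>\[[^\]]+\]|[^:/\s]+)(?::(?P<port>\d+))?")

# Strict authority-form: host:port and nothing else.
_STRICT = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(\d{1,5})$")

def parse_connect_target(target, default_port=443):
    """Return (host, port) the way the loose CONNECT parse would read it."""
    m = _LOOSE.match(target)
    if not m:
        raise ValueError("no host in %r" % target)
    port = int(m.group("port")) if m.group("port") else default_port
    return m.group("host"), port

def rewrite_fits_method(method, rewritten):
    """True if the rewritten value has the form the method's parser expects."""
    if method.upper() != "CONNECT":
        # Non-CONNECT requests carry an absolute URL with a scheme.
        return re.match(r"^[a-z][a-z0-9+.-]*://", rewritten, re.I) is not None
    m = _STRICT.match(rewritten)
    return bool(m) and 0 < int(m.group(2)) <= 65535

def lint_helper_reply(request_line, reply):
    """Check one helper STDIN/STDOUT pair and explain any mismatch."""
    method = request_line.split()[0]
    m = re.search(r'rewrite-url="([^"]+)"', reply)
    if not m:
        return "no-rewrite"
    url = m.group(1)
    if rewrite_fits_method(method, url):
        return "ok"
    host, port = parse_connect_target(url)
    return "mismatch: CONNECT target would be read as %s:%d" % (host, port)

if __name__ == "__main__":
    # Constructed pairs mirroring the two cases in the post.
    reply = 'rewrite-url="http://127.0.0.1/blocked"'
    for line in ("GET http://foo.com", "CONNECT foo.com:443"):
        print(line, "->", lint_helper_reply(line, reply))
```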