[squid-users] ssl bump and url_rewrite_program (like squidguard)

Edouard Gaulué listes at e-gaulue.com
Tue Mar 10 09:53:02 UTC 2020


Hi all,

I know it's an old subject, but I'm coming back to it as I moved my old proxy 
server to Debian Buster.

I now have a 4.10 version from git.

Here are my latest tests regarding this subject:
  * Using c-icap for virus detection works well. I mean, if I download a 
virus from an HTTPS server like 
https://www.blablasecurity.com/wp-content/downloads/eicar_com.zip, I get 
redirected to the squidclamav CGI page (even if it is HTTP, I mean HTTPS 
redirects to HTTP).
  * url_rewrite_program with squidguard using a basic configuration 
works well with all non-HTTPS requests. With HTTPS, it shows a Squid 
error: *Unable to determine IP address from host name "http"*
  * url_rewrite_program with squidguard that is not triggered by the 
CONNECT method (through this configuration: url_rewrite_access deny 
CONNECT) but by the subsequent one gives a 404 coming from the remote 
site. In the log, you see Squid get the redirection from the 
url_rewrite_program, but in the end it forges a request to the remote 
HTTPS site with a GET content of the redirection.

So c-icap manages to handle it well but url_rewrite_program doesn't.

Is there any new option since 3.4.8 that I could try, to manage it as 
well as the c-icap redirection?

Best regards, Edouard


On 04/05/2017 at 11:03, Edouard Gaulué wrote:
> Hi community,
>
> Any news about this?
>
> I've tried 3.5.25 but still observe this behaviour.
>
> I understand it well since I read: 
> https://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
>
> But how to let the CONNECT request succeed and later block/redirect 
> next HTTP request coming through this established connection tunnel?
>
> Best Regards,
>
> On 03/11/2015 at 23:48, Edouard Gaulué wrote:
>> Hi community,
>>
>> I've followed
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit to
>> set up my server. It looks really interesting and it's said to be the most
>> common configuration.
>>
>> I often observe (example here with www.youtube.com):
>> ***************************
>> The following error was encountered while trying to retrieve the URL:
>> https://http/*
>>
>>     *Unable to determine IP address from host name "http"*
>>
>> The DNS server returned:
>>
>>     Name Error: The domain name does not exist.
>> ****************************
>>
>> This happens while the browser (Mozilla) is trying to get a frame at
>> https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386? 
>>
>>
>> That's ads so I'm not so fond of it...
>>
>> But this leads me to the fact I get this behavior each time the site is
>> banned by squidguard.
>>
>> Is there something to do to avoid this behavior? I mean, squidguard
>> should send:
>>
>> *********************************
>>   Access denied
>>
>> Supplementary info     :
>> Client address     =     192.168.XXX.XXX
>> Client name     =     192.168.XXX.XXX
>> User ident     =
>> Client group     =     XXXXXXX
>> URL     =     https://ad.doubleclick.net/
>> Target class     =     ads
>>
>> If this is wrong, contact your administrator
>> **********************************
>>
>> squidguard is a url_rewrite_program that looks to respect squid
>> requirements. The redirect looks like this:
>> http://proxyweb.myserver.mydomain/cgi-bin/squidGuard-simple.cgi?clientaddr=... 
>>
>>
>> I've played around trying to change the redirect URL and it leads me to
>> the idea that ssl_bump tries to analyse the part until the ":". Is there a
>> way to avoid this? Is this just a configuration matter?
>>
>> Could putting a ssl_bump rule saying "every server whose name matches
>> "http" or "https" should splice" solve the problem?
>>
>> Regards, EG
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
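
The helper exchange discussed in this thread, as an added example that is not part of the original messages and is not squidGuard's code: a minimal url_rewrite_program helper that answers ERR (no change) for CONNECT lines, whose URL field is host:port, and returns a 302 only for requests that carry a full URL. It assumes Squid's default url_rewrite_extras line layout without concurrency; the blocked host and block-page URL are constructed.

```python
#!/usr/bin/env python3
"""Sketch of a Squid url_rewrite_program helper (added example)."""
import sys
from urllib.parse import quote, urlsplit

# Constructed values, not taken from the thread.
BLOCKED_HOSTS = {"ads.example.net"}
BLOCK_PAGE = "http://blockpage.example/denied"


def answer(line: str) -> str:
    """Return the helper reply for one request line from Squid.

    Assumed line layout (default url_rewrite_extras, no channel-ID):
        URL client_ip/fqdn ident method [key=value ...]
    """
    fields = line.split()
    if len(fields) < 4:
        return 'BH message="short input line"'
    url, client, _ident, method = fields[:4]
    if method == "CONNECT":
        # The URL field is "host:port", not a full URL; leave tunnel
        # requests unchanged instead of substituting an http:// URL.
        return "ERR"
    host = (urlsplit(url).hostname or "").lower()
    if host in BLOCKED_HOSTS:
        client_ip = client.split("/")[0]
        target = (f"{BLOCK_PAGE}?url={quote(url, safe='')}"
                  f"&client={quote(client_ip)}")
        # status=302 asks Squid to send a redirect to the client rather
        # than fetch a rewritten URL itself.
        return f'OK status=302 url="{target}"'
    return "ERR"  # no change


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(answer(line.rstrip("\n")) + "\n")
        sys.stdout.flush()  # Squid waits for one reply line per request


if __name__ == "__main__":
    main()
```
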
