[squid-users] ssl bump and url_rewrite_program (like squidguard)

Edouard Gaulué listes at e-gaulue.com
Tue Mar 10 11:43:58 UTC 2020 

Hi,

Sorry for the noise. In fact, it works. It's just squid couldn't connect 
to the local cgi page (while it could for squidclamav), and then did its 
best that was rather strange.

I confirm "url_rewrite_access deny CONNECT" works like a charm to avoid 
redirection during connection establishment and squid getting mad.

Best regards,

Le 10/03/2020 à 10:53, Edouard Gaulué a écrit :
> Hi all,
>
> I know it's an old subject but I come back on it as I moved my old 
> proxy server to Debian Buster.
>
> I now have a 4.10 version from git.
>
> Here are my last tests regarding this subject :
>  * Using c-icap for virus detection works well. I mean if I download a 
> virus from an HTTPS server like 
> https://www.blablasecurity.com/wp-content/downloads/eicar_com.zip, I 
> get redirected to the squidclamav cgi page (even if it is HTTP, I mean 
> HTTPS redirect to HTTP).
>  * url_rewrite_program with squidguard using a basic configuration 
> works well with all non-HTTPS request. With HTTPS, it shows a SQUID 
> error : *Unable to determine IP address from host name "http"*
>  * url_rewrite_program with squidguard that is not triggered by the 
> CONNECT method (through this configuration: url_rewrite_access deny 
> CONNECT) but by the subsequent one gives a 404 coming from the remote 
> site. In the log, you see squid get the redirection from the 
> url_rewrite_program but at the end it forges a request to the remote 
> HTTPS site with a GET content of the redirection.
>
> So c-icap manages to handle it well but url_rewrite_program doesn't.
>
> Is there any new option since 3.4.8, that I could try to manage it as 
> good as c-icap redirection?
>
> Best regards, Edouard
>
>
> Le 04/05/2017 à 11:03, Edouard Gaulué a écrit :
>> Hi community,
>>
>> Any news about this?
>>
>> I've tried 3.5.25 but still observe this behaviour.
>>
>> I understand it well since I read: 
>> https://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
>>
>> But how to let the CONNECT request succeed and later block/redirect 
>> next HTTP request coming through this established connection tunnel?
>>
>> Best Regards,
>>
>> Le 03/11/2015 à 23:48, Edouard Gaulué a écrit :
>>> Hi community,
>>>
>>> I've followed
>>> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit  
>>> to
>>> set my server. It looks really interesting and it's said to be the more
>>> common configuration.
>>>
>>> I often observe (example here withwww.youtube.com) :
>>> ***************************
>>> The following error was encountered while trying to retrieve the URL:
>>> https://http/*
>>>
>>>     *Unable to determine IP address from host name "http"*
>>>
>>> The DNS server returned:
>>>
>>>     Name Error: The domain name does not exist.
>>> ****************************
>>>
>>> This happens while the navigator (Mozilla) is trying to get a frame at
>>> https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386? 
>>>
>>>
>>> That's ads so I'm not so fond of it...
>>>
>>> But this leads me to the fact I get this behavior each time the site is
>>> banned by squidguard.
>>>
>>> Is there something to do to avoid this behavior? I mean, squidguard
>>> should send :
>>>
>>> *********************************
>>>   Access denied
>>>
>>> Supplementary info     :
>>> Client address     =     192.168.XXX.XXX
>>> Client name     =     192.168.XXX.XXX
>>> User ident     =
>>> Client group     =     XXXXXXX
>>> URL     =     https://ad.doubleclick.net/
>>> Target class     =     ads
>>>
>>> If this is wrong, contact your administrator
>>> **********************************
>>>
>>> squidguard is an url_rewrite_program that looks to respect squid
>>> requirements. Redirect looks like this :
>>> http://proxyweb.myserver.mydomain/cgi-bin/squidGuard-simple.cgi?clientaddr=... 
>>>
>>>
>>> I've played arround trying to change the redirect URL and it leads 
>>> me to
>>> the idea ssl_bump tries to analyse the part until the ":". Is there 
>>> a way
>>> to avoid this? Is this just a configuration matter?
>>>
>>> Could putting a ssl_bump rule saying "every server that name match 
>>> "http" or
>>> "https" should splice" solve the problem?
>>>
>>> Regards, EG
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list