[squid-users] Problems with HTTPS on Squid

Antony Stone Antony.Stone at squid.open.source.it
Mon Jul 12 18:23:02 UTC 2021


On Monday 12 July 2021 at 20:12:03, Marcio B. wrote:

> I have the following problem on my Squid 4.6 on Debian 10.
> 
> Squid does not redirect the user to the error page when blocking an HTTPS
> url. On HTTP it works correctly.

Short answer - it can't.

Longer answer - browser requests https://thing.example.com

Squid won't allow connection to thing.example.com, and wants to send the 
browser to an error page instead.

The error page cannot possibly have the correct certificate for 
https://thing.example.com (because that's signed by some genuine CA), so the 
browser won't accept the error page as being valid.

Squid cannot even send an HTTP 302 redirect back to the browser, because that 
also is HTTPS content, and would need to have the correct certification for the 
browser to accept it and follow the redirect.

So, what you want is understandable, but not possible.

The only option I can think of is to add a CA certificate to all your browsers, 
and get Squid (somehow; sorry, I don't know how) to issue either a redirect or 
a substitute web page, claiming to be the original web server, and with a 
certificate signed by that CA that your browsers now trust.

I suspect that involves transparent interception, but someone might know how / 
whether it can be done.


Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

                                                   Please reply to the list;
                                                         please *don't* CC me.
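
The approach sketched in the reply above (a private CA trusted by the browsers, with Squid presenting a certificate signed by it) corresponds to Squid's SSL-Bump feature. The squid.conf fragment below is an added example, not part of the original post; it assumes a Squid build with OpenSSL support (`--with-openssl --enable-ssl-crtd`), and the file paths, ACL names and blocked domain are assumptions.

```conf
# Added example, not from the original post.
# Paths, ACL names and the blocked domain are assumptions.

# Explicit-proxy port with SSL-Bump enabled. proxyCA.pem holds the private
# CA certificate and key; the CA certificate (never the key) must be
# installed as a trusted root in every client browser.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/ssl/proxyCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host certificates signed by the CA above.
# Initialise its database once before starting Squid:
#   security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Blocked site, matched two ways: by the TLS SNI seen while peeking,
# and by the destination domain of the request.
acl blocked_tls ssl::server_name .thing.example.com
acl blocked_dom dstdomain .thing.example.com
acl step1 at_step SslBump1

# Step 1: read the ClientHello (SNI) without committing to a decision.
ssl_bump peek step1
# Blocked sites only: terminate TLS at Squid with a minted certificate,
# so the error page travels inside a session the browser accepts.
ssl_bump bump blocked_tls
# Everything else: tunnel untouched, no decryption.
ssl_bump splice all

# The block rule itself. It must appear before any http_access allow
# rule that would otherwise match these clients.
http_access deny blocked_dom
```

Only traffic to the blocked domain is decrypted here; all other HTTPS sessions are spliced through unmodified. The CA private key on the proxy can mint a certificate for any site the browsers visit, so it needs the same protection as any other root key.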

