<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
I suggest the order is important and must be:<br>
<br>
ssl_bump terminate blocked_https<br>
deny_info <a class="moz-txt-link-freetext" href="http://www.example.com">http://www.example.com</a> blocked_https<br>
<br>
28.03.16 11:59, Alexandr Yatskin wrote:<br>
<span style="white-space: pre;">> Directive "deny_info" didn't work when we blocked an https site with the "ssl_bump" option.<br>
> Maybe there is another method?<br>
><br>
> --------------------------------------------------------------------<br>
> acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt"<br>
> acl step1 at_step SslBump1<br>
> ssl_bump peek step1<br>
><br>
> deny_info <a class="moz-txt-link-freetext" href="http://www.example.com">http://www.example.com</a> blocked_https<br>
> ssl_bump terminate blocked_https<br>
> --------------------------------------------------------------------<br>
><br>
><br>
> 25.03.2016 17:14, Yuri Voinov wrote:<br>
>><br>
> # TAG: deny_info<br>
> # Usage: deny_info err_page_name acl<br>
> # or deny_info <a class="moz-txt-link-freetext" href="http://">http://</a>... acl<br>
> # or deny_info TCP_RESET acl<br>
> #<br>
> # This can be used to return a ERR_ page for requests which<br>
> # do not pass the 'http_access' rules. Squid remembers the last<br>
> # acl it evaluated in http_access, and if a 'deny_info' line exists<br>
> # for that ACL Squid returns a corresponding error page.<br>
> #<br>
> # The acl is typically the last acl on the http_access deny line which<br>
> # denied access. The exceptions to this rule are:<br>
> # - When Squid needs to request authentication credentials. It's then<br>
> # the first authentication related acl encountered<br>
> # - When none of the http_access lines matches. It's then the last<br>
> # acl processed on the last http_access line.<br>
> # - When the decision to deny access was made by an adaptation service,<br>
> # the acl name is the corresponding eCAP or ICAP service_name.<br>
> #<br>
> # NP: If providing your own custom error pages with error_directory<br>
> # you may also specify them by your custom file name:<br>
> # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys<br>
> #<br>
> # By default Squid will send "403 Forbidden". A different 4xx or 5xx<br>
> # may be specified by prefixing the file name with the code and a colon.<br>
> # e.g. 404:ERR_CUSTOM_ACCESS_DENIED<br>
> #<br>
> # Alternatively you can tell Squid to reset the TCP connection<br>
> # by specifying TCP_RESET.<br>
> #<br>
> # Or you can specify an error URL or URL pattern. The browsers will<br>
> # get redirected to the specified URL after formatting tags have<br>
> # been replaced. Redirect will be done with 302 or 307 according to<br>
> # HTTP/1.1 specs. A different 3xx code may be specified by prefixing<br>
> # the URL. e.g. 303:<a class="moz-txt-link-freetext" href="http://example.com/">http://example.com/</a><br>
> #<br>
> # URL FORMAT TAGS:<br>
> # %a - username (if available. Password NOT included)<br>
> # %B - FTP path URL<br>
> # %e - Error number<br>
> # %E - Error description<br>
> # %h - Squid hostname<br>
> # %H - Request domain name<br>
> # %i - Client IP Address<br>
> # %M - Request Method<br>
> # %o - Message result from external ACL helper<br>
> # %p - Request Port number<br>
> # %P - Request Protocol name<br>
> # %R - Request URL path<br>
> # %T - Timestamp in RFC 1123 format<br>
> # %U - Full canonical URL from client<br>
> # (HTTPS URLs terminate with *)<br>
> # %u - Full canonical URL from client<br>
> # %w - Admin email from squid.conf<br>
> # %x - Error name<br>
> # %% - Literal percent (%) code<br>
> #<br>
> #Default:<br>
> # none<br>
><br>
> ?<br>
><br>
> 25.03.16 16:15, Alexandr Yatskin wrote:<br>
> > Hello everyone!<br>
><br>
> > How to redirect users to an "Access Denied" page when they go to blocked https sites?<br>
><br>
> > Now users can only see this error: "ERR_CONNECTION_CLOSED".<br>
><br>
><br>
><br>
> > There are several lines from our config:<br>
><br>
> > ------------------------------------------<br>
><br>
> > acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt"<br>
><br>
> > ssl_bump terminate blocked_https<br>
><br>
> > ------------------------------------------<br>
><br>
> > Thanks in advance.<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > _______________________________________________<br>
><br>
> > squid-users mailing list<br>
><br>
> > <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
><br>
> > <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
></span><br>
<br>
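A small check for the configuration discussed in this thread, added here as an example and not part of the original messages: it reads a squid.conf fragment and reports deny_info entries whose ACL is never the last ACL on an "http_access deny" line, which is where the quoted documentation says deny_info is looked up.<br>
The function names are constructed for illustration, the sample configuration is copied from the quoted message, and the documented exceptions (authentication, no matching line, adaptation services) are not modelled.<br>

```python
# Constructed sample: the configuration quoted in the thread above.
SAMPLE_CONF = '''\
acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
deny_info http://www.example.com blocked_https
ssl_bump terminate blocked_https
'''


def directives(conf):
    """Yield token lists for each non-empty, non-comment squid.conf line."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            yield line.split()


def lint_deny_info(conf):
    """Return findings for deny_info ACLs that no http_access deny line ends with."""
    deny_info = {}        # ACL name -> error page name or URL
    last_on_deny = set()  # ACLs that are last on an "http_access deny" line
    terminated = set()    # ACLs named on an "ssl_bump terminate" line
    for tok in directives(conf):
        name, args = tok[0], tok[1:]
        if name == 'deny_info' and len(args) >= 2:
            deny_info[args[-1]] = args[0]
        elif name == 'http_access' and len(args) >= 2 and args[0] == 'deny':
            last_on_deny.add(args[-1].lstrip('!'))
        elif name == 'ssl_bump' and len(args) >= 2 and args[0] == 'terminate':
            terminated.update(a.lstrip('!') for a in args[1:])
    findings = []
    for acl, target in deny_info.items():
        if acl in last_on_deny:
            continue
        why = 'is not the last ACL on any "http_access deny" line'
        if acl in terminated:
            why += ' and is used by "ssl_bump terminate"'
        findings.append(f'deny_info {target} {acl}: {acl} {why}')
    return findings


if __name__ == '__main__':
    for finding in lint_deny_info(SAMPLE_CONF):
        print(finding)
```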
</body>
</html>