<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
text-align:right;
direction:rtl;
unicode-bidi:embed;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
text-align:right;
direction:rtl;
unicode-bidi:embed;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Hey Michael,<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Well I have not tested FreeBSD dependencies and patches and I am not following them daily.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>The issue itself with SquidGuard and the url_rewrite interface is more of an issue in most cases with CONNECT requests as you mentioned.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Since you are not using ssl_bump then you need to deny the traffic\requests in a way that will not leave squid or the clients and the session in an unknown or unexpected situation.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>When the url_rewrite interface is used to "Deny" something it's not really denying but rather "rewriting" something due to it's nature.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>On regular plain http requests some mangling to the request(affecting the response) is possible but when handling CONNECT requests it's a whole new story.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>We don't know how the client will respond to a malformed response or squid to a malformed rewritten request, and it is possible that the client will expect a specific 50x\40x response code.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>The external_acl interface was built as an ACL extension with the basic ability to overcome the limits of the url_rewrite interface.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Content or url filtering is an ACL level operation and not url rewriting\mangling and there for it is better(in squid) to do it in a way that the client can identify(30x).<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>The best possible way to deny such a connection(CONNECT) is using a 50x or 40x code.<br>I do not remember which one is accepted better by browsers and clients and you will be able to find it yourself easily adding couple lines or using the scripts I wrote before.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>And more directly to the subject, I will say that if these network "issues" are might be because of any squid side of wrongly handling CONNECT requests that was mangled with a url_rewrite.<br>I would say that these specific cases is the proof of the wrongly used interface.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>The url_rewrite might contain a bug when handling a CONNECT request but the bug is that it is handling these connections at all and not otherwise.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>My suggestion is that you would try to see if you can use something like that:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>## START<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>url_rewrite_program /usr/local/bin/squidGuard url_rewrite_children 8<span dir=RTL></span><span dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span> </span>startup=4 idle=4 concurrency=0<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>url_rewrite_access deny CONNECT<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>url_rewrite_access allow all<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>## END<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>And add another external_acl helper with the wrapper I gave you without any special deny_info for the ACL.<br>Squid will be able to handle these probably fine and will deny the connections using some right access deny code(don't expect fancy warning pages without using some level of ssl_bump).<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>I do not know if you need a fast solution or you are planning carefully with the available options.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>The options are to either use a "fast" solution to mitigate an annoying issue or to find the right path.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>The solution to either of the options is in your hands..<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>If for your squidGuard setup offers you the right solution from all the right aspects despite to the fact that it's working slower then other solutions then it is the solution for you!!<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>The technology of black and white listing was enhanced in the last decade but not too drastically.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>The basic concept is that there are query and analysis components which are not forced to be one software.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>There will always be false positives to this or another way but some categorizing systems are much stricter and sensitive about the subject then others.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>All this leaving aside the sources of the lists you and since only you have a definition of the wanted\desired results with the available options.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>You also stated that you have some funding issues, but just as a side note: the wanted result is eventually forcing the final product of work and the expense(any if at all).<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>I mean with these words that if you do not care about false positives and using some product satisfy the desire or need then I think it's ok for your case.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>I will add that from my tests there are different results to basic pages\objects loading\access speed when using one software or another, and\or one protocol\interface or another.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Here if you need more help\advice handling the situation.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Eliezer<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>----<o:p></o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Eliezer Croitoru<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Linux System Administrator<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Mobile: +972-5-28704261<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Email: eliezer@ngtech.co.il<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>-----Original Message-----<br>From: michail.pappas@gmail.com [mailto:michail.pappas@gmail.com] On Behalf Of reqman<br>Sent: Wednesday, June 15, 2016 2:19 PM<br>To: Eliezer Croitoru<br>Cc: squid-users@lists.squid-cache.org<br>Subject: Re: [squid-users] HTTPS issues with squidguard after upgrading from squid 2.7 to 3.5</p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Hello Eliezer,<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>2016-06-15 11:45 GMT+03:00 Eliezer Croitoru <<a href="mailto:eliezer@ngtech.co.il"><span style='color:windowtext;text-decoration:none'>eliezer@ngtech.co.il</span></a>>:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Hey Michael,<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> I am missing couple details about the setup which might affect the way we would be able to understand what is causing the issue and how to resolve it.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> There are changes from squid 2.7 to 3.5 and to my opinion these are mandatory to resolve and to not go one step back.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Yes, I saw that 3.5 effectively disabled/obsoleted/deactivated various options. I believe I took care in following through those requirements.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> What version of SquidGuard 1.4 did you installed? The patched for squid 3.4+ compatibility?<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>I installed a ready to use package from FreeBSD. I presume that is is ok with squid 3.4, according to its dependencies:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span> # pkg query "%do%dv" squidGuard<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>www/squid3.5.19<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>databases/db55.3.28_3<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Other information for squidGuard:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span># pkg info squidGuard<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>squidGuard-1.4_15<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Name : squidGuard<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Version : 1.4_15<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Installed on : Mon May 30 08:24:17 2016 EEST<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Origin : www/squidguard<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Architecture : freebsd:10:x86:64<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Prefix : /usr/local<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Categories : www<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Licenses : GPLv2<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Maintainer : <a href="mailto:garga@FreeBSD.org"><span style='color:windowtext;text-decoration:none'>garga@FreeBSD.org</span></a><o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>WWW : <a href="http://www.squidguard.org/"><span style='color:windowtext;text-decoration:none'>http://www.squidguard.org/</span></a><o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Comment : Fast redirector for squid<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Options :<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'> DNS_BL : off<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'> DOCS : on<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'> EXAMPLES : on<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'> LDAP : off<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'> QUOTE_STRING : off<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'> STRIP_NTDOMAIN : off<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Shared Libs required:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'> libdb-5.3.so.0<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Annotations :<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'> repo_type : binary<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'> repository : FreeBSD<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Flat size : 2.24MiB<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> More details about it here: <o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> <a href="http://bugs.squid-cache.org/show_bug.cgi?id=3978"><span style='color:windowtext;text-decoration:none'>http://bugs.squid-cache.org/show_bug.cgi?id=3978</span></a><o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Now if it is indeed patched and works as expected it from the 3.4+ computability level of things then lets move on.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Checking the bug and if I understand correctly, if my squidGuard was not patched then it wouldn't work. This is not the case. It works ok for http urls, ie blocks fine and the user is correctly redirected to the block page setup for this purpose. It's HTTPS I'm having issues<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>with: according to some talks, if something gets blocked by squidguard, something is miscommunicated (or not communicated at all) with squid. Instead of a block, the users waits endlessly for the page.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> Are you using Squid in intercept\transparent\trpoxy mode or is it defined in the browsers directly?<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> If you are using intercept mode, what have you defined on the FreeBSD pf\ipfw?<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>Squid operates in normal mode. I've configured a 10year old proxy autodiscovery script, which is published through DHCP. All browsers are set to configure everything automatically.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> And about the quote from the mailing list:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> SquidGuard was written to operate under the url_rewrite interface\protocol and not external_acl.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>I've lost you here: why do I need squidGuard to operate under external_acl? Can't I leave it running with url_rewrite?<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> Due to this it has some disadvantages and the advised details are to modify the helper(SquidGuard or another) to operate in another way.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> It is possible to use the patched version of SquidGuard under the external_acl interface and use squid options to deny\redirect the request.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>I saw your other email, but I again have to ask. My own squidguard "seems" to work. What are the merits of doing things with external_acl instead of the way I am doing things right now?<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> It removes some things from the complexity of the issue.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> I have just written an example on how to use use my software SquidBlocker under external_acl and here the adapted example that can be used with a patched SquidGuard:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> ## START OF SETTINGS<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> external_acl_type filter_url ipv4 concurrency=0 ttl=3 %URI %SRC/- <o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> %LOGIN %METHOD /usr/local/bin/squidGuard url_rewrite_children acl <o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> filter_url_acl external filter_url deny_info <o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> <a href="http://ngtech.co.il/block_page/?url=%25u&domain=%25H"><span style='color:windowtext;text-decoration:none'>http://ngtech.co.il/block_page/?url=%u&domain=%H</span></a> filter_url_acl #or # <o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> deny_info 302:http://ngtech.co.il/block_page/?url=%u&domain=%H <o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> filter_url_acl http_access deny !filter_url_acl http_access allow <o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> localnet filter_url_acl ## END OF SETTINGS<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> I have not tested this request format but if it doesn't work this way then a little cosmetics will make it work.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> When more information will be available we can try to see where the issue is from.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> Eliezer<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'>> ----<o:p></o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> Eliezer Croitoru<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Linux System Administrator<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Mobile: +972-5-28704261<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Email: <a href="mailto:eliezer@ngtech.co.il"><span style='color:windowtext;text-decoration:none'>eliezer@ngtech.co.il</span></a><o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> -----Original Message-----<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> From: squid-users [<a href="mailto:squid-users-bounces@lists.squid-cache.org"><span style='color:windowtext;text-decoration:none'>mailto:squid-users-bounces@lists.squid-cache.org</span></a>] <o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> On Behalf Of reqman<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Sent: Wednesday, June 15, 2016 10:22 AM<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> To: <a href="mailto:squid-users@lists.squid-cache.org"><span style='color:windowtext;text-decoration:none'>squid-users@lists.squid-cache.org</span></a><o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Subject: [squid-users] HTTPS issues with squidguard after upgrading <o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> from squid 2.7 to 3.5<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> Hello all,<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> I have been running squid 2.7.X alongside squidguard 1.4 on a FreeBSD 8.x box for years.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Started out some 10 years ago, with a much older squid/squidguard/FreeBSD combination.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> Having to upgrade to FreeBSD 10.3, I examined my option regarding squid.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> 3.5.19 was available which I assumed would behave the same as 2.7, regarding compatibility.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Squidguard 1.4 was also installed.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> - Squid was configured to behave along the lines of what I had on 2.7.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> - For squidguard I used the exact same blocklists and configurations.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Note that I do not employ an URL rewriting in squidguard, only redirection.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> - no SSL-bump or other SSL interception takes place<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> - the squidguard-related lines on squid are the following:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> url_rewrite_program /usr/local/bin/squidGuard url_rewrite_children 8 <o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> startup=4 idle=4 concurrency=0 url_rewrite_access allow all<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> - In squidGuard.conf, the typical redirect section is like:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> default {<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> pass local-ok !block1 !block2 !blockN all<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> redirect<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> 301:http://localsite/block.htm?clientaddr=%a+clientname=%n+clientident=%i+srcclass=%s+targetclass=%t+url=%u<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>> }<o:p></o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> I am now experiencing problems that I did not have. Specifically, access to certain but *not* all HTTPS sites seems to timeout.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Furthermore, I see entries similar to the following in cache.log:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> remote=192.168.2.239:3446 FD 591 flags=1<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> remote=192.168.2.239:3448 FD 592 flags=1<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> remote=192.168.2.239:3452 FD 594 flags=1<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> remote=192.168.2.239:3456 FD 596 flags=1<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> remote=192.168.2.239:3454 FD 595 flags=1<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> remote=192.168.2.239:3458 FD 597 flags=1<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> 2016/06/15 09:27:59 kid1| abandoning local=192.168.0.1:3128<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> remote=192.168.2.239:3462 FD 599 flags=1<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> Searching around, the closest I have come to an answer is the<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> following: <o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> <a href="http://www.squid-cache.org/mail-archive/squid-users/201211/0165.html"><span style='color:windowtext;text-decoration:none'>http://www.squid-cache.org/mail-archive/squid-users/201211/0165.html</span></a><o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> I am not sure though whether I am plagued by the same issue, considering that the thread refers to a squid version dated 4 years ago. And I definitely do not understand what the is meant by the poster's proposal:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> "If you can't alter the re-writer to perform redirection you can work around that by using:<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> acl foo ... some test to match the re-written URL ...<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> deny_info 302:%s foo<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> adapted_http_access deny foo "<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> Can someone help resolve this?<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> Is the 2.7 series supported at all?<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> As is if everything fails, I'll have to go back to it if there's some support.<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> BR,<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'>><o:p> </o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> Michael.-<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>> _______________________________________________<o:p></o:p></span></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=LTR></span><span dir=LTR></span>> squid-users mailing list<o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> <a href="mailto:squid-users@lists.squid-cache.org"><span style='color:windowtext;text-decoration:none'>squid-users@lists.squid-cache.org</span></a><o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'>> <a href="http://lists.squid-cache.org/listinfo/squid-users"><span style='color:windowtext;text-decoration:none'>http://lists.squid-cache.org/listinfo/squid-users</span></a><o:p></o:p></p><p class=MsoPlainText style='text-align:left;direction:ltr;unicode-bidi:embed'><span dir=RTL></span><span lang=HE dir=RTL style='font-size:10.5pt;font-family:"Arial","sans-serif"'><span dir=RTL></span>></span><o:p> </o:p></p></div></body></html>