[squid-users] ssl bump and url_rewrite_program (like squidguard)

Tue Nov 3 22:48:51 UTC 2015

Hi community,

I've followed
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit  to
set my server. It looks really interesting and it's said to be the more
common configuration.

I often observe (example here withwww.youtube.com) :
***************************
The following error was encountered while trying to retrieve the URL:
https://http/*

     *Unable to determine IP address from host name "http"*

The DNS server returned:

     Name Error: The domain name does not exist.
****************************

This happens while the navigator (Mozilla) is trying to get a frame at
https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?

That's ads so I'm not so fond of it...

But this leads me to the fact I get this behavior each time the site is
banned by squidguard.

Is there something to do to avoid this behavior? I mean, squidguard
should send :

*********************************
   Access denied

Supplementary info 	: 	
Client address 	= 	192.168.XXX.XXX
Client name 	= 	192.168.XXX.XXX
User ident 	= 	
Client group 	= 	XXXXXXX
URL 	= 	https://ad.doubleclick.net/
Target class 	= 	ads

If this is wrong, contact your administrator
**********************************

squidguard is an url_rewrite_program that looks to respect squid
requirements. Redirect looks like this :
http://proxyweb.myserver.mydomain/cgi-bin/squidGuard-simple.cgi?clientaddr=...

I've played arround trying to change the redirect URL and it leads me to
the idea ssl_bump tries to analyse the part until the ":". Is there a way
to avoid this? Is this just a configuration matter?

Could putting a ssl_bump rule saying "every server that name match "http" or
"https" should splice" solve the problem?

Regards, EG