[squid-users] ssl bump and url_rewrite_program (like squidguard)

Marcus Kool marcus.kool at urlfilterdb.com
Wed Nov 4 13:10:09 UTC 2015


You need to know what squidGuard actually sends to Squid.
squidGuard does not have a debug option for this, so you have to set
    debug_options ALL,1 61,9
in squid.conf to see what Squid receives.
I bet that what Squid receives, is what it complains about:
the URL starts with 'https://http'

Marcus

On 11/04/2015 10:55 AM, Edouard Gaulué wrote:
> On 04/11/2015 11:00, Amos Jeffries wrote:
>> On 4/11/2015 12:48 p.m., Marcus Kool wrote:
>>> I suspect that the problem is that you redirect a HTTPS-based URL to an
>>> HTTP URL and Squid does not like that.
>>>
>>> Marcus
> To give it a try in that direction I now redirect to an https server. And I get:
>
> The following error was encountered while trying to retrieve the URL: https://https/*
>
>     *Unable to determine IP address from host name "https"*
>
> The DNS server returned:
>
>     Name Error: The domain name does not exist.
>
>
> Moreover, this would sometimes lead to redirecting an HTTP-based URL to an HTTPS URL, and I don't know how much squid likes it either.
>
>> No it is apparently the fact that the domain name being redirected to is
>> "http".
>>
>> As in:"http://http/something"
>>
> I can assure my rewrite_url looks like "https://proxyweb.xxxxx.xxxxx/var1=xxxx&...".
>
> And this confirms ssl_bump parses this result and gets the left part before the ":". To play with it, I have also redirected to "proxyweb.xxxxx.xxxxx:443/var1=xxxx&..." (i.e. I removed the "https://" and added a
> ":443") to force the parsing. Then I don't get this message anymore, but Mozilla gets crazy waiting for the ad.doubleclick.net certificate and getting the proxyweb.xxxxx.xxxxx one. And of course it
> breaks my SG configuration and can't be a production solution.
>> Which brings up the question of why you are using SG to block adverts?
>>
>> squid.conf:
>>   acl ads dstdomain .doubleclick.net
>>   http_access deny ads
>>
>> Amos
>>
>>
> I don't use SG to specifically block adverts, I use it to block 90 % of the web. Here it's just an example with ads but it could be with so many other things...
>
> I just want to try to make SG and ssl_bump live together.
>
> Is it possible to have a rule like "if it has been rewritten then don't try to ssl_bump"?
>
> Regards, EG
>
>
>
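The mismatch discussed in this thread, as an added example that is not code from any poster, from Squid or from squidGuard: it classifies rewrite-helper replies and flags an absolute URL answered to a CONNECT request, where the text left of the first ":" ("https") ends up as the host name. It assumes CONNECT requests reach the helper in `host:port` form and the legacy `URL client/fqdn ident method` line format; the function names, the client address and `proxyweb.example.invalid` are constructed.

```python
"""Constructed example: compare url_rewrite helper replies with the request form."""
import re

# host:port, the form assumed here for CONNECT requests passed to the helper
AUTHORITY = re.compile(r"^([A-Za-z0-9.-]+):(\d{1,5})$")

def authority_host(value):
    # Simplified reading taken from the thread: the host is whatever sits
    # left of the first ':' (an assumption, not Squid's actual parser).
    return value.split(":", 1)[0]

def check_reply(request_line, reply_line):
    """Classify one helper reply; returns (verdict, detail)."""
    url, _client, _ident, method = request_line.split()[:4]
    reply = reply_line.split()
    if not reply:                       # empty line: URL left unchanged
        return ("unchanged", url)
    new_url = reply[0]
    if method != "CONNECT":
        return ("rewritten", new_url)
    if not AUTHORITY.match(new_url):
        # Absolute URL answered to a host:port request
        return ("mismatch", 'host would be read as "%s"' % authority_host(new_url))
    if authority_host(new_url) != authority_host(url):
        # Parses, but the browser still expects the original host's certificate
        return ("host-changed", new_url)
    return ("rewritten", new_url)

# Constructed sample request/reply pairs (hypothetical client and redirect host)
CONNECT_REQ = "ad.doubleclick.net:443 192.0.2.10/- - CONNECT"
GET_REQ = "http://ad.doubleclick.net/x.gif 192.0.2.10/- - GET"
SAMPLES = [
    (CONNECT_REQ, "https://proxyweb.example.invalid/var1=x 192.0.2.10/- - CONNECT"),
    (CONNECT_REQ, "proxyweb.example.invalid:443 192.0.2.10/- - CONNECT"),
    (CONNECT_REQ, ""),
    (GET_REQ, "http://proxyweb.example.invalid/var1=x 192.0.2.10/- - GET"),
]

if __name__ == "__main__":
    for req, rep in SAMPLES:
        print(check_reply(req, rep))
```

Run over helper request/reply pairs collected with the `debug_options ALL,1 61,9` setting mentioned above, a `mismatch` verdict corresponds to the `https://https/*` error page and `host-changed` to the certificate mismatch the poster describes.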
