[squid-users] ssl bump and url_rewrite_program (like squidguard)
Edouard Gaulué
edouard at e-gaulue.com
Fri Nov 13 09:16:35 UTC 2015
Hi Amos and all,
Learning on HTTP CONNECT, I got
there:http://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
I read on http://wiki.squid-cache.org/Features/MimicSslServerCert in the
"Delayed error responses" chapter:
"When Squid fails to negotiate a secure connection with the origin
server and bump-ssl-server-first is enabled, Squid remembers the error
page and serves it after establishing the secure connection with the
client and receiving the first encrypted client request. The error is
served securely. The same approach is used for Squid redirect messages
configured via deny_info. This error delay is implemented because (a)
browsers like FireFox and Chromium do not display CONNECT errors
correctly and (b) intercepted SSL connections must wait for the first
request to serve an error."
My ideas/questions:
1/ Is there a way to have the same with new peek and splice feature?
2/ Is there a way to say url_rewrite_program not to work on CONNECT
request? This way the CONNECT is not redirected, next request the
browser sends after squid has bumped it should be a kind of GET/POST
one that will be redirected by url_rewrite_program.
3/ Would it works if squidguard were i-cap'ed?
EG
Le 13/11/2015 01:31, Amos Jeffries a écrit :
> On 13/11/2015 1:02 a.m., Edouard Gaulué wrote:
>>
>>
>> Why is the browser not taking account of the redirect?
> Think about *exactly* what is being redirected.
>
> CONNECT is a request to setup a blind packet relaying tunnel.
>
>
>> Why is it redoing the same connect?
> Because its a browser. They do some really weird things when confused.
>
> It was told a TCP relay tunnel existed at
> "https://proxyweb.echoppe.lan/cgi-bin/...". Thats a pretty weird place
> for a network socket to exist.
>
>
>> Why is there no trace at all in the proxy logs of this second CONNECT?
>>
> Only if it was handled would it be logged. It seems it may have been
> read in (or maybe not) but definitely not processed for some reason.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list