[squid-users] ICAP and HTTPS

Paul Carew beavatronix at gmail.com
Tue Oct 6 16:14:10 UTC 2015


Hi

Just a quick question regarding SSL bump and ICAP.

I have integrated Squid 3.5.9 with a commercial product that provides
an ICAP service. It works fine for HTTP.

Upon receiving an ICAP query for a blocked HTTP site the following
ICAP response is returned.

ICAP/1.0 200 OK
ISTAG: "PRODUCTNAME"
Attribute: Blocked Sites
Encapsulated: res-hdr=0, null-body=148

HTTP/1.0 302 Moved
Location: http://192.168.0.10/block?session=12345678
Pragma: no-cache
Cache-Control: no-cache

and the block page is correctly displayed in the user's browser.

However, when accessing a blocked site over HTTPS the following ICAP
response is received:

ICAP/1.0 200 OK
ISTAG: "PRODUCTNAME"
Attribute: Blocked Sites
Encapsulated: res-hdr=0, null-body=533

HTTP/1.0 403 Blocked
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache
Location: http://192.168.0.10/block?session=12345678

<html>
  <head>
    <meta http-equiv="refresh"
content="0;url=http://192.168.0.10/block?session=12345678">
    <title>Blocked</title>
  </head>
  <body>
    <h4>You have been blocked.</h4>
    <p>Click <a
href="http://192.168.0.10/block?session=12345678">here</a> for
details</p>
  </body>
</html>

Chrome and IE just error upon receiving this response. In the case of
Chrome I get an ERR_TUNNEL_CONNECTION_FAILED error. I could be wrong
but I would imagine this error is by design, as Chrome will only
respond to a proxy authentication request or SSL handshake in response
to an HTTP CONNECT?

If that's correct, I was wondering if there is a way to get this to
work, with peek and splice possibly or any alternative method?

Thank you

Paul
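
Added example (not part of the original post, and not code from Squid or the ICAP product): a small diagnostic that parses an ICAP reply like the two above and reports how a browser would treat the encapsulated HTTP status for a plain request versus a CONNECT. The function names are hypothetical, the CONNECT handling in `browser_outcome` is an assumption taken from the behaviour reported in the post, and the sample replies are constructed from the post's replies with the offsets recomputed and the HTML body omitted.

```python
import re

CRLF = "\r\n"
BLOCK = "http://192.168.0.10/block?session=12345678"

def parse_icap(raw: str) -> dict:
    """Return ICAP status, Encapsulated offsets and the embedded HTTP status/Location."""
    icap_head, _, payload = raw.partition(CRLF * 2)
    lines = icap_head.split(CRLF)
    headers = dict((k.strip().lower(), v.strip())
                   for k, _, v in (l.partition(":") for l in lines[1:]))
    # "res-hdr=0, null-body=148" -> {"res-hdr": 0, "null-body": 148}
    offsets = {k: int(v) for k, v in
               re.findall(r"([a-z-]+)=(\d+)", headers.get("encapsulated", ""))}
    http_head = payload[offsets.get("res-hdr", 0):].split(CRLF * 2, 1)[0]
    status = int(http_head.split(CRLF, 1)[0].split()[1])
    loc = re.search(r"^Location:\s*(\S+)", http_head, re.I | re.M)
    return {"icap_status": int(lines[0].split()[1]), "offsets": offsets,
            "http_status": status, "location": loc.group(1) if loc else None}

def browser_outcome(method: str, http_status: int) -> str:
    """Assumed browser handling of a proxy reply (see the behaviour reported above)."""
    if method != "CONNECT":
        return "rendered"        # plain HTTP: redirects and bodies are honoured
    if http_status == 200:
        return "tunnel"          # tunnel established, TLS handshake follows
    if http_status == 407:
        return "proxy-auth"      # browser prompts for proxy credentials
    return "tunnel-failed"       # e.g. Chrome's ERR_TUNNEL_CONNECTION_FAILED

def build_sample(http_head: str) -> str:
    """Constructed ICAP reply; the null-body offset is computed from the header block."""
    http = http_head + CRLF * 2
    return (f'ICAP/1.0 200 OK{CRLF}ISTAG: "PRODUCTNAME"{CRLF}'
            f"Encapsulated: res-hdr=0, null-body={len(http)}{CRLF * 2}{http}")

# Constructed samples modelled on the two replies in the post.
HTTP_CASE = build_sample(f"HTTP/1.0 302 Moved{CRLF}Location: {BLOCK}{CRLF}"
                         f"Pragma: no-cache{CRLF}Cache-Control: no-cache")
HTTPS_CASE = build_sample(f"HTTP/1.0 403 Blocked{CRLF}Content-Type: text/html{CRLF}"
                          f"Location: {BLOCK}")

def diagnose(method: str, raw: str) -> tuple:
    """Pair the encapsulated HTTP status with the expected browser outcome."""
    status = parse_icap(raw)["http_status"]
    return status, browser_outcome(method, status)

if __name__ == "__main__":
    print("GET    ", diagnose("GET", HTTP_CASE))
    print("CONNECT", diagnose("CONNECT", HTTPS_CASE))
```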

