[squid-users] ICAP and HTTPS
Paul Carew
beavatronix at gmail.com
Tue Oct 6 16:14:10 UTC 2015
Hi

Just a quick question regarding SSL bump and ICAP.

I have integrated Squid 3.5.9 with a commercial product that provides
an ICAP service. It works fine for HTTP.

Upon receiving an ICAP query for a blocked HTTP site the following
ICAP response is returned.

ICAP/1.0 200 OK
ISTAG: "PRODUCTNAME"
Attribute: Blocked Sites
Encapsulated: res-hdr=0, null-body=148
HTTP/1.0 302 Moved
Location: http://192.168.0.10/block?session=12345678
Pragma: no-cache
Cache-Control: no-cache

and the block page is correctly displayed in the user's browser.

However, when accessing a blocked site over HTTPS the following ICAP
response is received:

ICAP/1.0 200 OK
ISTAG: "PRODUCTNAME"
Attribute: Blocked Sites
Encapsulated: res-hdr=0, null-body=533
HTTP/1.0 403 Blocked
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache
Location: http://192.168.0.10/block?session=12345678
<html>
<head>
<meta http-equiv="refresh"
content="0;url=http://192.168.0.10/block?session=12345678">
<title>Blocked</title>
</head>
<body>
<h4>You have been blocked.</h4>
<p>Click <a
href="http://192.168.0.10/block?session=12345678">here</a> for
details</p>
</body>
</html>

Chrome and IE just error upon receiving this response. In the case of
Chrome I get an ERR_TUNNEL_CONNECTION_FAILED error. I could be wrong
but I would imagine this error is by design, as Chrome will only
respond to a proxy authentication request or SSL handshake in response
to an HTTP CONNECT?

If that's correct, I was wondering if there is a way to get this to
work, with peek and splice possibly or any alternative method?

Thank you
Paul
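
Added example, not part of the original post and not code from Squid or the ICAP product: when debugging ICAP responses like the two quoted above, a Python parser can split the message by its Encapsulated offsets (RFC 3507), report the encapsulated HTTP status and Location, and flag a null-body declaration that is followed by body bytes. The function names and the sample bytes are constructed for illustration; the sample's offset is computed from its own bytes.

```python
import re

def parse_icap_response(raw: bytes) -> dict:
    """Split an ICAP response (RFC 3507) using its Encapsulated offsets."""
    head, sep, payload = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("ICAP header block is not terminated")
    lines = head.decode("latin-1").split("\r\n")
    status = re.match(r"ICAP/1\.0 (\d{3})", lines[0])
    if not status:
        raise ValueError("not an ICAP/1.0 status line")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    # Encapsulated lists name=offset pairs; offsets count from the payload start.
    parts = []
    for item in headers.get("encapsulated", "").split(","):
        name, _, off = item.strip().partition("=")
        if not off.isdigit():
            raise ValueError(f"bad Encapsulated entry: {item!r}")
        parts.append((name, int(off)))
    warnings, sections = [], {}
    for i, (name, off) in enumerate(parts):
        end = parts[i + 1][1] if i + 1 < len(parts) else len(payload)
        if off > end:
            warnings.append(f"{name} offset {off} is out of range")
        sections[name] = payload[off:end]
    if sections.get("null-body"):
        warnings.append(f"null-body declared but {len(sections['null-body'])} bytes follow")
    http = {"status": None, "location": None}
    hdr = sections.get("res-hdr", b"").decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", hdr[0])
    if m:
        http["status"] = int(m.group(1))
    for ln in hdr[1:]:
        k, _, v = ln.partition(":")
        if k.strip().lower() == "location":
            http["location"] = v.strip()
    return {"icap_status": int(status.group(1)), "http": http, "warnings": warnings}

# Constructed sample modelled on the 302 response in the post; the offset is
# computed from these bytes, not copied from the post.
HTTP_HDR = (b"HTTP/1.0 302 Moved\r\n"
            b"Location: http://192.168.0.10/block?session=12345678\r\n"
            b"Pragma: no-cache\r\nCache-Control: no-cache\r\n\r\n")

def build_sample(body: bytes = b"") -> bytes:
    icap = ('ICAP/1.0 200 OK\r\nISTAG: "PRODUCTNAME"\r\n'
            f"Encapsulated: res-hdr=0, null-body={len(HTTP_HDR)}\r\n\r\n")
    return icap.encode() + HTTP_HDR + body
```

Calling parse_icap_response(build_sample()) returns the 302 and its Location with no warnings; passing a body to build_sample() produces the null-body warning.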