[squid-users] Transparent intercept Squid 3.5.20: where VPNs go to die.
Alex Rousskov
rousskov at measurement-factory.com
Mon Aug 29 20:07:20 UTC 2016
On 08/29/2016 10:43 AM, Stanford Prescott wrote:
> Is there a way to tell Squid that there may be port 443 connections that
> don't use TLS/SSL so that a useful message could be generated other than
> the "connection failed" message the VPN client gives?
Not quite, but we are slowly getting there:
Recent Squids have on_unsupported_protocol feature that is usually
triggered when Squid receives a request using the wrong protocol,
including receiving non-SSL bytes instead of SSL Hello. You can
configure Squid to respond with an error response in that case (in fact,
that is the default behavior).
In theory, you can also configure Squid to customize that error response
using deny_info, but see
http://lists.squid-cache.org/pipermail/squid-users/2016-August/012124.html
(Ideally, we should support a better way of customize error responses
than denying them and using deny_info to customize denied responses!)
Even if deny_info works, there is currently no way to customize an error
response so that it becomes a non-HTTP response, but that (together with
ACLs/code to detect common non-HTTP protocols) would be a welcomed
feature IMO. Ideally, the admin should be able to tell Squid exactly
what bytes to send to the client (as opaque or opaque with placeholders
data) if needed.
HTH,
Alex.
More information about the squid-users
mailing list