[squid-users] how to generate errors when blocking https urls in transparent with peek+splice mode

Jason Haar Jason_Haar at trimble.com
Wed Jan 6 06:46:26 UTC 2016


Hi there

Doing "peek+splice - but no actual bump" in formal proxy mode works
well when you want to use squid to block https sites via acls: it can
return an error page to the client's CONNECT request and the browser can
show that error to the user. However, in "peek+splice" transparent mode,
squid has no real mechanism to return a nice error page - totally
understandable - to do so would require bump so that an HTTPS page could
be returned.

What I'm seeing (in transparent mode) is clients attempting to connect
to a blocked https website hanging forever - and even after they time
out, I don't see anything in the squid access.log. I have "deny_info"
set to return error pages via my old squidguard CGI - but they will only
work in the CONNECT case of course. Is there any way I could do (say)
TCP_RESET on the transparent case and keep doing nice error messages on
the CONNECT case? I doubt there could be anything better without going
full bump.


This is CentOS6 with iptables for transparent 443 and squid-3.5.10

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

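One way to wire the two cases the post asks about in squid.conf, as an added example and not the poster's configuration: the same blocklist is declared under two ACL names so that deny_info can bind TCP_RESET to denials arriving on the intercepted 443 port and the squidGuard-style CGI error page to denials on the explicit CONNECT port. The port names, certificate path, blocklist file and CGI URL are assumed.

```conf
# Added illustration; port names, paths and the CGI URL are assumptions.

# Explicit proxy port (clients send CONNECT here) and the intercepted 443 port.
http_port  3128 ssl-bump cert=/etc/squid/ssl_cert/proxy.pem name=explicit3128
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/proxy.pem name=intercept443

acl step1 at_step SslBump1

# Same blocklist under two ACL names: deny_info is keyed on the ACL name that
# caused the denial, so each name can carry a different error response.
acl blocked_https       ssl::server_name "/etc/squid/blocked_https.txt"
acl blocked_https_reset ssl::server_name "/etc/squid/blocked_https.txt"

acl via_intercept myportname intercept443
acl CONNECT method CONNECT

# Transparent case: no page can be rendered without bumping, so reset the
# connection instead of leaving the client hanging.
deny_info TCP_RESET blocked_https_reset
# Explicit CONNECT case: keep the existing CGI error page (%u = denied URL).
deny_info http://filter.example.internal/cgi-bin/blocked.cgi?url=%u blocked_https

# Order matters: the intercepted-port rule must come first so its ACL name,
# not the CONNECT one, is the last ACL evaluated on the denying line.
http_access deny via_intercept blocked_https_reset
http_access deny CONNECT blocked_https
# ... remaining http_access rules for the site ...

# Peek at the ClientHello to learn the SNI, then splice (no bump) whatever is still allowed.
ssl_bump peek step1
ssl_bump splice all
```

The denied transparent connection now shows up in access.log as a denied CONNECT with a reset, which also gives the SOC a log line to alert on instead of a silent timeout.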

