[squid-users] URL Rewrite for https via Squidguard
Yuri Voinov
yvoinov at gmail.com
Sat Jan 9 19:12:23 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
09.01.16 15:45, Marcus Kool пишет:
>
>
> On 01/09/2016 05:07 AM, Darren wrote:
>> Hi
>>
>> I am trying to hack squidguard to allow me to redirect users attempts
to connect to blocked https enabled sites.
>>
>> Some sites are allowed and the bulk are not. Currently I can see the
Connect details being handed to SG for processing and if I change this
to return a redirect to make it point to a different server
>> it breaks and gives me an SSL error (as would be expected)
>
> indeed, "as expected"...
> The HTTP protocol supportly support redirection of URL by sending a
30x status code back to he browser.
> HTTPS, which is SSL+HTTP is "safe" encrypted channel where HTTP is
inside the channel and
> explicitly is designed not to be tampered with. So redirecting a
channel to an other website
> always will cause a certificate error, unless ...
> 1) one uses ssl-bump
> 2) installs the Squid fake CA certificate in all browsers
> 3) one has a policy for the other protocols (e.g. Skype) that use
CONNECT
>
>> Is there a way I can get this redirection call to squidguard happened
earlier in squid before it gets this far down the CONNECT process? Or is
there something that I can return from Squidguard that
>> would make this work? I notice that the connect attempts are always
just the IP address, so something earlier in the processing is doing a
reverse DNS lookup, is this the Browser of Squid and if so
>> can I get in earlier during the process?
>
> The above implies that you use Squid in interception mode where it
initially can only see the IP address of the server.
Note: Squid 3.5 only see IP initially. 3.4 knows full FQDN. Note this.
You deal not only 3.5 and above. But _many_ 3.4.x installations.
> In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a the FQDN) and then
the SNI/FQDN can be used in ACLs inside Squid and any URL redirector
that can cope with the SNI parameter. Squidguard cannot, the latest
ufdbGuard 1.31 cannot, but ufdbGuard 1.32 _can_ and will be released in
February.
>
> Marcus
>
>>
>> I want to maintain the various lists in just squidguard and not put
in ACLs in squid.conf
>>
>> thanks
>>
>> Darren B.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJWkVuXAAoJENNXIZxhPexG6OYIAI5tDWbOeSuzj6ppKSadE466
7b4YzxownSixeddyVL+diCBRFVPtBbHzvrOmy+jHo+fYgZrTqBg/hh0MKd4eJ+zq
JiY78WwNbYGDKat+UGXzT0F7eVePHJo5o/c1z3am1FfdqGtFdKCh+9VZ4E4TrAH5
mjgJtb+x0c7pi5Yen6PJVAQIjoB3MiJ3xoeVAyFUbJdrRAS8PgFgbEdMuqy9+UkH
3yp0KSgKnc3IE5NghWhITJfyHXsPcwnpIqOhTxQrE+DFPj9IREPcnfq3N4+v6tvz
17swFfGHe1FUwGGssfiAsLC+QeeZPkSLlPP0ytgk/WMxR8tfLTJy26b1QzVg/Ko=
=InjG
-----END PGP SIGNATURE-----
More information about the squid-users
mailing list