[squid-users] "ACCESS DENIED" page by ssl_bump terminate
Alexandr Yatskin
yatskin at wipline.ru
Mon Mar 28 05:59:53 UTC 2016
Directive "deny_info" didn't work when we blocked https site with option
"ssl_bump".
Maybe, is there another method?
--------------------------------------------------------------------
acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
deny_info http://www.example.com blocked_https
ssl_bump terminate blocked_https
--------------------------------------------------------------------
25.03.2016 17:14, Yuri Voinov пишет:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> # TAG: deny_info
> # Usage: deny_info err_page_name acl
> # or deny_info http://... acl
> # or deny_info TCP_RESET acl
> #
> # This can be used to return a ERR_ page for requests which
> # do not pass the 'http_access' rules. Squid remembers the last
> # acl it evaluated in http_access, and if a 'deny_info' line exists
> # for that ACL Squid returns a corresponding error page.
> #
> # The acl is typically the last acl on the http_access deny line which
> # denied access. The exceptions to this rule are:
> # - When Squid needs to request authentication credentials. It's then
> # the first authentication related acl encountered
> # - When none of the http_access lines matches. It's then the last
> # acl processed on the last http_access line.
> # - When the decision to deny access was made by an adaptation service,
> # the acl name is the corresponding eCAP or ICAP service_name.
> #
> # NP: If providing your own custom error pages with error_directory
> # you may also specify them by your custom file name:
> # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
> #
> # By defaut Squid will send "403 Forbidden". A different 4xx or 5xx
> # may be specified by prefixing the file name with the code and a
> colon.
> # e.g. 404:ERR_CUSTOM_ACCESS_DENIED
> #
> # Alternatively you can tell Squid to reset the TCP connection
> # by specifying TCP_RESET.
> #
> # Or you can specify an error URL or URL pattern. The browsers will
> # get redirected to the specified URL after formatting tags have
> # been replaced. Redirect will be done with 302 or 307 according to
> # HTTP/1.1 specs. A different 3xx code may be specified by prefixing
> # the URL. e.g. 303:http://example.com/
> #
> # URL FORMAT TAGS:
> # %a - username (if available. Password NOT included)
> # %B - FTP path URL
> # %e - Error number
> # %E - Error description
> # %h - Squid hostname
> # %H - Request domain name
> # %i - Client IP Address
> # %M - Request Method
> # %o - Message result from external ACL helper
> # %p - Request Port number
> # %P - Request Protocol name
> # %R - Request URL path
> # %T - Timestamp in RFC 1123 format
> # %U - Full canonical URL from client
> # (HTTPS URLs terminate with *)
> # %u - Full canonical URL from client
> # %w - Admin email from squid.conf
> # %x - Error name
> # %% - Literal percent (%) code
> #
> #Default:
> # none
>
> ?
>
> 25.03.16 16:15, Alexandr Yatskin пишет:
> > Hello everyone! > How redirect users to "Access Denied" page when they go to blocked
> https sites? > Now users only can see such error:
> "ERR_CONNECTION_CLOSED". > > There are several lines from our config:
> > ------------------------------------------ > acl blocked_https
> ssl::server_name "/etc/squid/blocked_https.txt" > ssl_bump terminate
> blocked_https > ------------------------------------------ > Thanks in
> advance. > > > > _______________________________________________ >
> squid-users mailing list > squid-users at lists.squid-cache.org >
> http://lists.squid-cache.org/listinfo/squid-users
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJW9UfKAAoJENNXIZxhPexG2KMH/1ACiOlqrvMRngV3K5xTKTQ+
> ryx1oFWqH7sbn9vsAALZ8QBeVzucrH0XjDGRqbH7ehUd4a9XS0s03KsyGcDj5YAE
> 1uq5SYB+oSHpOYTEPN2uMUUTiMy1m3ZUq/Z9AONHEVu3avmRwliGpb7xMGMB7ORn
> Oy/du+I8YsB9r7O2zIDTStmdafdpu/7Xf0NqWB1awxUyU3v9Q2gTckOiQcWKnCFG
> 3xY0sh9xAxayh0x1O7IuIbyhHRnFIhVbVI1fD3RDd5TqhkP61vtQyDsXMtC8Rxa1
> HJSjttjN2Y3kgVGK57rJOaT1spR2B6Rfy98ZhXK/TI81cXmtgnM0987EB4p8OGw=
> =kPrb
> -----END PGP SIGNATURE-----
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160328/25542ae0/attachment.html>
More information about the squid-users
mailing list