[squid-users] "ACCESS DENIED" page by ssl_bump terminate
Alexandr Yatskin
yatskin at wipline.ru
Mon Mar 28 13:29:25 UTC 2016
I've already checked it. The order of these options doesn't matter.
28.03.2016 15:30, Yuri Voinov wrote:
>
> I suggest the order is important and must be:
>
> ssl_bump terminate blocked_https
> deny_info http://www.example.com blocked_https
>
> 28.03.16 11:59, Alexandr Yatskin wrote:
> > Directive "deny_info" didn't work when we blocked an https site with the option "ssl_bump".
> > Maybe there is another method?
> >
> > --------------------------------------------------------------------
> > acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt"
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> >
> > deny_info http://www.example.com blocked_https
> > ssl_bump terminate blocked_https
> > --------------------------------------------------------------------
> >
> > 25.03.2016 17:14, Yuri Voinov wrote:
> > > # TAG: deny_info
> > > # Usage: deny_info err_page_name acl
> > > # or deny_info http://... acl
> > > # or deny_info TCP_RESET acl
> > > #
> > > # This can be used to return a ERR_ page for requests which
> > > # do not pass the 'http_access' rules. Squid remembers the last
> > > # acl it evaluated in http_access, and if a 'deny_info' line exists
> > > # for that ACL Squid returns a corresponding error page.
> > > #
> > > # The acl is typically the last acl on the http_access deny line which
> > > # denied access. The exceptions to this rule are:
> > > # - When Squid needs to request authentication credentials. It's then
> > > #   the first authentication related acl encountered
> > > # - When none of the http_access lines matches. It's then the last
> > > #   acl processed on the last http_access line.
> > > # - When the decision to deny access was made by an adaptation service,
> > > #   the acl name is the corresponding eCAP or ICAP service_name.
> > > #
> > > # NP: If providing your own custom error pages with error_directory
> > > # you may also specify them by your custom file name:
> > > # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
> > > #
> > > # By default Squid will send "403 Forbidden". A different 4xx or 5xx
> > > # may be specified by prefixing the file name with the code and a colon.
> > > # e.g. 404:ERR_CUSTOM_ACCESS_DENIED
> > > #
> > > # Alternatively you can tell Squid to reset the TCP connection
> > > # by specifying TCP_RESET.
> > > #
> > > # Or you can specify an error URL or URL pattern. The browsers will
> > > # get redirected to the specified URL after formatting tags have
> > > # been replaced. Redirect will be done with 302 or 307 according to
> > > # HTTP/1.1 specs. A different 3xx code may be specified by prefixing
> > > # the URL. e.g. 303:http://example.com/
> > > #
> > > # URL FORMAT TAGS:
> > > # %a - username (if available. Password NOT included)
> > > # %B - FTP path URL
> > > # %e - Error number
> > > # %E - Error description
> > > # %h - Squid hostname
> > > # %H - Request domain name
> > > # %i - Client IP Address
> > > # %M - Request Method
> > > # %o - Message result from external ACL helper
> > > # %p - Request Port number
> > > # %P - Request Protocol name
> > > # %R - Request URL path
> > > # %T - Timestamp in RFC 1123 format
> > > # %U - Full canonical URL from client
> > > #      (HTTPS URLs terminate with *)
> > > # %u - Full canonical URL from client
> > > # %w - Admin email from squid.conf
> > > # %x - Error name
> > > # %% - Literal percent (%) code
> > > #
> > > #Default:
> > > # none
> > >
> > > ?
> > >
> > > 25.03.16 16:15, Alexandr Yatskin wrote:
> > > > Hello everyone!
> > > >
> > > > How to redirect users to an "Access Denied" page when they go to
> > > > blocked https sites?
> > > >
> > > > Now users can only see this error: "ERR_CONNECTION_CLOSED".
> > > >
> > > > There are several lines from our config:
> > > >
> > > > ------------------------------------------
> > > > acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt"
> > > > ssl_bump terminate blocked_https
> > > > ------------------------------------------
> > > >
> > > > Thanks in advance.
> > > >
> > > > _______________________________________________
> > > > squid-users mailing list
> > > > squid-users at lists.squid-cache.org
> > > > http://lists.squid-cache.org/listinfo/squid-users
>
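
A configuration check based on the deny_info documentation quoted in this thread, as an added example that is not part of the original messages or of Squid: it flags deny_info ACLs that never end an http_access deny line, and notes when such an ACL is used by ssl_bump terminate, which closes the connection without sending any HTTP response. The function names are assumptions of this example, and the sample text is the configuration posted above.

```python
# Constructed sample: the configuration posted in this thread.
SAMPLE_CONF = """\
acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
deny_info http://www.example.com blocked_https
ssl_bump terminate blocked_https
"""


def parse(conf):
    """Return (directive, args) pairs, skipping blank and comment lines."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            rules.append((parts[0], parts[1:]))
    return rules


def unreachable_deny_info(conf):
    """List (acl, target, used_by_terminate) for deny_info lines whose ACL
    never ends an http_access deny line, so the page is never selected.
    The documented exceptions (authentication, adaptation services) are
    not modelled here."""
    rules = parse(conf)
    deny_last, terminated = set(), set()
    for name, args in rules:
        if name == "http_access" and len(args) > 1 and args[0] == "deny":
            deny_last.add(args[-1].lstrip("!"))
        elif name == "ssl_bump" and args[:1] == ["terminate"]:
            terminated.update(a.lstrip("!") for a in args[1:])
    findings = []
    for name, args in rules:
        if name == "deny_info" and len(args) >= 2 and args[-1] not in deny_last:
            findings.append((args[-1], args[0], args[-1] in terminated))
    return findings


if __name__ == "__main__":
    for acl, target, term in unreachable_deny_info(SAMPLE_CONF):
        why = ("is matched by ssl_bump terminate, which closes the connection"
               if term else "is not the last ACL of any http_access deny line")
        print(f"deny_info {target} {acl}: never used, {acl} {why}")
```

The result is the same whichever of the two lines comes first, because neither ordering puts blocked_https on an http_access deny line.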