[squid-users] Squid 3.5.15 - ERR_CONNECTION_REFUSED while accessing blocked non-HTTPS pages.
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 12 16:17:13 UTC 2017
SSL-Bump featres in Squid are still very volatile. What appear to be
minor change can have big behaviour differences and security fixes
between any two releases. It is not worth anyones time (including yours)
re-debugging and re-fixing an older release for things that have already
been fixed.
So, Rule #1 when using those features is to follow new releases. If any
problems are encountered try the very latest to see if it is fixed.
Today that is 3.5.25, or if 3.5 is still affected the 4.0.19 beta.
On 13/04/2017 2:24 a.m., Irakli Gobejishvili wrote:
> Hello everyone.
>
> I am successfully filtering HTTPS traffic with intercept/PBR setup and
> users get my custom ERR_ACCESS_DENIED page from Squid. Permitted pages
> (both HTTP/HTTPS) also work absolutely fine.
>
> The problem is, when users try to access filtered page with HTTP request,
> then they get ERR_CONNECTION_REFUSED in their browsers, instead of seeing
> that custom deny page and I see nothing in access.log, as if Squid never
> even got the request. If I remove that domain from deny ACL or access it
> via HTTPS, then it works fine and can be seen in access.log. What can I do
> to fix this?
What is the exact traffic behaviour that is going on?
"filtering HTTPS traffic with intercept/PBR setup" tells us nothing
about the tiny but critical input details that the security systems huge
differences in correct vs wrong behaviour hinge on.
and what do you think Squid is doing in reaction to that?
>
> Relevant fragment from configuration:
>
> acl CONNECT method CONNECT
> reply_header_access Alternate-Protocol deny all
>
> ssl_bump stare all
> ssl_bump bump all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
Ah, sure. Things can look like they are working well when you hide all
possible TLS/SSL errors from yourself (and the users).
Anything major could be going on and you simply not seeing it.
>
> acl BADSITES ssl::server_name "/etc/squid/BADSITES"
> acl USERS src 10.10.80.0/24
>
Missing:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_Ports
http_acecss deny !localhost manager
> http_access deny BADSITES USERS
> http_access allow USERS
>
Missing:
http_access deny all
> http_port 3128
> https_port 3130 intercept ssl-bump connection-auth=off
> generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
> cert=/etc/squid/ssl_cert/CA.pem
>
Amos
More information about the squid-users
mailing list