[squid-users] ssl bump and url_rewrite_program (like squidguard)

Edouard Gaulué listes at e-gaulue.com
Thu May 4 09:03:21 UTC 2017


Hi community,

Any news about this?

I've tried 3.5.25 but still observe this behaviour.

I understand it well since I read: 
https://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy

But how to let the CONNECT request succeed and later block/redirect next 
HTTP request coming through this established connection tunnel?

Best Regards,

Le 03/11/2015 à 23:48, Edouard Gaulué a écrit :
> Hi community,
>
> I've followed
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit  to
> set my server. It looks really interesting and it's said to be the more
> common configuration.
>
> I often observe (example here withwww.youtube.com) :
> ***************************
> The following error was encountered while trying to retrieve the URL:
> https://http/*
>
>     *Unable to determine IP address from host name "http"*
>
> The DNS server returned:
>
>     Name Error: The domain name does not exist.
> ****************************
>
> This happens while the navigator (Mozilla) is trying to get a frame at
> https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386? 
>
>
> That's ads so I'm not so fond of it...
>
> But this leads me to the fact I get this behavior each time the site is
> banned by squidguard.
>
> Is there something to do to avoid this behavior? I mean, squidguard
> should send :
>
> *********************************
>   Access denied
>
> Supplementary info     :
> Client address     =     192.168.XXX.XXX
> Client name     =     192.168.XXX.XXX
> User ident     =
> Client group     =     XXXXXXX
> URL     =     https://ad.doubleclick.net/
> Target class     =     ads
>
> If this is wrong, contact your administrator
> **********************************
>
> squidguard is an url_rewrite_program that looks to respect squid
> requirements. Redirect looks like this :
> http://proxyweb.myserver.mydomain/cgi-bin/squidGuard-simple.cgi?clientaddr=... 
>
>
> I've played arround trying to change the redirect URL and it leads me to
> the idea ssl_bump tries to analyse the part until the ":". Is there a way
> to avoid this? Is this just a configuration matter?
>
> Could putting a ssl_bump rule saying "every server that name match 
> "http" or
> "https" should splice" solve the problem?
>
> Regards, EG
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users




More information about the squid-users mailing list