[squid-users] ssl bump and url_rewrite_program (like squidguard)
Edouard Gaulué
listes at e-gaulue.com
Thu May 4 09:03:21 UTC 2017
Hi community,
Any news about this?
I've tried 3.5.25 but still observe this behaviour.
I understand it well since I read:
https://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
But how to let the CONNECT request succeed and later block/redirect next
HTTP request coming through this established connection tunnel?
Best Regards,
Le 03/11/2015 à 23:48, Edouard Gaulué a écrit :
> Hi community,
>
> I've followed
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit to
> set my server. It looks really interesting and it's said to be the more
> common configuration.
>
> I often observe (example here withwww.youtube.com) :
> ***************************
> The following error was encountered while trying to retrieve the URL:
> https://http/*
>
> *Unable to determine IP address from host name "http"*
>
> The DNS server returned:
>
> Name Error: The domain name does not exist.
> ****************************
>
> This happens while the navigator (Mozilla) is trying to get a frame at
> https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?
>
>
> That's ads so I'm not so fond of it...
>
> But this leads me to the fact I get this behavior each time the site is
> banned by squidguard.
>
> Is there something to do to avoid this behavior? I mean, squidguard
> should send :
>
> *********************************
> Access denied
>
> Supplementary info :
> Client address = 192.168.XXX.XXX
> Client name = 192.168.XXX.XXX
> User ident =
> Client group = XXXXXXX
> URL = https://ad.doubleclick.net/
> Target class = ads
>
> If this is wrong, contact your administrator
> **********************************
>
> squidguard is an url_rewrite_program that looks to respect squid
> requirements. Redirect looks like this :
> http://proxyweb.myserver.mydomain/cgi-bin/squidGuard-simple.cgi?clientaddr=...
>
>
> I've played arround trying to change the redirect URL and it leads me to
> the idea ssl_bump tries to analyse the part until the ":". Is there a way
> to avoid this? Is this just a configuration matter?
>
> Could putting a ssl_bump rule saying "every server that name match
> "http" or
> "https" should splice" solve the problem?
>
> Regards, EG
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list