[squid-users] v4.2 url_rewrite Uri.cc line 371 bad URL parsing on SSL

Amos Jeffries squid3 at treenet.co.nz
Thu Aug 16 10:14:45 UTC 2018


On 16/08/18 19:34, David Touzeau wrote:
> Thanks Amos for details.
> 
> Working like a charm now.
> 
> Instead of sending https://192.168.1.122:443/myguard.php?rule-id=0&.... 
> 
> Helper sends 192.168.1.122:443 
> 

That is only useful if the server at that IP:port can present the client
with a TLS certificate valid for the server the client thinks it is
connected to, i.e. all the SSL-Bump equivalent logic is in that server.

In which case there is likely no point to having the traffic NAT'ed to
Squid. Just have your NAT and/or routing send it directly into that server.

> 
> "url_rewrite_access deny CONNECT" is not a solution because everything uses SSL today (thanks to Google, which wants to encrypt all the Net and make proxies/firewalls/ICAP unusable) and many porn/malware/hacking/hacked websites use SSL.
> 

If you are SSL-Bump'ing in Squid then you need to not rewrite the
initial CONNECT message (or two); doing so will interfere with the server
which bumping is interacting with.

IIRC the at_step ACL type can be used in the *_access rules as well to
skip ("deny CONNECT foo") the helper query until the ssl_bump processing
is expected to be completed.

Amos
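As an added example of the helper side of what Amos describes (this is not code from the thread or from the Squid project): a url_rewrite helper that answers ERR to every CONNECT, so the initial CONNECT(s) of the bump handshake are never rewritten, and only acts on the decrypted requests that arrive after the bump. The guard URL, the block list, the helper path and the squid.conf lines shown in the docstring are assumptions; the request-line layout follows Squid's default url_rewrite_extras.

```python
#!/usr/bin/env python3
"""Squid url_rewrite helper that leaves CONNECT alone and only acts on
bumped (decrypted) requests.

Example code, not from the mailing-list post or the Squid project.
Assumed matching squid.conf (paths, ports and helper name are assumptions):
    url_rewrite_program /usr/local/bin/guard_rewriter.py
    url_rewrite_children 5 startup=2 idle=1 concurrency=10
    url_rewrite_access deny CONNECT
    url_rewrite_access allow all
With concurrency > 0 every request line starts with a channel-ID.
"""
import sys
from urllib.parse import urlsplit, urlencode

# Hypothetical guard page on the block server (same role as myguard.php in the thread).
GUARD_URL = "https://192.168.1.122/myguard.php"
# Constructed sample block list; a real helper would load this from a file or DB.
BLOCKED_HOSTS = {"bad.example", "www.bad.example"}


def parse_request(line):
    """Parse one helper request line.

    Layout with the default url_rewrite_extras
    ("%>a/%>A %un %>rm myip=%la myport=%lp"):
        [channel-ID] URL client_ip/fqdn user method myip=IP myport=PORT
    Returns a dict, or None for an empty line.
    """
    fields = line.strip().split()
    if not fields:
        return None
    channel = fields.pop(0) if fields[0].isdigit() else None  # concurrency channel-ID
    url = fields[0]
    client = fields[1] if len(fields) > 1 else "-/-"
    user = fields[2] if len(fields) > 2 else "-"
    method = fields[3] if len(fields) > 3 else "-"
    extras = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
    return {
        "channel": channel,
        "url": url,
        "client_ip": client.split("/", 1)[0],
        "user": user,
        "method": method.upper(),
        "extras": extras,
    }


def decide(req):
    """Return the helper result for a parsed request, without the channel-ID.

    CONNECT is never rewritten: during bumping Squid hands the helper the
    (fake) CONNECT for ip:port or sni:port, and rewriting it points the tunnel
    at a server that cannot present a certificate for the host the client
    expects. Only the decrypted requests that follow the bump are candidates
    for the guard page; those carry a full https:// URL and a normal method.
    """
    if req["method"] == "CONNECT":
        return "ERR"
    host = urlsplit(req["url"]).hostname
    if host and host.lower() in BLOCKED_HOSTS:
        # A redirect (rather than rewrite-url) lets the browser fetch the guard
        # page from the guard server under that server's own certificate.
        query = urlencode({"rule-id": "0", "url": req["url"], "client": req["client_ip"]})
        return 'OK status=302 url="%s?%s"' % (GUARD_URL, query)
    return "ERR"  # no change


def respond(line):
    """Full response line for one request line, channel-ID included."""
    req = parse_request(line)
    if req is None:
        return "BH"  # helper could not parse the request
    result = decide(req)
    if req["channel"] is not None:
        return "%s %s" % (req["channel"], result)
    return result


def main():
    # Squid talks over stdin/stdout; flush after every answer or Squid stalls.
    for line in sys.stdin:
        sys.stdout.write(respond(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With `url_rewrite_access deny CONNECT` in squid.conf the helper never sees a CONNECT at all; the CONNECT check in decide() is belt and braces for setups where that rule is missing, and it costs nothing.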

