[squid-users] deny_info and CONNECT for https request gives SSL error
Amish
anon.amish at gmail.com
Tue Oct 16 16:01:54 UTC 2018
On 16/10/18 9:05 PM, Alex Rousskov wrote:
> On 10/16/2018 06:29 AM, Amish wrote:
>
>> In my opinion correct flow should be like this:
>>
>> 1) Browser sends CONNECT request
>> 2) Check ACL
>> 3) If denied, return with 307 (or 302)
>> 4) If allowed, go ahead with tunneling / bumping as applicable
> Unfortunately, that ideal sequence does not work well in practice
> because popular browsers ignore CONNECT responses other than HTTP 200
> and 407. As a consequence, if you want to redirect "secure" browser
> traffic, Squid has to bump it first.
>
>
> HTH,
>
> Alex.
No, that's not correct.
The thing is that squid behaves differently for 2 exactly the same CONNECT
requests, the only difference being ssl-bump.
Case 1:
http_port 8080 #no ssl-bump
acl denyit src all
deny_info http://192.168.1.1/blocked.html denyit
http_access deny denyit
> curl -ix 192.168.1.1:8080 https://google.com
HTTP/1.1 307 Temporary Redirect
Server: squid/4.3
Mime-Version: 1.0
Date: Tue, 16 Oct 2018 12:01:41 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Location: http://192.168.1.1/blocked.html
X-Squid-Error: 403 Access Denied
X-Cache: MISS from somehost
X-Cache-Lookup: NONE from somehost:8080
Connection: keep-alive
Notice that squid is indeed responding with a code other than 200 or 407
for a CONNECT and HTTPS request.
So what you said does not seem to be correct.
Case 2:
http_port 8080 ssl-bump ...
acl denyit src all
deny_info http://192.168.1.1/blocked.html denyit
http_access deny denyit
> curl -ix 192.168.1.1:8080 https://google.com
HTTP/1.1 200 Connection established
curl: (60) SSL certificate problem: self signed certificate in
certificate chain
...
Case 1: Browser gives "Proxy connection refused" (or similar error).
Case 2: Browser gives "SSL certificate error".
Case 1 - Browser at least makes it clear to the end user that this is
something that the proxy is not allowing.
Case 2 - End user would be clueless about why there is an SSL error. He will
never know that it's blocked by the proxy.
To me case 1 is more appropriate response.
Please give a thought,
Thank you,
Amish.
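To check which of the two behaviours described above a given proxy actually exhibits, here is a small probe that sends a raw CONNECT request and classifies the reply (a deny_info redirect versus "200 Connection established"). This is an added example, not code from the thread or from Squid; the proxy address, target host and the two embedded sample replies are constructed from the cases quoted above.

```python
import socket

# Constructed samples, copied from the two cases in the post above.
SAMPLE_CASE1 = (b"HTTP/1.1 307 Temporary Redirect\r\n"
                b"Server: squid/4.3\r\n"
                b"Content-Length: 0\r\n"
                b"Location: http://192.168.1.1/blocked.html\r\n"
                b"X-Squid-Error: 403 Access Denied\r\n\r\n")
SAMPLE_CASE2 = b"HTTP/1.1 200 Connection established\r\n\r\n"

def parse_connect_response(raw: bytes) -> dict:
    """Parse the status line and headers of a proxy's reply to CONNECT."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": int(status), "reason": reason[0] if reason else "",
            "headers": headers}

def classify(resp: dict) -> str:
    """Map the CONNECT reply to what the client will experience."""
    status = resp["status"]
    if status == 200:
        # Tunnel established: with ssl-bump the deny only surfaces inside TLS,
        # which the browser reports as a certificate error (case 2).
        return "tunnel"
    if status in (301, 302, 303, 307, 308) and "location" in resp["headers"]:
        # deny_info redirect on CONNECT (case 1); most browsers ignore it and
        # show a generic proxy error instead of following Location.
        return "redirect"
    if 400 <= status < 600:
        return "denied"
    return "other"

def probe(proxy_host: str, proxy_port: int, target: str, port: int = 443,
          timeout: float = 5.0) -> dict:
    """Send one CONNECT to the proxy and return the parsed reply headers."""
    request = (f"CONNECT {target}:{port} HTTP/1.1\r\n"
               f"Host: {target}:{port}\r\n\r\n").encode()
    with socket.create_connection((proxy_host, proxy_port), timeout) as s:
        s.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_connect_response(buf)

if __name__ == "__main__":
    print(classify(probe("192.168.1.1", 8080, "google.com")))  # assumed proxy
```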