[squid-users] ssl-bump does not redirect to block page
Alex Rousskov
rousskov at measurement-factory.com
Mon Feb 11 02:28:24 UTC 2019
On 2/6/19 12:57 PM, Amos Jeffries wrote:
> On 7/02/19 3:52 am, leo messi wrote:
>> My squid config is something like this:
>> acl blk ssl::server_name .google.com
>> http_access deny blk
>> http_access allow all
>> ssl_bump peek step1
>> ssl_bump splice all
>> My problem is when I block some pages like google.com, my Firefox browser
>> shows "secure connection failed", but I want it to show a block page or
>> warning page. How can I do this?
> To cause anything at all to display in the browser you require fully
> decrypting the traffic.
Correct.
> aka the 'bump' action.
This part is misleading: Modern Squids _automatically_ bump connections
to report [access denied] errors -- no explicit bump action is required
(or even desirable). I do not know whether
* that bumping does not happen for leo (e.g., due to Squid bugs), or
* it does happen, but the browser refuses to show the error page anyway
(because of certificate pinning and/or because Squid did not have enough
information to properly bump the client connection using just step1
knowledge).
A packet capture or an ALL,2 cache.log may distinguish those two cases.
Alex.
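
The packet-capture check suggested above can be sketched as follows. This is an added example, not part of the original message and not Squid code; the function names are hypothetical. It assumes the TLS bytes of each direction after the ClientHello have already been extracted from the capture, and that a client alert, if any, is sent unencrypted (as in TLS 1.2).

```python
import struct

HANDSHAKE, ALERT = 22, 21   # TLS record content types
SERVER_HELLO = 2            # handshake message type
# RFC 5246 alert descriptions a client may send for a certificate it will not accept
CERT_ALERTS = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}

def tls_records(stream):
    """Yield (content_type, payload) for each complete TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than guess
        yield ctype, payload
        pos += 5 + length

def classify(from_squid, from_client):
    """Classify one connection from the bytes seen after the ClientHello.

    from_squid: bytes Squid sent to the client; from_client: bytes the client sent back.
    Assumes the ServerHello, if present, starts its own record.
    """
    bumped = any(t == HANDSHAKE and p[:1] == bytes([SERVER_HELLO])
                 for t, p in tls_records(from_squid))
    if not bumped:
        return "no ServerHello from Squid: connection was not bumped"
    for t, p in tls_records(from_client):
        if t == ALERT and len(p) == 2:   # plaintext alert: level, description
            name = CERT_ALERTS.get(p[1], "alert %d" % p[1])
            return "bumped, but client rejected the handshake: " + name
    return "bumped, no plaintext client alert seen"

def record(ctype, payload):
    """Build one TLS record (version field 0x0303) for the constructed samples."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

# Constructed sample streams, not taken from a real capture.
SERVER_HELLO_REC = record(HANDSHAKE, bytes([SERVER_HELLO, 0, 0, 2, 3, 3]))
UNKNOWN_CA_ALERT = record(ALERT, bytes([2, 48]))

if __name__ == "__main__":
    print(classify(b"", b""))                            # first case in the list above
    print(classify(SERVER_HELLO_REC, UNKNOWN_CA_ALERT))  # second case
```

With TLS 1.3 a client alert sent after the ServerHello is encrypted, so the last result does not by itself mean the browser accepted the certificate.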