[squid-users] deny_info page not shown

Matus UHLAR - fantomas uhlar at fantomas.sk
Fri Aug 28 08:31:41 UTC 2020


>> On 28/08/20 6:22 pm, Janos Dohanics wrote:
>> > Is there a way to have deny_info instruct browsers to reliably
>> > display the desired URL/page?

>On Fri, 28 Aug 2020 18:59:56 +1200
>Amos Jeffries <squid3 at treenet.co.nz> wrote:
>> No there is not. This is a security feature of Browsers not something
>> Squid can workaround.
>>
>> CONNECT is a request to open a TCP connection. Delivering an HTTP
>> page, or even a URL redirect in response to a TCP connection request
>> is completely the wrong type of result.
>>
>> Like asking someone to open a door because you have a load of things
>> needing to go through it - and they instead throw a basket of apples
>> at you. Not want you expected, and more harm than good.

On 28.08.20 04:23, Janos Dohanics wrote:
>Thanks for the explanation - so, the rationale for the http://... acl
>value in the deny_info directive is conditioned on "if the browser is
>willing"?

when you ask via HTTP for HTTP page and get HTTP answer, it is different
than asking via HTTP for CONNECT and getting CONNECT denied via HTTP.

in the latter case it is clear that the request was denied by proxy and
since secure content was requested, the insecure response must not be shown.

That's the security provided.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.


More information about the squid-users mailing list