[squid-users] Problems with HTTPS on Squid
Antony Stone
Antony.Stone at squid.open.source.it
Mon Jul 12 18:23:02 UTC 2021
On Monday 12 July 2021 at 20:12:03, Marcio B. wrote:

> I have the following problem on my Squid 4.6 on Debian 10.
>
> Squid does not redirect the user to the error page when blocking an HTTPS
> url. On HTTP it works correctly.

Short answer - it can't.

Longer answer - browser requests https://thing.example.com

Squid won't allow connection to thing.example.com, and wants to send the
browser to an error page instead.

The error page cannot possibly have the correct certificate for
https://thing.example.com (because that's signed by some genuine CA), so the
browser won't accept the error page as being valid.

Squid cannot even send an HTTP 302 redirect back to the browser, because that
also is HTTPS content, and would need to have the correct certification for the
browser to accept it and follow the redirect.

So, what you want is understandable, but not possible.

The only option I can think of is to add a CA certificate to all your browsers,
and get Squid (somehow; sorry, I don't know how) to issue either a redirect or
a substitute web page, claiming to be the original web server, and with a
certificate signed by that CA that your browsers now trust.

I suspect that involves transparent interception, but someone might know how /
whether it can be done.

Antony.
--
"The future is already here. It's just not evenly distributed yet."
- William Gibson
Please reply to the list;
please *don't* CC me.
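
An added example, not part of the original message or of Squid: what the client side of a blocked HTTPS request looks like when the client is configured to use the proxy explicitly (an assumption; the thread does not say which mode is in use). The toy proxy, the redirect target `proxy.example.net/blocked.html` and the function names are constructed for illustration, and Python's `http.client` stands in for the browser.

```python
import http.client
import socket
import threading

# Constructed refusal: a 302 pointing at a hypothetical block page.
BLOCK_REPLY = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://proxy.example.net/blocked.html\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)

def start_denying_proxy():
    """Toy proxy on 127.0.0.1 that refuses one CONNECT; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while b"\r\n\r\n" not in buf:  # read the CONNECT request head
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            conn.sendall(BLOCK_REPLY)      # sent in clear, before any TLS
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def fetch_via_proxy(host, proxy_port):
    """Request https://host/ through the proxy; return status or the error text."""
    client = http.client.HTTPSConnection("127.0.0.1", proxy_port, timeout=5)
    client.set_tunnel(host, 443)           # makes the client send CONNECT first
    try:
        client.request("GET", "/")
        return client.getresponse().status
    except OSError as exc:
        # The refusal answers CONNECT, not the GET, so there is no page to
        # show and no redirect to follow: the tunnel simply failed.
        return str(exc)
    finally:
        client.close()

if __name__ == "__main__":
    print(fetch_via_proxy("thing.example.com", start_denying_proxy()))
```

The client never reaches the TLS handshake with thing.example.com, so the `Location` header in the proxy's reply is reported as a tunnel failure rather than followed.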