[squid-users] Chrome auto-HTTPS-upgrade - not falling to http

Loučanský Lukáš technik at kjj.cz
Wed Apr 3 07:59:03 UTC 2024


My effort so far:


acl SquidTLSErrorConnect ssl_error SQUID_TLS_ERR_CONNECT

##############################
# unsupported protocol definitions
##############################
# define what Squid errors indicate receiving non-HTTP traffic:
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG

# define what Squid errors indicate receiving nothing:
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT

acl SquidSecureConnectFail squid_error ERR_SECURE_CONNECT_FAIL

# tunnel everything that does not look like HTTP:
on_unsupported_protocol tunnel foreignProtocol

# tunnel if we think the client waits for the server to talk first:
on_unsupported_protocol tunnel serverTalksFirstProtocol

#tunnel all for connection errors
on_unsupported_protocol tunnel SquidTLSErrorConnect
on_unsupported_protocol tunnel SquidSecureConnectFail


# in all other error cases, just send an HTTP "error page" response:
on_unsupported_protocol respond all

This is how it changed the behaviour (checked only with 
redir.netcentrum.cz so far)


1712126917.823      0 10.0.0.1 NONE_NONE/503 13605 GET 
https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html 
redir.netcentrum.cz
1712126918.842     23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126918.881      0 10.0.0.1 NONE_NONE/503 13605 GET 
https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html 
redir.netcentrum.cz
1712126919.116     21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126919.156      0 10.0.0.1 NONE_NONE/503 13605 GET 
https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html 
redir.netcentrum.cz
1712126918.839     19 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126918.845      0 10.0.0.1 NONE_NONE/503 13605 GET 
https://redir.netcentrum.cz/? - HIER_NONE/- text/html redir.netcentrum.cz
1712126919.113     19 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126919.119      0 10.0.0.1 NONE_NONE/503 13605 GET 
https://redir.netcentrum.cz/? - HIER_NONE/- text/html redir.netcentrum.cz
1712127729.466     66 10.0.0.1 TCP_MISS/200 719 GET 
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127729.516      9 10.0.0.1 TCP_MISS/403 424 GET 
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 
text/plain -
1712127768.494      8 10.0.0.1 TCP_MISS/200 794 GET 
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127768.544      7 10.0.0.1 TCP_MISS/403 424 GET 
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 
text/plain -
1712127833.348      9 10.0.0.1 TCP_MISS/200 794 GET 
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127833.486     15 10.0.0.1 TCP_MISS/403 424 GET 
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 
text/plain -
1712129450.601     27 10.0.0.1 TCP_MISS/200 851 GET 
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712129450.688      8 10.0.0.1 TCP_MISS/403 424 GET 
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 
text/plain -
1712130278.514     54 10.0.0.1 TCP_MISS/200 795 GET 
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712130278.565      9 10.0.0.1 TCP_MISS/403 422 GET 
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 
text/plain -
1712130282.165      9 10.0.0.1 TCP_MISS/200 815 GET 
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712130282.222      8 10.0.0.1 TCP_MISS/403 424 GET 
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 
text/plain -

I can see a clear change from GET https to GET http only. I have to check 
what else does not work and why. (For example, many users complained 
about heureka.cz subdomains not opening right with https.) I have to 
say - there are many less competent admins in the wild with self-signed or 
unmatched certificates on their websites, thinking they did the homework 
right. It is tough to explain to my users that the error page they are 
getting is not a result of faulty local gear - nor an attempt of the 
admin to spy on them or to block some sites etc.

LL

Dne 03.04.2024 v 8:14 Loučanský Lukáš napsal(a):
>
> Hello,
>
> this has recently started me up more than let it go. For a while 
> Chrome is upgrading in-page links to https. It is supposed to work 
> something like 
> https://www.bleepingcomputer.com/news/google/google-chrome-now-auto-upgrades-to-secure-connections-for-all-users/
>
> But there is a catch for me - my squid returns something like:
>
> (104) Connection reset by peer (TLS code: 
> SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104)
> Failed to establish a secure connection: [No Error]
>
> or
>
> [No Error] (TLS code: 
> SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=1408F10B+TLS_IO_ERR=1)
> Failed to establish a secure connection: error:1408F10B:SSL 
> routines:ssl3_get_record:wrong version number
>
> to the user - via error page
>
> Log file:
>
> 1712122364.809   1172 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
> 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode 
> peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph 
> - Error: ERR_SECURE_CONNECT_FAIL | 
> SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
> 1712122366.296     23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
> 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode 
> peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph 
> - Error: ERR_SECURE_CONNECT_FAIL | 
> SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
> 1712122366.293     21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
> 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode 
> peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph 
> - Error: ERR_SECURE_CONNECT_FAIL | 
> SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
> 1712122367.111     20 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
> 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode 
> peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph 
> - Error: ERR_SECURE_CONNECT_FAIL | 
> SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
> 1712122367.114     21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 
> 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode 
> peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph 
> - Error: ERR_SECURE_CONNECT_FAIL | 
> SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
>
> In fact - this seems to be http only sites like - 
> https://www.ssllabs.com/ssltest/analyze.html?d=www.jarovnet.org or 
> https://www.ssllabs.com/ssltest/analyze.html?d=redir.netcentrum.cz&s=46.255.231.158&latest. 
> See this snapshot from centrum web mail page source code "Více 
> informací o tomto zapezpečení naleznete v <a 
> href="http://napoveda.centrum.cz/index.php?/Knowledgebase/Article/View/18/1/" 
> "
>
> So - what is supposed to be happening is Chrome should fall back to 
> http if there is a problem with https - I think the most obvious 
> reason to fall back would be no output at all. So I think my effort 
> should target the situation when squid says ERR_SECURE_CONNECT_FAIL | 
> SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104 and to remain silent to 
> the client.
>
> Is there a way to do it - i.e. do not show an error page for not being able to 
> connect to the server at all? I'd like every other problem (i.e. 
> bad/self-signed/not matched certificate etc.) pushed to the client's 
> eyes. I have implemented 
> https://www.squid-cache.org/Doc/config/on_unsupported_protocol/ like 
> in the example - but it is for accepted TCP connections. I'd like 
> to handle SSL errors - such as not being able to connect at all. - 
> could it be done with 
> https://www.squid-cache.org/Doc/config/sslproxy_cert_error/?
>
> LL
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
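Added example, not part of the original post and not Squid's own code: a small Python parser that walks access.log lines like the ones posted above and reports, per origin host, how many tunnel attempts were aborted, how many Squid error pages were still handed to the browser, and whether the browser then came back over plain http (the "upgrade failed, fallback happened" sequence the poster is looking for). It assumes Squid's native access.log layout with one extra trailing field holding the TLS SNI (logformat code %ssl::>sni), which is what the posted lines look like; the sample lines and host names are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed log layout: Squid's native access.log fields
#   time elapsed client result/status bytes method url user hier/peer type
# followed by one optional trailing field, the TLS SNI (logformat %ssl::>sni).
# A different custom logformat needs a different regex.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
    r"(?:\s+(?P<sni>\S+))?\s*$"
)

# Constructed sample lines (not real traffic): one host whose HTTPS upgrade is
# tunnelled, aborted and then retried over plain http, one host that serves
# HTTPS normally, and one junk line that must be skipped.
SAMPLE_LOG = """\
1712126918.842     23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 192.0.2.10:443 - HIER_NONE/- - upgrade-fails.example
1712126918.881      0 10.0.0.1 NONE_NONE/503 13605 GET https://upgrade-fails.example/favicon.ico - HIER_NONE/- text/html upgrade-fails.example
1712127729.466     66 10.0.0.1 TCP_MISS/200 719 GET http://upgrade-fails.example/? - ORIGINAL_DST/192.0.2.10 text/html -
1712127729.516      9 10.0.0.1 TCP_MISS/403 424 GET http://upgrade-fails.example/favicon.ico - ORIGINAL_DST/192.0.2.10 text/plain -
1712127800.000     40 10.0.0.1 TCP_MISS/200 5120 GET https://tls-ok.example/ - ORIGINAL_DST/198.51.100.7 text/html tls-ok.example
not a squid log line
"""


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["elapsed"] = int(entry["elapsed"])
    return entry


def host_of(entry):
    """Key an entry by origin host: the logged SNI when present, else the URL's host."""
    sni = entry.get("sni")
    if sni and sni != "-":
        return sni.lower()
    if entry["method"] == "CONNECT":  # url is host:port (an IP address when intercepted)
        return entry["url"].rsplit(":", 1)[0].lower()
    return (urlsplit(entry["url"]).hostname or "").lower()


def classify(entry):
    """Map one entry to the step of the upgrade/fallback sequence it represents."""
    url = entry["url"]
    scheme = url.partition("://")[0] if "://" in url else ""
    result, status = entry["result"], entry["status"]
    if entry["method"] == "CONNECT" and status == 0 and result.endswith("ABORTED"):
        return "connect_aborted"      # tunnel attempt that ended without any reply
    if scheme == "https" and status == 503 and result == "NONE_NONE":
        return "https_error_page"     # Squid answered with its own error page
    if result.startswith("TCP_") and status < 500:
        return "https_served" if scheme == "https" else "http_served"
    return "other"


def summarize(lines):
    """Per-host counts, plus a flag for hosts that went aborted-HTTPS -> plain-http."""
    categories = ("connect_aborted", "https_error_page", "http_served", "https_served", "other")
    counts = defaultdict(lambda: dict.fromkeys(categories, 0))
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        counts[host_of(entry)][classify(entry)] += 1
    report = {}
    for host, c in counts.items():
        fell_back = c["connect_aborted"] > 0 and c["http_served"] > 0
        report[host] = dict(c, fell_back_to_http=fell_back)
    return report


if __name__ == "__main__":
    for host, row in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(host, row)
```

Run it against a real access.log with `summarize(open("access.log"))`. The fell_back_to_http flag picks out hosts where the silent tunnel abort did lead the browser back to http, while a non-zero https_error_page count for the same host shows that some requests (the favicon in the posted log) still got a Squid error page instead of silence, which is the part of the sequence the poster still wants to get rid of.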