Re: [squid-users] url_rewrite_program and https (secure) sites

From: Jim <jimothy76_at_gmail.com>
Date: Thu, 12 Mar 2009 13:56:43 +0000

Thanks Amos,

I can already do this correctly using an external acl and deny info
as you suggest. However IE8 (which is in final stage before release)
has a problem with squid error pages.

To try to explain. If my external ACL blocks a page it returns a squid
error page. This works fine with http as squid returns a http error
page. However over https if you block the page then squid returns http
content to a https request. Now in IE6 and 7 there is a "feature"
which allows the browser to display the first x bytes of data even if
it is http data to a https request. The value of x is low but
providing your pages are small it works.

Now IE 8 does NOT do this. If you return a squid http error page to a
https request you get an error and nothing displayed. This is why I am
looking for alternatives and have started looking at converting my
external acls perl scripts to a perl url_rewrite_program but have
again struggled with https (ssl) requests.

I hope this makes sense

Basically I need a way of blocking https requests based on a set of
rules. I can do the blocking with no problem. The issue is returning
an error page to the user because squid error pages are http and it
appears that redirectors can not redirect https requests to a http
error page.

Thanks

2009/3/12 Amos Jeffries <squid3_at_treenet.co.nz>:
> Jim wrote:
>>
>> Hi,
>> I have a url_rewrite_program that will redirect users to an
>> acceptable use policy page if they have not agreed to it before. This
>> works fine for any URL except for HTTPS requests.
>>
>> My log file tells me it is being re-written to my new URL but the
>> browser just shows error page.
>>
>> I have tried making the redirector divert to a https version of the
>> error page if it is a https request and a http version if a http
>> request but with no difference.
>>
>> One thing I have noticed and not sure if related or not. If the
>> request is HTTPS then the only thing passed to the rewrite program for
>> the url is the host and port. No path, scheme (protocol) etc is
>> passed. I believe this is because squid only has access to the host
>> for HTTPS requests (because they are encrypted).
>
> Squid does not receive such data for HTTPS. What it passes the redirector is
> all it sees.
> The CONNECT method is how HTTPS appears in logs and ACLs etc.
>
>>
>> Could this be related to my problem?
>>
>> The redirector will divert to
>> 302:http(s)www.mydomain.com/filtering/aup_handler.php if the user has
>> not agreed to the acceptable use policy. As I say fine for http but
>> can't get it to work with https.
>>
>> Can anybody help?
>
> HTTPS is not HTTP for Squid.
>
> Your better approach is to use an external ACL + http_access + deny_info
> page to do the redirection. That works for any protocol that can display
> error pages.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>  Current Beta Squid 3.1.0.6
>
Received on Thu Mar 12 2009 - 13:56:57 MDT

This archive was generated by hypermail 2.2.0 : Thu Mar 12 2009 - 12:00:02 MDT
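
The behaviour discussed in this thread, as an added example that is not code from either poster: a url_rewrite_program helper that recognises CONNECT requests, where only host:port is visible, and leaves them unrewritten, while plain HTTP requests get the 302 to the AUP page. Assumptions: the non-concurrent helper input layout `URL client_ip/fqdn ident method`, a hypothetical `agreed_clients` set keyed by client IP, the `http://` form of the AUP URL, and Python in place of the Perl scripts mentioned in the thread.

```python
import sys

# Assumed AUP location (host and path taken from the thread, scheme chosen here).
AUP_URL = "http://www.mydomain.com/filtering/aup_handler.php"

# Constructed sample input lines, not captured from a real proxy.
SAMPLE_HTTP = "http://example.com/index.html 192.0.2.10/- - GET"
SAMPLE_CONNECT = "secure.example.com:443 192.0.2.10/- - CONNECT"


def parse_line(line):
    """Split one helper input line into its fields; None if it is malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    url, client, ident, method = parts[:4]
    req = {"url": url, "client_ip": client.split("/", 1)[0],
           "ident": ident, "method": method, "host": None, "port": None}
    if method == "CONNECT":
        # For HTTPS the "URL" is only host:port: no scheme, no path.
        host, _, port = url.rpartition(":")
        req["host"], req["port"] = host, port
    return req


def rewrite(line, agreed_clients):
    """Return the helper reply: '' means 'leave the request unchanged'."""
    req = parse_line(line)
    if req is None:
        return ""
    if req["method"] == "CONNECT":
        # A 302 here is the case the thread reports as failing in the browser,
        # so the tunnel request is passed through and any blocking decision
        # is left to http_access rules.
        return ""
    if req["client_ip"] in agreed_clients:
        return ""
    return "302:" + AUP_URL


def main():
    agreed = set()  # hypothetical store of clients that accepted the AUP
    for line in sys.stdin:
        sys.stdout.write(rewrite(line, agreed) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer


if __name__ == "__main__":
    main()
```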