Jim wrote:
> Oops just realised this did not go to the user group but to you directly.
>
> I am reposting to user group now.
>
> My apologise for direct email
No worries.
The deny_info is performing the exact same actions as a redirector
would. Just without the helper overheads and sending an error code as
the status instead of 302/200.
IE8 not displaying any non-local error messages for CONNECT is a major
bug in IE. Sounds like that feature was a hack to get around the bug in
earlier IE.
The ONLY way to get HTTPS blocked with any kind of reasonable response
is to deny CONNECT to HTTPS ports _before_ the SSL stuff starts to happen.
Once the SSL starts, using a redirect is simply forcing the HTTPS
channel to your non-HTTPS server causes barfs. Working around this by
HTTPS-enabling your error message server will only change the problem
from a plain barf to a security attack warning for all clients (since
you are performing man-in-middle attack now).
Amos
>
> Jim
>
> 2009/3/12 Jim <jimothy76_at_gmail.com>:
>> Thanks Amos,
>>
>> I can already do this correctly usuing an external acl and deny info
>> as you suggest. However IE8 (which is in final stage before release)
>> has a problem with squid error pages.
>>
>> To try to explian. If my external ACL blocks a page it returns a squid
>> error page. this works fine with http as squid returns a http error
>> page. However over https if you block the page then squid returns http
>> content to a https request. Now in IE6 and 7 there is a "feature"
>> which allows the browser to display the first x bytes of data even if
>> it is http data to a https request. The value of x is low byt
>> providing your pages are small it works.
>>
>> Now IE 8 does NOT do this. If you return a squid http error page to a
>> https request you get an error and nothing displayed. This is why I am
>> looking for alternatives and have started looking at converting my
>> external acls perl scripts to a perl url_rewrite_program but have
>> again struggled with https (ssl) requests.
>>
>> I hope this makes sense
>>
>> Basically I need a way of blocking https requests based on a set of
>> rules. I can do the blockign with no problem. The issues is returning
>> an error page to the user because so squid error pages are http and it
>> appears that redirectors can not redirect https requests to a http
>> error page
>>
>> Thanks
>>
>> 2009/3/12 Amos Jeffries <squid3_at_treenet.co.nz>:
>>> Jim wrote:
>>>> Hi,
>>>> I have a url_rewrite_program that will redirect users to an
>>>> accepatable use policy page if they have not agreed to it before. THis
>>>> works fine for any URL except for HTTPS requests.
>>>>
>>>> My log file tells me it is being re-written to my new URL but the
>>>> browser just shows error page.
>>>>
>>>> I have tried making the redirector divert to a https version of the
>>>> error page if it is a https request and a http version if a http
>>>> request but with no difference.
>>>>
>>>> One thing I have noticed and not sure if related or not. If the
>>>> request is HTTPS then the only thing passed to the rewrite program for
>>>> the url is the host and port. No path, scheme (protocol) etc is
>>>> passed. I believe this is because squid only has access to the host
>>>> for HTTPS requests (because they are encrypted).
>>> Squid does not receive such data for HTTPS. What it pases the redirector is
>>> all it sees.
>>> The CONNECT method is how HTTPS appears in logs and ACLs etc.
>>>
>>>> Could this be relating to my problem.
>>>>
>>>> The redirector will divert to
>>>> 302:http(s)www.mydomain.com/filtering/aup_handler.php if the user has
>>>> not agreed to the acceptable use policy. As I say fine for http but
>>>> can;t get it to work with https.
>>>>
>>>> Can any body help?
>>> HTTPS is not HTTP for Squid.
>>>
>>> Your better approach is to use an external ACL + http_access + deny_info
>>> page to do the redirection. That works for any protocol that can display
>>> error pages.
>>>
>>> Amos
>>> --
>>> Please be using
>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>>> Current Beta Squid 3.1.0.6
>>>
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13 Current Beta Squid 3.1.0.6Received on Fri Mar 13 2009 - 00:40:34 MDT
This archive was generated by hypermail 2.2.0 : Fri Mar 13 2009 - 12:00:03 MDT