Re: [squid-users] url_rewrite_program and https (secure) sites

From: Jim <jimothy76_at_gmail.com>
Date: Fri, 13 Mar 2009 09:52:35 +0000

Just to clarify...

If I do a ..
http_access deny CONNECT

Then this happens before any SSL stuff, and therefore I can return an
HTTP page to an SSL request?

You also say that deny_info does the same as redirects but just sends an
error code rather than 302: redirects. If you use deny_info and
specify http://www.mydomain.com as the page to go to if denied, does
this cause Squid to issue a 302-type redirect? The reason I ask is
that I can redirect to a customised Squid error page for HTTPS
requests by using something like

http_access deny CONNECT
deny_info ERR_ACCESS_DENIED connect

but if I use
http_access deny CONNECT
deny_info http://www.mydomain.com/error_page.php connect

it fails, which makes me think that specifying a URL in deny_info
triggers a 302-style redirect (which does not work with HTTPS).

If only PHP was supported by the error pages, my problems would all be solved!!!

Any chance :)

Jim

2009/3/13 Amos Jeffries <squid3_at_treenet.co.nz>:
> Jim wrote:
>>
>> Oops just realised this did not go to the user group but to you directly.
>>
>> I am reposting to user group now.
>>
> >> My apologies for the direct email
>
> No worries.
>
> The deny_info is performing the exact same actions as a redirector would.
> Just without the helper overheads and sending an error code as the status
> instead of 302/200.
>
> IE8 not displaying any non-local error messages for CONNECT is a major bug
> in IE. Sounds like that feature was a hack to get around the bug in earlier
> IE.
>
> The ONLY way to get HTTPS blocked with any kind of reasonable response is to
> deny CONNECT to HTTPS ports _before_ the SSL stuff starts to happen.
>
> Once the SSL starts, using a redirect simply forces the HTTPS channel to
> your non-HTTPS server, which causes barfs. Working around this by HTTPS-enabling
> your error message server will only change the problem from a plain barf to
> a security attack warning for all clients (since you are performing a
> man-in-the-middle attack now).
>
> Amos
>>
>> Jim
>>
>> 2009/3/12 Jim <jimothy76_at_gmail.com>:
>>>
>>> Thanks Amos,
>>>
> >>> I can already do this correctly using an external ACL and deny_info
> >>> as you suggest. However IE8 (which is in the final stage before release)
> >>> has a problem with Squid error pages.
>>>
> >>> To try to explain: if my external ACL blocks a page it returns a Squid
> >>> error page. This works fine with HTTP, as Squid returns an HTTP error
> >>> page. However, over HTTPS, if you block the page then Squid returns HTTP
> >>> content to an HTTPS request. Now in IE6 and 7 there is a "feature"
> >>> which allows the browser to display the first x bytes of data even if
> >>> it is HTTP data to an HTTPS request. The value of x is low, but
> >>> providing your pages are small it works.
>>>
> >>> Now IE 8 does NOT do this. If you return a Squid HTTP error page to an
> >>> HTTPS request you get an error and nothing displayed. This is why I am
> >>> looking for alternatives and have started looking at converting my
> >>> external ACL perl scripts to a perl url_rewrite_program but have
> >>> again struggled with HTTPS (SSL) requests.
>>>
>>> I hope this makes sense
>>>
> >>> Basically I need a way of blocking HTTPS requests based on a set of
> >>> rules. I can do the blocking with no problem. The issue is returning
> >>> an error page to the user, because Squid error pages are HTTP and it
> >>> appears that redirectors cannot redirect HTTPS requests to an HTTP
> >>> error page.
>>>
>>> Thanks
>>>
>>> 2009/3/12 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>>
>>>> Jim wrote:
>>>>>
>>>>> Hi,
> >>>> I have a url_rewrite_program that will redirect users to an
> >>>> acceptable use policy page if they have not agreed to it before. This
> >>>> works fine for any URL except for HTTPS requests.
>>>>>
>>>>> My log file tells me it is being re-written to my new URL but the
>>>>> browser just shows error page.
>>>>>
> >>>> I have tried making the redirector divert to an HTTPS version of the
> >>>> error page if it is an HTTPS request and an HTTP version if it is an HTTP
> >>>> request, but with no difference.
>>>>>
>>>>> One thing I have noticed and not sure if related or not. If the
>>>>> request is HTTPS then the only thing passed to the rewrite program for
>>>>> the url is the host and port. No path, scheme (protocol) etc is
>>>>> passed. I believe this is because squid only has access to the host
>>>>> for HTTPS requests (because they are encrypted).
>>>>
> >>>> Squid does not receive such data for HTTPS. What it passes the redirector
> >>>> is all it sees.
> >>>> The CONNECT method is how HTTPS appears in logs and ACLs etc.
>>>>
>>>>> Could this be relating to my problem.
>>>>>
> >>>> The redirector will divert to
> >>>> 302:http(s)www.mydomain.com/filtering/aup_handler.php if the user has
> >>>> not agreed to the acceptable use policy. As I say, fine for HTTP but I
> >>>> can't get it to work with HTTPS.
>>>>>
>>>>> Can any body help?
>>>>
>>>> HTTPS is not HTTP for Squid.
>>>>
>>>> Your better approach is to use an external ACL + http_access + deny_info
>>>> page to do the redirection. That works for any protocol that can display
>>>> error pages.
>>>>
>>>> Amos
>>>> --
>>>> Please be using
>>>>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>>>>  Current Beta Squid 3.1.0.6
>>>>
>
>
> --
> Please be using
>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>  Current Beta Squid 3.1.0.6
>
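An added worked example of the arrangement Amos recommends (external ACL + http_access + deny_info, with CONNECT denied before any TLS starts). This is not code from the thread or from the Squid project; Jim's helpers are perl, this one is Python so it can be read stand-alone. The squid.conf fragment, the helper path /usr/local/bin/aup_helper.py, the error template name ERR_AUP_REQUIRED, the localnet range and the accepted-client list are all assumptions for illustration. What is not assumed is the helper protocol: Squid's external_acl_type sends one line per lookup built from the format tokens (here only %SRC, the client IP) and expects one reply line, "OK" or "ERR". Two acl names are bound to the same helper because deny_info is keyed by acl name: the plain-HTTP acl gets a URL, which Squid answers with a 302 to that URL (the behaviour Jim inferred), while the CONNECT acl gets an error template, which Squid answers with a 403 carrying the template body, since a browser treats a 302 to its CONNECT as a failed tunnel rather than something to follow.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper for an acceptable-use-policy (AUP) check.

Added example, not code from the thread or the Squid project.  Assumed
squid.conf fragment (Squid 2.7 / 3.0 syntax; all names are illustrative):

    external_acl_type aup_check ttl=60 %SRC /usr/local/bin/aup_helper.py
    acl aup_ok      external aup_check
    acl aup_ok_ssl  external aup_check   # same helper, second name so it can
                                         # carry a different deny_info
    acl CONNECT method CONNECT
    acl localnet src 192.0.2.0/24

    # Plain HTTP: a URL in deny_info makes Squid answer with a 302 to the AUP page.
    http_access deny !CONNECT !aup_ok
    deny_info http://www.mydomain.com/filtering/aup_handler.php aup_ok

    # HTTPS: deny the CONNECT itself, before any TLS, and answer with an error
    # template (403 + template body) rather than a 302, which a browser will
    # not follow on a CONNECT.
    http_access deny CONNECT !aup_ok_ssl
    deny_info ERR_AUP_REQUIRED aup_ok_ssl

    http_access allow localnet
    http_access deny all

Squid writes one line per lookup on the helper's stdin, formatted per the
tokens in external_acl_type (here only %SRC), and reads one reply line,
"OK" or "ERR", from the helper's stdout.
"""
import sys

# Constructed sample data: clients that have already accepted the AUP.  A real
# deployment would look this up in whatever store aup_handler.php writes to.
ACCEPTED_CLIENTS = {"192.0.2.10", "192.0.2.11"}


def decide(request_line, accepted=ACCEPTED_CLIENTS):
    """Map one request line from Squid to the helper reply "OK" or "ERR".

    With the assumed "%SRC" format the line is just the client address.  Any
    unexpected shape (empty line, extra tokens) is answered "ERR", so a
    protocol surprise fails closed (request denied) rather than open.
    """
    fields = request_line.strip().split()
    if len(fields) != 1:
        return "ERR"
    return "OK" if fields[0] in accepted else "ERR"


def serve(instream=sys.stdin, outstream=sys.stdout, accepted=ACCEPTED_CLIENTS):
    """Run the helper loop until Squid closes stdin."""
    for line in instream:
        outstream.write(decide(line, accepted) + "\n")
        # Squid waits for each reply before the request proceeds; without the
        # flush, block-buffered stdout would stall the client's request.
        outstream.flush()


if __name__ == "__main__":
    serve()
```

Install the file executable at the path named in external_acl_type and reload Squid. Two caveats: the helper assumes the default, non-concurrent protocol, so if concurrency= is turned on in external_acl_type each line arrives prefixed with a channel ID that must be echoed back in the reply; and the denied CONNECT still produces an HTTP error body inside the CONNECT reply, which, as the thread says, IE8 will not display, so the template is useful for browsers that do show it and for logs, not as a guaranteed user-visible page.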
Received on Fri Mar 13 2009 - 09:52:46 MDT

This archive was generated by hypermail 2.2.0 : Sun Mar 15 2009 - 12:00:03 MDT