Re: [squid-users] Is it possible to have a deny_info page for CONNECT method/ACL?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 29 Jan 2011 02:37:38 +1300

On 29/01/11 02:02, Jason Doran wrote:
> RHEL6
> squid-3.1.4-1.el6.x86_64
> kernel 2.6.32-71.14.1.el6.x86_64
>
> Hi,
>
> I suspect this is not possible, but I thought I would ask anyway. I have:
>
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> http_access deny CONNECT !SSL_ports
>
>
> When a user tries a CONNECT to !SSL_ports, the error in the browser is
> something like:
>
> The proxy server is refusing connections
>
> I have tried to put in a deny_info directive to perhaps give a more
> meaningful error to the user to say that this port is
> not allowed. I have deny_info working for other acls. Is it possible to
> give a custom error message with the CONNECT acl/method?
>
> Regards,
> Jason Doran
> National University of Ireland, Maynooth
>

It is both possible and not possible.

No...

Modern browsers have been targeted with attacks sent in the body of such
rejection replies. So they now reject any body data we send.

HTTP 302 status code is also very problematic with CONNECT due to its
handling by browsers. They often drop it as an error to prevent
themselves trouble.

Yes...

In order to get anything useful to happen the deny_info must perform a
URL redirect with a 307 status code. And the browser must support
correct RFC 2616 handling of that status code.

Support for 307 has been added to 3.1 since the last formal package. So
you will need to build one of the recent 3.1 daily update bundles.

As of this writing Firefox or Iceweasel are the only known browsers to
handle this correctly.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
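The configuration the reply describes, written out as an added example rather than taken from either message in the thread. It keeps Jason's three lines and adds the deny_info form that makes Squid answer the rejected CONNECT with a 307 redirect instead of a 403 with a body. The error page host (errors.example.net) and page name are placeholders; the note about which ACL name to use in deny_info follows Squid's rule that deny_info is matched against the last ACL on the http_access line that caused the denial, which here is SSL_ports (negated), not CONNECT.

```squid
# Only allow CONNECT tunnels to port 443 (as in the original question)
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# deny_info is keyed on the LAST acl of the denying http_access line,
# i.e. SSL_ports here, even though it is negated on that line.
# The "307:" prefix tells Squid to reply with a Temporary Redirect to the
# given URL rather than a 403 error page with a body (which browsers
# discard for CONNECT). This form needs a 3.1 build that includes 307
# support; the placeholder URL must be an http:// page the client can
# reach without going through this same denied CONNECT.
deny_info 307:http://errors.example.net/connect-port-denied.html SSL_ports
```

To see what Squid actually sends back, `curl -v --proxytunnel -x http://proxy.example:3128 http://example.com:8080/` (host names assumed) makes curl issue `CONNECT example.com:8080` through the proxy and prints the proxy's status line and Location header; a 403 means the build lacks 307 deny_info support, and a 302 will be dropped by most browsers as the reply notes. Whether the user ever sees the page still depends on the browser honouring a 307 on CONNECT, which at the time of the thread only Firefox and Iceweasel did.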
Received on Fri Jan 28 2011 - 13:37:49 MST