Jim wrote:
Oops just realised this did not go to the user group but to you directly.
I am reposting to user group now.
My apologies for the direct email.
No worries.
The deny_info is performing the exact same actions as a redirector
would. Just without the helper overheads and sending an error code as
the status instead of 302/200.
IE8 not displaying any non-local error messages for CONNECT is a major
bug in IE. Sounds like that feature was a hack to get around the bug in
earlier IE.
The ONLY way to get HTTPS blocked with any kind of reasonable response
is to deny CONNECT to HTTPS ports _before_ the SSL stuff starts to happen.
Once the SSL starts, using a redirect simply forces the HTTPS
channel to your non-HTTPS server, which causes barfs. Working around this by
HTTPS-enabling your error message server will only change the problem
from a plain barf to a security attack warning for all clients (since
you are performing a man-in-the-middle attack now).
Amos
Jim
2009/3/12 Jim <jimothy76@xxxxxxxxx>:
Thanks Amos,
I can already do this correctly using an external acl and deny_info
as you suggest. However IE8 (which is in final stage before release)
has a problem with squid error pages.
To try to explain. If my external ACL blocks a page it returns a squid
error page. This works fine with http as squid returns a http error
page. However over https if you block the page then squid returns http
content to a https request. Now in IE6 and 7 there is a "feature"
which allows the browser to display the first x bytes of data even if
it is http data to a https request. The value of x is low but
providing your pages are small it works.
Now IE 8 does NOT do this. If you return a squid http error page to a
https request you get an error and nothing displayed. This is why I am
looking for alternatives and have started looking at converting my
external acls perl scripts to a perl url_rewrite_program but have
again struggled with https (ssl) requests.
I hope this makes sense
Basically I need a way of blocking https requests based on a set of
rules. I can do the blocking with no problem. The issue is returning
an error page to the user because squid error pages are http and it
appears that redirectors can not redirect https requests to a http
error page
Thanks
2009/3/12 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
Jim wrote:
Hi,
I have a url_rewrite_program that will redirect users to an
acceptable use policy page if they have not agreed to it before. This
works fine for any URL except for HTTPS requests.
My log file tells me it is being re-written to my new URL but the
browser just shows error page.
I have tried making the redirector divert to a https version of the
error page if it is a https request and a http version if a http
request but with no difference.
One thing I have noticed and not sure if related or not. If the
request is HTTPS then the only thing passed to the rewrite program for
the url is the host and port. No path, scheme (protocol) etc is
passed. I believe this is because squid only has access to the host
for HTTPS requests (because they are encrypted).
Squid does not receive such data for HTTPS. What it passes the redirector is
all it sees.
The CONNECT method is how HTTPS appears in logs and ACLs etc.
Could this be related to my problem?
The redirector will divert to
302:http(s)www.mydomain.com/filtering/aup_handler.php if the user has
not agreed to the acceptable use policy. As I say fine for http but
can't get it to work with https.
Can any body help?
HTTPS is not HTTP for Squid.
Your better approach is to use an external ACL + http_access + deny_info
page to do the redirection. That works for any protocol that can display
error pages.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.6
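A squid.conf fragment implementing the approach Amos describes here (external ACL + http_access + deny_info) and in his later reply (deny the CONNECT to the HTTPS port before any SSL traffic starts), as an added example that is not part of the thread. The helper path, the ACL names, the ERR_AUP_REQUIRED template and the port list are assumptions.

```conf
# Added example, not from the thread. Helper path, ACL names, the
# ERR_AUP_REQUIRED template name and the port list are assumptions.

# External ACL helper. Squid writes one line per lookup in the %SRC %DST
# format below; for a CONNECT request %DST is only host:port, which is
# exactly what Jim saw his redirector receive. The helper replies with a
# single line, "OK" (user has agreed to the AUP) or "ERR" (user has not).
external_acl_type aup_check ttl=60 negative_ttl=10 children=5 %SRC %DST /usr/local/squid/libexec/aup_check.pl
acl aup_agreed external aup_check

acl CONNECT method CONNECT
acl SSL_ports port 443

# Custom template placed in the Squid errors directory; it is an ordinary
# HTML error page and can carry a plain-http link to the AUP handler page.
# deny_info is keyed on the last ACL of the http_access line that denied,
# here aup_agreed.
deny_info ERR_AUP_REQUIRED aup_agreed

# Deny the CONNECT itself, before any SSL bytes flow. The browser then
# receives an HTTP error status in reply to an HTTP request, never http
# content on an https channel, so nothing has to be redirected mid-tunnel.
# This line must come before any http_access allow rule that would admit
# the CONNECT.
http_access deny CONNECT SSL_ports !aup_agreed

# Same policy for plain-http requests, using the same helper.
http_access deny !aup_agreed

# ... the usual allow rules follow (localnet is assumed to be defined) ...
http_access allow localnet
http_access deny all
```

Because the helper is consulted for every CONNECT, the ttl values keep the lookup cost bounded once a client has agreed.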