Just to clarify... If I do a

  http_access deny CONNECT

then this happens before any SSL stuff and therefore I can return an HTTP page to an SSL request?

You also say that deny_info does the same as redirects but just sends an error code rather than 302: redirects. If you use deny_info and specify http://www.mydomain.com as the page to go to if denied, does this cause Squid to issue a 302-type redirect?

The reason I ask is that I can redirect to a customised Squid error page for HTTPS requests by using something like

  http_access deny CONNECT
  deny_info ERR_ACCESS_DENIED connect

but if I use

  http_access deny CONNECT
  deny_info http://www.mydomain.com/error_page.php connect

it fails, which makes me think that specifying a URL in deny_info triggers a 302-style redirect (which does not work with HTTPS).

If only PHP was supported by the error pages my problems would all be solved!!! Any chance :)

Jim

2009/3/13 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> Jim wrote:
>>
>> Oops, just realised this did not go to the user group but to you directly.
>>
>> I am reposting to the user group now.
>>
>> My apologies for the direct email.
>
> No worries.
>
> The deny_info is performing the exact same actions as a redirector would.
> Just without the helper overheads and sending an error code as the status
> instead of 302/200.
>
> IE8 not displaying any non-local error messages for CONNECT is a major bug
> in IE. Sounds like that feature was a hack to get around the bug in earlier
> IE.
>
> The ONLY way to get HTTPS blocked with any kind of reasonable response is to
> deny CONNECT to HTTPS ports _before_ the SSL stuff starts to happen.
>
> Once the SSL starts, using a redirect simply forces the HTTPS channel to
> your non-HTTPS server, which causes barfs. Working around this by HTTPS-enabling
> your error message server will only change the problem from a plain barf to
> a security attack warning for all clients (since you are performing a
> man-in-the-middle attack now).
>
> Amos
>>
>> Jim
>>
>> 2009/3/12 Jim <jimothy76@xxxxxxxxx>:
>>>
>>> Thanks Amos,
>>>
>>> I can already do this correctly using an external ACL and deny_info
>>> as you suggest. However IE8 (which is in the final stage before release)
>>> has a problem with Squid error pages.
>>>
>>> To try to explain: if my external ACL blocks a page it returns a Squid
>>> error page. This works fine with HTTP as Squid returns an HTTP error
>>> page. However over HTTPS, if you block the page then Squid returns HTTP
>>> content to an HTTPS request. Now in IE6 and 7 there is a "feature"
>>> which allows the browser to display the first x bytes of data even if
>>> it is HTTP data to an HTTPS request. The value of x is low, but
>>> providing your pages are small it works.
>>>
>>> Now IE 8 does NOT do this. If you return a Squid HTTP error page to an
>>> HTTPS request you get an error and nothing displayed. This is why I am
>>> looking for alternatives and have started looking at converting my
>>> external ACL Perl scripts to a Perl url_rewrite_program but have
>>> again struggled with HTTPS (SSL) requests.
>>>
>>> I hope this makes sense.
>>>
>>> Basically I need a way of blocking HTTPS requests based on a set of
>>> rules. I can do the blocking with no problem. The issue is returning
>>> an error page to the user, because Squid error pages are HTTP and it
>>> appears that redirectors cannot redirect HTTPS requests to an HTTP
>>> error page.
>>>
>>> Thanks
>>>
>>> 2009/3/12 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>>
>>>> Jim wrote:
>>>>>
>>>>> Hi,
>>>>> I have a url_rewrite_program that will redirect users to an
>>>>> acceptable use policy page if they have not agreed to it before. This
>>>>> works fine for any URL except for HTTPS requests.
>>>>>
>>>>> My log file tells me it is being re-written to my new URL but the
>>>>> browser just shows an error page.
>>>>>
>>>>> I have tried making the redirector divert to an HTTPS version of the
>>>>> error page if it is an HTTPS request and an HTTP version if an HTTP
>>>>> request, but with no difference.
>>>>>
>>>>> One thing I have noticed, and not sure if related or not: if the
>>>>> request is HTTPS then the only thing passed to the rewrite program for
>>>>> the URL is the host and port. No path, scheme (protocol) etc. is
>>>>> passed. I believe this is because Squid only has access to the host
>>>>> for HTTPS requests (because they are encrypted).
>>>>
>>>> Squid does not receive such data for HTTPS. What it passes the redirector
>>>> is all it sees.
>>>> The CONNECT method is how HTTPS appears in logs and ACLs etc.
>>>>
>>>>> Could this be relating to my problem?
>>>>>
>>>>> The redirector will divert to
>>>>> 302:http(s)www.mydomain.com/filtering/aup_handler.php if the user has
>>>>> not agreed to the acceptable use policy. As I say, fine for HTTP but
>>>>> can't get it to work with HTTPS.
>>>>>
>>>>> Can anybody help?
>>>>
>>>> HTTPS is not HTTP for Squid.
>>>>
>>>> Your better approach is to use an external ACL + http_access + deny_info
>>>> page to do the redirection. That works for any protocol that can display
>>>> error pages.
>>>>
>>>> Amos
>>>> --
>>>> Please be using
>>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>>>> Current Beta Squid 3.1.0.6
>>>>
>
>
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
> Current Beta Squid 3.1.0.6
>
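The approach Amos recommends in the thread (external ACL + http_access + deny_info, with CONNECT denied before any TLS handshake starts) is easiest to see with a concrete helper. The following is an added example written for this page, not code from the thread or from the Squid project: a minimal external ACL helper that answers OK when the requesting client IP has already accepted the acceptable-use policy and ERR otherwise, so that an `http_access deny CONNECT !aup_ok` line can hand the browser Squid's plain-HTTP error page while the connection is still plain HTTP. The helper name `aup_check`, the ACL name `aup_ok`, the error page name `ERR_AUP_REQUIRED`, the path `/usr/local/bin/aup_check.py` and the list of accepting clients are all hypothetical; the list is embedded inline as constructed sample data and would normally be read from a file or database.

```python
#!/usr/bin/env python3
"""Added example: a Squid external ACL helper for an acceptable-use policy gate.

Hypothetical squid.conf fragment this helper assumes (names are illustrative):

  external_acl_type aup_check ttl=60 %SRC /usr/local/bin/aup_check.py
  acl aup_ok external aup_check
  acl CONNECT method CONNECT
  # Deny CONNECT before the TLS tunnel exists, so Squid's own HTTP error page
  # can still reach the browser; deny_info binds to the last ACL on the line.
  http_access deny CONNECT !aup_ok
  deny_info ERR_AUP_REQUIRED aup_ok
  http_access deny !aup_ok
  deny_info ERR_AUP_REQUIRED aup_ok

Squid writes one lookup line per request on stdin (here just %SRC, the client
IP) and expects exactly one reply line, "OK" or "ERR", per lookup.  The
concurrency= option is assumed to be off, so no channel-ID prefix is used.
"""
import ipaddress
import sys

# Constructed sample data: clients that have already clicked "I agree".
ACCEPTED_DB = """\
# one client IP per line; comments and blank lines are ignored
192.0.2.10
192.0.2.11
not-a-valid-entry
"""


def load_accepted(text):
    """Parse the accepted-client list into a set of ip_address objects."""
    accepted = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.add(ipaddress.ip_address(line))
        except ValueError:
            # A malformed entry must not grant or deny anyone by accident;
            # skip it rather than aborting the helper.
            continue
    return accepted


def decide(lookup_line, accepted):
    """Return the reply for one Squid lookup line in %SRC format."""
    fields = lookup_line.strip().split()
    if not fields:
        return "ERR"
    try:
        src = ipaddress.ip_address(fields[0])
    except ValueError:
        # Fail closed: anything we cannot parse has not accepted the policy.
        return "ERR"
    return "OK" if src in accepted else "ERR"


def reply_lines(lookup_lines, accepted):
    """Yield one reply per lookup line, in order (Squid relies on ordering)."""
    for line in lookup_lines:
        yield decide(line, accepted)


def serve(stdin, stdout, accepted):
    """Run the helper loop until Squid closes stdin."""
    for reply in reply_lines(stdin, accepted):
        stdout.write(reply + "\n")
        stdout.flush()  # Squid blocks on each reply; never leave it buffered


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, load_accepted(ACCEPTED_DB))
```

Two design points worth noting: the helper fails closed (ERR) on empty or unparsable input, and it flushes after every reply, since an unflushed reply stalls the request in Squid until the buffer fills. The `ttl=60` on the `external_acl_type` line keeps Squid from re-running the lookup for every CONNECT from the same client within a minute, which matters because browsers open many tunnels per page.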