Re: url_rewrite_program and https (secure) sites

Jim wrote:
> Just to clarify...
>
> If I do a ..
> http_access deny CONNECT
>
> Then this happens before any ssl stuff and therefore I can return a
> http page to a ssl request?

Yes.

> You also say that deny_info does same as redirects but just sends
> error code rather than 302: redirects. If you use deny_info and
> specify a http://www.mydomain.com as the page to go to if denied, does
> this cause squid to issue a 302 type redirect? Reason I ask is
> that I can redirect to a customised squid error page for https
> requests by using something like
>
> http_access deny CONNECT
> deny_info ERR_ACCESS_DENIED connect
>
> but if I use
> http_access deny CONNECT
> deny_info http://www.mydomain.com/error_page.php connect
>
> it fails, which makes me think that specifying a URL in deny_info
> triggers a 302 style redirect (which does not work with https).

case-sensitive names + order-sensitive rules IIRC.

> If only php was supported by the error pages my problems would all be solved!!!
>
> Any chance :)
>
> Jim
>
> 2009/3/13 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>> Jim wrote:
>>> Oops just realised this did not go to the user group but to you directly.
>>>
>>> I am reposting to user group now.
>>>
>>> My apologies for direct email
>>
>> No worries.
>>
>> The deny_info is performing the exact same actions as a redirector would.
>> Just without the helper overheads and sending an error code as the status
>> instead of 302/200.
>>
>> IE8 not displaying any non-local error messages for CONNECT is a major bug
>> in IE. Sounds like that feature was a hack to get around the bug in earlier
>> IE.
>>
>> The ONLY way to get HTTPS blocked with any kind of reasonable response is to
>> deny CONNECT to HTTPS ports _before_ the SSL stuff starts to happen.
>>
>> Once the SSL starts, using a redirect is simply forcing the HTTPS channel to
>> your non-HTTPS server, which causes barfs. Working around this by HTTPS-enabling
>> your error message server will only change the problem from a plain barf to
>> a security attack warning for all clients (since you are performing a
>> man-in-the-middle attack now).
>>
>> Amos
>>
>>> Jim
>>>
>>> 2009/3/12 Jim <jimothy76@xxxxxxxxx>:
>>>> Thanks Amos,
>>>>
>>>> I can already do this correctly using an external acl and deny_info
>>>> as you suggest. However IE8 (which is in final stage before release)
>>>> has a problem with squid error pages.
>>>>
>>>> To try to explain. If my external ACL blocks a page it returns a squid
>>>> error page. This works fine with http as squid returns a http error
>>>> page. However over https if you block the page then squid returns http
>>>> content to a https request. Now in IE6 and 7 there is a "feature"
>>>> which allows the browser to display the first x bytes of data even if
>>>> it is http data to a https request. The value of x is low but
>>>> providing your pages are small it works.
>>>>
>>>> Now IE 8 does NOT do this. If you return a squid http error page to a
>>>> https request you get an error and nothing displayed. This is why I am
>>>> looking for alternatives and have started looking at converting my
>>>> external acl perl scripts to a perl url_rewrite_program but have
>>>> again struggled with https (ssl) requests.
>>>>
>>>> I hope this makes sense
>>>>
>>>> Basically I need a way of blocking https requests based on a set of
>>>> rules. I can do the blocking with no problem. The issue is returning
>>>> an error page to the user because squid error pages are http and it
>>>> appears that redirectors can not redirect https requests to a http
>>>> error page
>>>>
>>>> Thanks
>>>>
>>>> 2009/3/12 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>>>> Jim wrote:
>>>>>> Hi,
>>>>>> I have a url_rewrite_program that will redirect users to an
>>>>>> acceptable use policy page if they have not agreed to it before. This
>>>>>> works fine for any URL except for HTTPS requests.
>>>>>>
>>>>>> My log file tells me it is being re-written to my new URL but the
>>>>>> browser just shows error page.
>>>>>>
>>>>>> I have tried making the redirector divert to a https version of the
>>>>>> error page if it is a https request and a http version if a http
>>>>>> request but with no difference.
>>>>>>
>>>>>> One thing I have noticed and not sure if related or not. If the
>>>>>> request is HTTPS then the only thing passed to the rewrite program for
>>>>>> the url is the host and port. No path, scheme (protocol) etc is
>>>>>> passed. I believe this is because squid only has access to the host
>>>>>> for HTTPS requests (because they are encrypted).
>>>>>
>>>>> Squid does not receive such data for HTTPS. What it passes the redirector
>>>>> is all it sees.
>>>>> The CONNECT method is how HTTPS appears in logs and ACLs etc.
>>>>>
>>>>>> Could this be relating to my problem.
>>>>>>
>>>>>> The redirector will divert to
>>>>>> 302:http(s)www.mydomain.com/filtering/aup_handler.php if the user has
>>>>>> not agreed to the acceptable use policy. As I say fine for http but
>>>>>> can't get it to work with https.
>>>>>>
>>>>>> Can any body help?
>>>>>
>>>>> HTTPS is not HTTP for Squid.
>>>>>
>>>>> Your better approach is to use an external ACL + http_access + deny_info
>>>>> page to do the redirection. That works for any protocol that can display
>>>>> error pages.
>>>>>
>>>>> Amos

--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6
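The approach Amos recommends in this thread (external ACL + http_access + deny_info, with CONNECT denied before the SSL tunnel is set up) needs an external_acl helper. The script below is an added example, not code from the thread or from the Squid project: a minimal helper that speaks Squid's external ACL protocol (one request line in, one `OK`/`ERR` line out) and answers `OK` only for client addresses that have accepted the acceptable use policy. The squid.conf lines in the docstring, the helper path, the ACL names `aup_check`/`aup_agreed`, the `%SRC` format and the sample IP addresses are all assumptions made for the example; a real deployment would look the client up wherever the AUP handler page records acceptances rather than in the constructed in-memory set used here.

```python
#!/usr/bin/env python3
"""Squid external_acl helper: OK if the client IP has agreed to the AUP.

Assumed squid.conf wiring (illustrative, not from the thread):

  external_acl_type aup_check ttl=60 %SRC /usr/local/bin/aup_check.py
  acl aup_agreed external aup_check
  acl CONNECT method CONNECT
  # Deny the CONNECT itself, before any SSL starts, so Squid can still
  # answer with a plain error page. deny_info keys on the last ACL of
  # the denying http_access line (aup_agreed), and ACL names are
  # case-sensitive.
  http_access deny CONNECT !aup_agreed
  deny_info ERR_ACCESS_DENIED aup_agreed
  http_access deny !aup_agreed

This example assumes external_acl_type is used without the concurrency=
option, so Squid sends no channel-id prefix and the helper answers one
line per request, in order.
"""
import sys

# Constructed sample data: clients that have accepted the policy.
# In production this would come from the store that aup_handler.php
# writes to (a file or database), re-read as needed.
AGREED_CLIENTS = {"192.0.2.10", "192.0.2.11"}


def has_agreed(client_ip, agreed=AGREED_CLIENTS):
    """True if the client address is recorded as having accepted the AUP."""
    return client_ip in agreed


def decide(line, agreed=AGREED_CLIENTS):
    """Map one request line from Squid (format: %SRC) to an OK/ERR reply.

    Fails closed: an empty or malformed line is answered ERR so that a
    helper bug never silently grants access.
    """
    fields = line.strip().split()
    if not fields:
        return "ERR"
    client_ip = fields[0]
    return "OK" if has_agreed(client_ip, agreed) else "ERR"


def main():
    # Squid keeps the helper running and expects exactly one reply line
    # per request line; flush after each reply or Squid will hang waiting.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the decision is made on the CONNECT request, Squid answers the CONNECT with the ERR_ACCESS_DENIED template over plain HTTP; whether a given browser renders that page is the separate IE8 issue Jim describes above, which the helper cannot influence.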