On 29/01/11 02:02, Jason Doran wrote:
RHEL6
squid-3.1.4-1.el6.x86_64
kernel 2.6.32-71.14.1.el6.x86_64
Hi,
I suspect this is not possible, but I thought I would ask anyway. I have:
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
When a user tries a CONNECT to !SSL_ports, the error in the browser is
something like:
The proxy server is refusing connections
I have tried to put in a deny_info directive to perhaps give a more
meaningful error to the user to say that this port is
not allowed. I have deny_info working for other acls. Is it possible to
give a custom error message with the CONNECT acl/method?
Regards,
Jason Doran
National University of Ireland, Maynooth
It is both possible and not possible.
No...
Modern browsers have been targeted with attacks sent in the body of such
rejection replies. So they now reject any body data we send.
The HTTP 302 status code is also very problematic with CONNECT due to its
handling by browsers. They often drop it as an error to save
themselves trouble.
Yes...
In order to get anything useful to happen the deny_info must perform a
URL redirect with a 307 status code. And the browser must support
correct RFC 2616 handling of that status code.
Support for 307 has been added to 3.1 since the last formal package. So
you will need to build one of the recent 3.1 daily update bundles.
As of this writing Firefox or Iceweasel are the only known browsers to
handle this correctly.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.10
Beta testers wanted for 3.2.0.4