On 15/02/2012 1:24 a.m., Danilo Godec wrote:
> Hi,
> I needed to block certain web sites with Squid 3.1.12 and I managed
> to do so with:
>
> # Squid acl syntax is "acl NAME type value"
> acl MYBLOCK dstdomain blockeddomain.com
> http_access deny MYBLOCK
>
> Since my clients are all configured to use the proxy and not allowed
> direct access to the internet, this works for both 'http' and 'https'.
> However - if clients use 'http' to access the prohibited site, they
> get a 'nice' informative message that they are being denied access.
> But if they use 'https' instead, the browser shows an error (for
> example, Chrome shows 'Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED):
> Unknown error.', while Firefox shows 'Firefox is configured to use a
> proxy server that is refusing connections'). That's not very 'user
> friendly' and might lead to false error reports...
> Is there a way to have Squid display the 'Access Denied' page for
> 'https' destinations as well?
You will have to talk to the browser people about that message
inaccuracy. Squid *is* sending back the exact same content and status
codes for both HTTP and HTTPS requests.
The problem is that the browser is not sending https://... to Squid the
way it does for http://..., different protocols after all. It is
sending a CONNECT tunnel request to set up a blind data tunnel to the
domain's server, over which it wants at some point to send encrypted
"stuff". That tunnel request is what Squid is rejecting. The browser has
a problem with showing your error page underneath the user's requested
URI in the address bar, at the same time, something about phishing ...
For the browsers which handle it properly the 303 status code can be
used to redirect the CONNECT request to a http:// URI which is also
blocked. If the browser does what it is supposed to and fetches that URI
using GET the error page will show up when *that* is blocked. Last time
I checked only Firefox was doing that, but it's a while ago now and
things have been progressing fast.
Like so:
acl MYBLOCK dstdomain .example.com
# 303 redirect used when a request is denied via the CONNECT acl
deny_info 303:http://bar.example.com CONNECT
# plain http:// requests to the blocked domain get the normal error page
http_access deny MYBLOCK !CONNECT
# CONNECT (https) requests are redirected to the blocked http:// URI above
http_access deny MYBLOCK CONNECT
Amos
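The CONNECT-then-GET flow described in the reply, as an added Python model (not Squid's code and not from the thread): it applies the dstdomain and deny_info rules of the config above to raw proxy request lines and plays a browser that honours the 303 on CONNECT. Keying deny_info on the request method (since the CONNECT acl is a method acl) and the host names are assumptions of the model.

```python
"""Model of how a blocked CONNECT becomes a 303 and a blocked GET an error page."""

# Constructed config mirroring the acl / deny_info lines in the reply (assumptions).
BLOCKED_DOMAINS = [".example.com"]                          # acl MYBLOCK dstdomain .example.com
DENY_INFO = {"CONNECT": (303, "http://bar.example.com")}    # deny_info 303:... CONNECT


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: a leading dot matches the domain and every
    subdomain; without the dot only that exact host matches."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def target_host(method: str, target: str) -> str:
    """CONNECT carries host:port; other methods carry an absolute URI to a proxy."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return target.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def proxy_response(request_line: str):
    """(status, location, body) the modelled proxy answers for one request line."""
    method, target, _version = request_line.split()
    blocked = any(dstdomain_match(p, target_host(method, target)) for p in BLOCKED_DOMAINS)
    if not blocked:
        return 200, None, "tunnel established" if method == "CONNECT" else "upstream content"
    if method in DENY_INFO:          # http_access deny MYBLOCK CONNECT -> 303 via deny_info
        code, url = DENY_INFO[method]
        return code, url, ""
    return 403, None, "ERR_ACCESS_DENIED"   # http_access deny MYBLOCK !CONNECT -> error page


def browser_flow(url: str, max_hops: int = 3):
    """Simulate a browser that re-requests with GET when its CONNECT gets a 303."""
    scheme, rest = url.split("://", 1)
    host = rest.split("/", 1)[0]
    request = f"CONNECT {host}:443 HTTP/1.1" if scheme == "https" else f"GET {url} HTTP/1.1"
    trail = []
    for _ in range(max_hops):
        status, location, body = proxy_response(request)
        trail.append((request.split()[0], status))
        if status != 303:
            return status, body, trail
        request = f"GET {location} HTTP/1.1"
    return None, "redirect loop", trail     # bounded so a misconfigured deny_info cannot spin
```

Running `browser_flow("https://www.example.com/secret")` walks CONNECT -> 303 -> GET -> 403 and returns the error page body with the hop trail.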