Re: Issue with external check and https

On 02.05.2012 06:45, Stephen McGuinness wrote:
I have a configuration where I am using Squid to proxy all internet
bound requests.

I have a custom external ACL that does some checks, and if the check
fails, it pulls up a custom error page, which is a simple redirect
to another page. This all works well for http connections. If the
connection request is for https though, the redirect fails. I see the
403 response with the expected HTTP headers, the X-Squid-Error
ERR_CUSTOM is set, but the redirect does not happen. If I do not
define a custom error page, the response page is displayed.

Is there any way to get this working, and have the redirect work?

You have confused a couple of concepts here.

First concept:
An HTTP *redirect* is a status code starting with digit '3'. Status code '403' does not start with digit '3' and none of the redirect semantics are done by it.

403 is an HTTP client error status code, which all start with digit '4'. Errors have a body object which gets displayed.


Second concept:
There is no HTTPS request being made to Squid.

What *is* being sent to Squid is a CONNECT tunnel request. Simply a request to open a binary tunnel from client to some other IP:port or host:port, with Squid in the middle shoveling bytes in both directions through it. When this tunnel is successfully setup the TLS handshake will go through it, then the real https:// URL requests will go through inside the TLS wrapper.


Now put those together....

Open a two-way binary TCP connection -> redirect to alternative URL.
Perform TLS handshake with said URL.
On success request one or more web pages and resources from said web page URI.
...

Replacing "URL" with "HTML page" ... sounds like garbage instructions to you? The browser thinks so.


Concept three:

A year or so ago it was revealed that browsers were displaying error messages badly. Who would have thought displaying https://bankofamerica.com/ in the address bar while displaying somebody else's 403 status proxy login page was a bad thing?

So nowadays they simply drop anything even slightly suspicious coming back from CONNECT requests. Static HTML error pages produced by Squid and other server software are pretty safe bets, so *some* browsers still accept them. But only so long as the HTML is actually static with no scripts etc.

Amos
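The two points above (a redirect needs a 3xx status, and a CONNECT tunnel request cannot be redirected anywhere) translate into a squid.conf fragment like the following. This is an added example, not configuration from either poster; the helper path /usr/local/bin/policy-check, the ACL names, the redirect target policy.example.net and the error template ERR_POLICY_DENIED are all assumed placeholders.

```conf
# External check: the helper (hypothetical) prints OK when the request may
# proceed and ERR when it must be denied. Two ACL names share one helper so
# that deny_info can pick a different denial response for each case.
external_acl_type policy_check ttl=60 negative_ttl=10 %SRC %DST /usr/local/bin/policy-check
acl policy_ok_http    external policy_check
acl policy_ok_connect external policy_check
acl CONNECT method CONNECT

# Plain HTTP requests (GET, POST, ...): a denial may carry a real redirect.
# "302:URL" makes Squid answer with status 302 plus a Location header,
# which is what a browser actually follows. A 403 with a custom body is
# not a redirect, whatever that body contains.
deny_info 302:http://policy.example.net/denied policy_ok_http

# CONNECT tunnel requests: the client has only asked for a tunnel to
# host:port; the TLS handshake and the real https:// request come later,
# inside the tunnel. No URL has been requested yet, so there is nothing to
# redirect. Serve a static, script-free error template instead (a file
# named ERR_POLICY_DENIED in Squid's error directory); some browsers show
# it, others replace it with their own error page.
deny_info ERR_POLICY_DENIED policy_ok_connect

# deny_info is keyed on the last ACL of the matching http_access deny line
# (assumption: the name is used regardless of the '!' negation), so each
# deny line ends with the ACL whose deny_info should apply.
http_access deny !CONNECT !policy_ok_http
http_access deny  CONNECT !policy_ok_connect
http_access allow localnet
http_access deny all
```

Check the result with plain curl rather than a browser: a denied http:// request should come back as 302 with a Location header, while a denied CONNECT should come back as 403 with the static HTML body and no Location header at all.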
