On 9/10/2013 3:29 a.m., steve@xxxxxxxxxxx wrote:
Dear all, I compiled squid 3.3.9 on debian and am trying to get deny_info working properly. When I go to HTTPS sites, I am getting an error message in firefox/chrome etc. and not a redirection. It does work with regular http requests. I have been reading up on quite some data and I found messages saying that if we return 303:URL, it should work. What I see in my log file is in fact not the expected result.

Log output:

1381242441.978 0 194.78.29.66 TCP_DENIED/303 331 GET http://www.homerecording.be/ - HIER_NONE/- text/html
1381242442.034 8 194.78.29.66 TCP_MISS/302 328 GET http://www.c2root.be/ - HIER_DIRECT/46.18.36.231 text/html
1381242442.069 21 194.78.29.66 TCP_MISS/200 7857 GET http://www.c2root.be/viewpage.php? - HIER_DIRECT/46.18.36.231 text/html
1381242442.349 8 194.78.29.66 TCP_MISS/302 328 GET http://www.c2root.be/ - HIER_DIRECT/46.18.36.231 text/html
1381242442.381 21 194.78.29.66 TCP_MISS/200 7857 GET http://www.c2root.be/viewpage.php? - HIER_DIRECT/46.18.36.231 text/html
1381242463.894 0 194.78.29.66 TCP_DENIED/303 331 CONNECT www.facebook.com:443 - HIER_NONE/- text/html

When I have a TCP_DENIED/303 in combination with a CONNECT, I simply get a "problem loading page" error.
That is a redirect. The request is "rejected" by Squid ACLs with a 303 status message redirecting the client to try somewhere which will be allowed.
Any ideas? My conf has the following modified (and only that):

acl whitelist dstdomain .c2root.be .paypal.com .hln.be
http_access allow whitelist
deny_info 303:http://www.c2root.be CONNECT
CONNECT requests are not requests for URLs. They are requests to open a TCP tunnel to a specific server. Sending back a redirect to that request is undefined behaviour in HTTP. Browsers also have a long history of security problems as a result of past attempts to follow what would appear to be the obvious thing, so now they place quite a number of limitations on what responses can be returned to a CONNECT request. 303 is the right status to be using, but like any status it requires that the client support the HTTP feature in the way you are trying to use it.
Amos
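As an added example (not part of the thread, and not Squid's own code), a small check for the symptom described above: it parses access.log lines in Squid's default native format (the ten whitespace-separated fields seen in the log output quoted in the thread) and flags every entry where a denied CONNECT request was answered with a 3xx, i.e. a deny_info URL redirect was applied to a tunnel request that the browser will not follow. The sample log text is the set of lines quoted in the thread.

```python
"""Find deny_info redirects (TCP_DENIED/3xx) sent in reply to CONNECT requests.

Added example. Assumes Squid's default 'squid' access.log format:
time duration client result/status bytes method url user hierarchy/peer type
"""
from dataclasses import dataclass

# Log lines quoted in the thread (Squid native access.log format).
SAMPLE_LOG = """\
1381242441.978 0 194.78.29.66 TCP_DENIED/303 331 GET http://www.homerecording.be/ - HIER_NONE/- text/html
1381242442.034 8 194.78.29.66 TCP_MISS/302 328 GET http://www.c2root.be/ - HIER_DIRECT/46.18.36.231 text/html
1381242442.069 21 194.78.29.66 TCP_MISS/200 7857 GET http://www.c2root.be/viewpage.php? - HIER_DIRECT/46.18.36.231 text/html
1381242463.894 0 194.78.29.66 TCP_DENIED/303 331 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
"""


@dataclass
class Entry:
    ts: float
    client: str
    result: str   # Squid result code, e.g. TCP_DENIED or TCP_MISS
    status: int   # HTTP status code sent to the client
    method: str
    url: str      # for CONNECT this is host:port, not a URL


def parse_line(line: str) -> Entry:
    """Split one native-format access.log line into its ten fields."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"expected 10 fields, got {len(f)}: {line!r}")
    result, status = f[3].split("/", 1)
    return Entry(float(f[0]), f[2], result, int(status), f[5], f[6])


def is_redirect_on_connect(e: Entry) -> bool:
    """True when Squid denied a CONNECT with a redirect status, which is
    the case the thread describes: browsers show an error instead of
    following the Location header on a tunnel request."""
    return e.method == "CONNECT" and e.result == "TCP_DENIED" and 300 <= e.status < 400


def find_redirected_connects(log_text: str) -> list[Entry]:
    entries = (parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    return [e for e in entries if is_redirect_on_connect(e)]


if __name__ == "__main__":
    for e in find_redirected_connects(SAMPLE_LOG):
        print(f"{e.ts:.3f} {e.client} {e.result}/{e.status} {e.method} {e.url}")
```

Run it against a real access.log to confirm whether a deny_info redirect is hitting CONNECT requests before changing the ACL that the deny_info line is keyed to.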