Re: Blocking Chrome and QUIC


FYI, I finally solved my problem!

It turns out the problem was with PRE-ESTABLISHED connections...

In other words, when I turned on my transparent rules, any Chrome tabs I had opened BEFORE turning on my transparent proxy rules, apparently would communicate over a previously opened socket! So the filtering rules would only apply after the port was closed OR after I reopened the browser.

In order to solve it, I simply had to add a FORWARD drop rule for any established connections:
iptables -A FORWARD -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j DROP

Hope this will be helpful to someone else!
Luis



On Sat, Feb 7, 2015 at 8:28 PM, Luis Miguel Silva <luismiguelferreirasilva@xxxxxxxxx> wrote:
Ok, I'm using 3.4.9, so I've added that config option to my setup :o)

Thanks for the tip!
Luis

On Sat, Feb 7, 2015 at 6:11 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 8/02/2015 5:34 a.m., Luis Miguel Silva wrote:
> I did when you sent it but it seemed to me you were saying I should add
> that "reply_header_access Alternate-Protocol deny all" config parameter
> but, on the other hand, I didn't understand why were you suggesting that,
> seeing that my problem is that Chrome doesn't go through my proxy at all!
> (I'm doing transparent proxying, NOT setting up a proxy in Chrome).
>
> I've now re-read your email and it seemed you were telling me to upgrade to
> 3.5.x (which I hadn't understood the last time I read your email). I
> apologize that I didn't understand what you were saying.
>

No worries. I was saying both.

> So are you saying I must upgrade to Squid 3.5.x to fix this? Why would that
> header fix it, seeing that my problem is that Chrome is bypassing the proxy
> altogether?

The web server actively tells Chrome to use QUIC on future requests.
Remove that header from traffic and Chrome stops using QUIC (maybe
requires Chrome restart).

The removal is built into 3.4.10+ by default, but the config line I
presented does the same thing in older versions back to 3.2.

Amos



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
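
The connection-tracking table shows which flows are in the situation described at the top of this thread: NAT interception rules are consulted only for the first packet of a connection, so a flow opened before they were loaded keeps a reply tuple that points straight back at the web server. The following is an added example, not part of the original thread; the sample lines, addresses and intercept port 3129 are constructed, and it assumes the default `conntrack -L -p tcp` output format.

```python
import re

# Constructed sample of `conntrack -L -p tcp` output (all addresses are made up).
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.7 sport=51234 dport=443 src=203.0.113.7 dst=192.168.1.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431995 ESTABLISHED src=192.168.1.10 dst=198.51.100.9 sport=51240 dport=80 src=192.168.1.1 dst=192.168.1.10 sport=3129 dport=51240 [ASSURED] mark=0 use=1
tcp      6 100 TIME_WAIT src=192.168.1.11 dst=203.0.113.7 sport=40000 dport=443 src=203.0.113.7 dst=192.168.1.11 sport=443 dport=40000 [ASSURED] mark=0 use=1
tcp      6 431000 ESTABLISHED src=192.168.1.12 dst=192.168.1.1 sport=50022 dport=22 src=192.168.1.1 dst=192.168.1.12 sport=22 dport=50022 [ASSURED] mark=0 use=1
"""

WEB_PORTS = {80, 443}
KV = re.compile(r"(src|dst|sport|dport)=(\S+)")


def parse_entry(line):
    """Return (state, original_tuple, reply_tuple), or None for lines we cannot use."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "tcp":
        return None
    pairs = KV.findall(line)
    if len(pairs) < 8:  # need both the original and the reply tuple
        return None
    return fields[3], dict(pairs[:4]), dict(pairs[4:8])


def unproxied_flows(conntrack_text, web_ports=WEB_PORTS):
    """List established web flows whose reply tuple shows no NAT rewrite."""
    found = []
    for line in conntrack_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        state, orig, reply = entry
        if state != "ESTABLISHED" or int(orig["dport"]) not in web_ports:
            continue
        # Without interception the reply comes straight from the original destination.
        if reply["src"] == orig["dst"] and reply["sport"] == orig["dport"]:
            found.append((orig["src"], orig["sport"], orig["dst"], orig["dport"]))
    return found


if __name__ == "__main__":
    for flow in unproxied_flows(SAMPLE):
        print("bypassing proxy: %s:%s -> %s:%s" % flow)
```

On a live gateway, pass the output of `conntrack -L -p tcp` to `unproxied_flows` instead of the sample.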
