On 15/09/2015 3:13 a.m., Matus UHLAR - fantomas wrote: > Hello, > > we have squidguard on a few servers and I'd like to redirect client's > request > directly to squid's error page, e.g. ERR_ACCESS_DENIED > Is that possible directly through e.g. internal URL, or do I have to play > with special page and acl? > (it should work for CONNECT requests too) > > squid-3.1.20 (debian 7) here > This is a very good example of how SG and tools like it are abusing Squid. The URL-rewrite/redirect interface they are plugged into is intended and designed to mangle the URL. Nothing more. By the time the URL-rewrite helper lookup is sent the access controls have already determined that the request access is *accepted* and *allowed*. It is even almost finished being processed. Far too late to deny it. The right way to perform access authorization is with the http_access or adapted_http_access rules. That is also the only way to *generate* ERR_ACCESS_DENIED. Those rules have an external_acl_type helper interface for performing helper lookups and dont need any fancy trickery with URLs or web servers. deny_info is provided for presenting custom pages (or HTTP redirect URLs) from any ACL results. And yes, doing it the right way will work with CONNECT too. In so far as Squid output is concerned anyway. The popular browsers are still refusing to honour any kind of non-200 response from proxies. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
