Hi Marcus,
Well that just an URL rewriter program. You can just test it from the
command line :
echo "URL" | /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
Before I understood it was possible to precise the redirect code I got that:
#> echo
"https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?
- - GET"|/usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
#> OK
rewrite-url="https://proxyweb.XXXXX.XXXXX/cgi-bin/squidGuard-simple.cgi?clientaddr=-pipo&clientname=&clientuser=&clientgroup=default&targetgroup=unknown&url=https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?";
After a little change in the squidguard.conf, I get:
#> OK status=302
url="https://proxyweb.echoppe.lan/cgi-bin/squidGuard-simple.cgi?clientaddr=-pipo&clientname=&clientuser=&clientgroup=default&targetgroup=unknown&url=https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?";
It's not so better handled by my browser saying "can't connect to
https://ad.doubleclick.net"; message. But, I don't get the squid message
anymore regarding http/https.
It may be that rewrite_rule_program come after peek and splice stuff
leading squid to an unpredictable situation. Is there a way to play on
order things happen in squid?
Regards, EG
Le 04/11/2015 14:10, Marcus Kool a écrit :
You need to know what squidGuard actually sends to Squid.
squidGuard does not have a debug option for this, so you have to set
debug_options ALL,1 61,9
in squid.conf to see what Squid receives.
I bet that what Squid receives, is what it complains about:
the URL starts with 'https://http'
Marcus
On 11/04/2015 10:55 AM, Edouard Gaulué wrote:
Le 04/11/2015 11:00, Amos Jeffries a écrit :
On 4/11/2015 12:48 p.m., Marcus Kool wrote:
I suspect that the problem is that you redirect a HTTPS-based URL
to an
HTTP URL and Squid does not like that.
Marcus
To give it a try in that direction I now redirect to an https server.
And I get :
The following error was encountered while trying to retrieve the URL:
https://https/*
*Unable to determine IP address from host name "https"*
The DNS server returned:
Name Error: The domain name does not exist.
Moreover this would leads sometimes to HTTP-based URL to an HTTPS URL
and I don't know how much squid likes it either.
No it is apparently the fact that the domain name being redirected
to is
"http".
As in:"http://http/something";
I can assure my rewrite_url looks like
"https://proxyweb.xxxxx.xxxxx/var1=xxxx&...";.
And this confirm ssl_bump parse this result and get the left part
before the ":". To play with, I have also redirect to
"proxyweb.xxxxx.xxxxx:443/var1=xxxx&..." (ie. I removed the
"https://"; and add a
":443") to force the parsing. Then I don't get this message anymore,
but Mozilla gets crazy waiting for the ad.doubleclick.net certificate
and getting the proxyweb.xxxxx.xxxxx one. And of course it
breaks my SG configuration and can't be production solution.
Which brings up the question of why you are using SG to block adverts?
squid.conf:
acl ads dstdomain .doubleclick.net
http_access deny ads
Amos
I don't use SG to specificaly block adverts, I use it to block 90 %
of the web. Here it's just an example with ads but it could be with
so much other things...
I just want to try make SG and ssl_bump live together.
Is this possible to have a rule like "if it has been rewrite then
don't try to ssl_bump"?
Regards, EG
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
