
Re: URL Rewrite for https via Squidguard

On 01/09/2016 05:07 AM, Darren wrote:
Hi

I am trying to hack squidguard to allow me to redirect users' attempts to connect to blocked https enabled sites.

Some sites are allowed and the bulk are not. Currently I can see the Connect details being handed to SG for processing and if I change this to return a redirect to make it point to a different server it breaks and gives me an SSL error (as would be expected)

indeed, "as expected"...
The HTTP protocol supports redirection of a URL by sending a 30x status code back to the browser.
HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is inside the channel and
explicitly is designed not to be tampered with.  So redirecting a channel to another website
always will cause a certificate error, unless ...
   1) one uses ssl-bump
   2) installs the Squid fake CA certificate in all browsers
   3) one has a policy for the other protocols (e.g. Skype) that use CONNECT

Is there a way I can get this redirection call to squidguard to happen earlier in squid before it gets this far down the CONNECT process? Or is there something that I can return from Squidguard that would make this work? I notice that the connect attempts are always just the IP address, so something earlier in the processing is doing a reverse DNS lookup, is this the Browser or Squid and if so can I get in earlier during the process?

The above implies that you use Squid in interception mode where it initially can only see the IP address of the server.
In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a. the FQDN) and then the SNI/FQDN can be used in ACLs inside Squid and any URL redirector that can cope with the SNI parameter. Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 1.32 _can_ and will be released in February.

Marcus


I want to maintain the various lists in just squidguard and not put in ACLs in squid.conf

thanks

Darren B.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
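
The cases discussed in this message, as an added example that is not part of the original post and is not squidGuard or ufdbGuard code: a URL-rewrite helper decision function that uses the SNI when an intercepted CONNECT carries only an IP address, and sends a 30x only when the HTTP request itself is visible. It assumes Squid passes the SNI as an extra field (the `url_rewrite_extras` line in the comment), helper concurrency is off (no channel-ID), and the block page URL, function names and sample request lines are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed squid.conf line (not from the thread) that appends the SNI to each
# helper request:  url_rewrite_extras "%>a/%>A %un %>rm sni=%ssl::>sni"
BLOCK_PAGE = "http://block.example/denied"  # hypothetical block page

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def site_name(url, method, sni):
    """Name to look up: URL host, or the SNI when CONNECT only carries an IP."""
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0].strip("[]")
        if is_ip(host) and sni not in ("", "-"):
            return sni.lower()
        return host.lower()
    return (urlsplit(url).hostname or "").lower()

def listed(name, domains):
    """True if the name or any parent domain is in the list."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def decide(line, domains):
    """Return (name, blocked, reply) for one helper request line."""
    fields = line.split()
    url, method = fields[0], fields[3]
    extras = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
    name = site_name(url, method, extras.get("sni", "-"))
    blocked = not is_ip(name) and listed(name, domains)
    if blocked and method != "CONNECT":
        # HTTP is visible (plain or bumped), so a 30x reaches the browser.
        return name, True, f'OK status=302 url="{BLOCK_PAGE}"'
    # CONNECT: a 30x cannot be delivered inside the tunnel; leave it unchanged.
    return name, blocked, "ERR"
```

Without the SNI field, the intercepted CONNECT can only be matched by IP address, which is why a domain list never hits at that stage.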



