09.01.16 15:45, Marcus Kool wrote:
>
>
> On 01/09/2016 05:07 AM, Darren wrote:
>> Hi
>>
>> I am trying to hack squidguard to allow me to redirect users' attempts to connect to blocked https-enabled sites.
>>
>> Some sites are allowed and the bulk are not. Currently I can see the CONNECT details being handed to SG for processing, and if I change this to return a redirect to make it point to a different server
>> it breaks and gives me an SSL error (as would be expected).
>
> indeed, "as expected"...
> The HTTP protocol supports redirection of a URL by sending a 30x status code back to the browser.
> HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is inside the channel and
> is explicitly designed not to be tampered with. So redirecting a channel to another website
> will always cause a certificate error, unless ...
> 1) one uses ssl-bump
> 2) installs the Squid fake CA certificate in all browsers
> 3) one has a policy for the other protocols (e.g. Skype) that use CONNECT
>
>> Is there a way I can get this redirection call to squidguard to happen earlier in squid, before it gets this far down the CONNECT process? Or is there something that I can return from Squidguard that
>> would make this work? I notice that the connect attempts are always just the IP address, so something earlier in the processing is doing a reverse DNS lookup. Is this the browser or Squid, and if so
>> can I get in earlier during the process?
>
> The above implies that you use Squid in interception mode, where it initially can only see the IP address of the server.

Note: Squid 3.5 only sees the IP initially. 3.4 knows the full FQDN. Note this. You deal not only with 3.5 and above, but with _many_ 3.4.x installations.

> In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a. the FQDN), and then the SNI/FQDN can be used in ACLs inside Squid and in any URL redirector that can cope with the SNI parameter.
> Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 1.32 _can_ and will be released in February.
>
> Marcus
>
>>
>> I want to maintain the various lists in just squidguard and not put ACLs in squid.conf
>>
>> thanks
>>
>> Darren B.
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
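As an added example, not taken from this thread nor from the Squid, SquidGuard or ufdbGuard documentation: a squid.conf fragment for Squid 3.5 that does what Marcus describes, peeking at step 1 so the SNI becomes visible, then using the SNI in ACLs to bump only the blocked hosts and splice everything else. The `at_step`, `peek`, `splice` and `bump` keywords exist only from 3.5 on, which is the point of the note above about 3.4.x installations. The port number, the CA file and ssl_crtd paths, the client subnet and the domain names are placeholders to be replaced with local values.

```conf
# Added example, not from the thread. Placeholders: port 3130, the CA
# file, the ssl_crtd paths, the 192.0.2.0/24 subnet and the .example hosts.

# Intercepted HTTPS port. generate-host-certificates needs a CA that every
# browser trusts (Marcus's point 2: the Squid "fake CA" installed in all
# browsers), otherwise every bumped site shows a certificate error.
https_port 3130 intercept ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl/squidCA.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# ssl-bump steps: at step 1 only the IP:port of the fake CONNECT is known,
# the SNI is available from step 2 on.
acl step1 at_step SslBump1

# Hosts to block, matched on the TLS SNI rather than on the IP address.
acl blocked_tls ssl::server_name .badsite.example .tracker.example

# Marcus's point 3: clients that tunnel non-HTTP protocols (e.g. Skype)
# through CONNECT must not be bumped; here they are identified by source
# subnet and always spliced.
acl nonbrowser_src src 192.0.2.0/24

# Step 1: peek, do not decide yet, so the ClientHello (and its SNI) is read.
ssl_bump peek step1
# Step 2: bump only the blocked hosts, so Squid can answer them itself;
# everything else is spliced untouched, so allowed sites see no
# certificate error.
ssl_bump splice nonbrowser_src
ssl_bump bump blocked_tls
ssl_bump splice all

# After the bump, the decrypted request passes http_access, and a deny
# there can be turned into a 302 to a block page. The block page must be
# served under a certificate the browser already trusts.
http_access deny blocked_tls
deny_info 302:https://block.example/blocked?host=%H blocked_tls
```

The lists stay in squid.conf in this form, which is what Darren wanted to avoid; the redirector route only works once the redirector can read the SNI parameter, as Marcus says. The `ssl_bump splice all` default is what keeps allowed sites free of certificate errors, so it should stay the last `ssl_bump` line.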