The "deny_info" directive didn't work when we blocked an https site with
the "ssl_bump" option.
Is there maybe another method?
--------------------------------------------------------------------
acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
deny_info http://www.example.com blocked_https
ssl_bump terminate blocked_https
--------------------------------------------------------------------
25.03.2016 17:14, Yuri Voinov wrote:
# TAG: deny_info
# Usage: deny_info err_page_name acl
# or deny_info http://... acl
# or deny_info TCP_RESET acl
#
# This can be used to return a ERR_ page for requests which
# do not pass the 'http_access' rules. Squid remembers the last
# acl it evaluated in http_access, and if a 'deny_info' line exists
# for that ACL Squid returns a corresponding error page.
#
# The acl is typically the last acl on the http_access deny line which
# denied access. The exceptions to this rule are:
# - When Squid needs to request authentication credentials. It's then
# the first authentication related acl encountered
# - When none of the http_access lines matches. It's then the last
# acl processed on the last http_access line.
# - When the decision to deny access was made by an adaptation service,
# the acl name is the corresponding eCAP or ICAP service_name.
#
# NP: If providing your own custom error pages with error_directory
# you may also specify them by your custom file name:
# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
# By default Squid will send "403 Forbidden". A different 4xx or 5xx
# may be specified by prefixing the file name with the code and a colon.
# e.g. 404:ERR_CUSTOM_ACCESS_DENIED
#
# Alternatively you can tell Squid to reset the TCP connection
# by specifying TCP_RESET.
#
# Or you can specify an error URL or URL pattern. The browsers will
# get redirected to the specified URL after formatting tags have
# been replaced. Redirect will be done with 302 or 307 according to
# HTTP/1.1 specs. A different 3xx code may be specified by prefixing
# the URL. e.g. 303:http://example.com/
#
# URL FORMAT TAGS:
# %a - username (if available. Password NOT included)
# %B - FTP path URL
# %e - Error number
# %E - Error description
# %h - Squid hostname
# %H - Request domain name
# %i - Client IP Address
# %M - Request Method
# %o - Message result from external ACL helper
# %p - Request Port number
# %P - Request Protocol name
# %R - Request URL path
# %T - Timestamp in RFC 1123 format
# %U - Full canonical URL from client
# (HTTPS URLs terminate with *)
# %u - Full canonical URL from client
# %w - Admin email from squid.conf
# %x - Error name
# %% - Literal percent (%) code
#
#Default:
# none
?
25.03.16 16:15, Alexandr Yatskin wrote:
> Hello everyone!
> How do we redirect users to an "Access Denied" page when they go to blocked https sites?
> Now users can only see this error: "ERR_CONNECTION_CLOSED".
>
> There are several lines from our config:
> ------------------------------------------
> acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt"
> ssl_bump terminate blocked_https
> ------------------------------------------
> Thanks in advance.
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
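The deny_info syntax quoted from the documentation above (optional status prefix, then an error page name, a URL or TCP_RESET, with % format tags in URLs), modelled as an added Python example; it is not Squid's code and not from any poster in this thread. The function names, the tag subset, the 302 default for redirects and the percent-encoding of substituted values are assumptions of this example.

```python
import re
from urllib.parse import quote

# Subset of the URL format tags from the quoted documentation, mapped to
# hypothetical request field names used only by this example.
TAGS = {"a": "username", "H": "domain", "i": "client_ip", "M": "method",
        "p": "port", "P": "protocol", "R": "path", "u": "url"}


def parse_deny_info(line):
    """Split 'deny_info [code:]target acl' into kind, status code, target, ACL."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "deny_info":
        raise ValueError("expected: deny_info <target> <acl>")
    target, acl = parts[1], parts[2]
    code = None
    prefix = re.match(r"^([345]\d\d):(.+)$", target)
    if prefix:  # e.g. 404:ERR_CUSTOM_ACCESS_DENIED or 303:http://example.com/
        code, target = int(prefix.group(1)), prefix.group(2)
    if target == "TCP_RESET":
        kind = "reset"                      # connection reset, no HTTP reply
    elif re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        kind = "redirect"
        code = code or 302                  # docs say 302 or 307; 302 assumed here
    else:
        kind = "error_page"
        code = code or 403                  # documented default: 403 Forbidden
    return {"kind": kind, "code": code, "target": target, "acl": acl}


def expand(template, request):
    """Replace %X tags with request fields; '%%' yields a literal '%'.

    Values are percent-encoded (this example's choice) so a request-supplied
    value cannot add parameters to the redirect URL.
    """
    def sub(match):
        tag = match.group(1)
        if tag == "%":
            return "%"
        if tag not in TAGS:
            return match.group(0)           # tag outside this model: left as-is
        return quote(str(request.get(TAGS[tag], "")), safe="")
    return re.sub(r"%(.)", sub, template)


if __name__ == "__main__":
    # Constructed sample rule and request, not taken from the thread.
    rule = parse_deny_info(
        "deny_info 303:http://www.example.com/blocked?host=%H&ip=%i blocked_https")
    req = {"domain": "bad.example.net", "client_ip": "192.0.2.10"}
    print(rule["code"], expand(rule["target"], req))
```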