Re: ssl bump and url_rewrite_program (like squidguard)

Hi Edouard,

To block GET https://www.example.com/foo.html and to pass CONNECT www.example.com you need
a) squid with ssl-bump in peek+bump mode
b) ufdbGuard

ufdbGuard can skip the CONNECT and wait for the GET request
which can be blocked without browser errors.

Since ssl-bump is not easy it is recommended to do this in two steps:
a) make sure that Squid with ssl-bump works fine,
b) then add ufdbGuard.

Marcus


On 04/05/17 06:03, Edouard Gaulué wrote:
Hi community,

Any news about this?

I've tried 3.5.25 but still observe this behaviour.

I understand it well since I read: https://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy

But how to let the CONNECT request succeed and later block/redirect next HTTP request coming through this established connection tunnel?

Best Regards,

On 03/11/2015 at 23:48, Edouard Gaulué wrote:
Hi community,

I've followed
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit  to
set my server. It looks really interesting and it's said to be the more
common configuration.

I often observe (example here with www.youtube.com):
***************************
The following error was encountered while trying to retrieve the URL:
https://http/*

    *Unable to determine IP address from host name "http"*

The DNS server returned:

    Name Error: The domain name does not exist.
****************************

This happens while the navigator (Mozilla) is trying to get a frame at
https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?


That's ads so I'm not so fond of it...

But this leads me to the fact I get this behavior each time the site is
banned by squidguard.

Is there something to do to avoid this behavior? I mean, squidguard
should send :

*********************************
  Access denied

Supplementary info     :
Client address     =     192.168.XXX.XXX
Client name     =     192.168.XXX.XXX
User ident     =
Client group     =     XXXXXXX
URL     =     https://ad.doubleclick.net/
Target class     =     ads

If this is wrong, contact your administrator
**********************************

squidguard is an url_rewrite_program that looks to respect squid
requirements. Redirect looks like this :
http://proxyweb.myserver.mydomain/cgi-bin/squidGuard-simple.cgi?clientaddr=...

I've played around trying to change the redirect URL and it leads me to
the idea ssl_bump tries to analyse the part until the ":". Is there a way
to avoid this? Is this just a configuration matter?

Could putting an ssl_bump rule saying "every server whose name matches "http" or
"https" should splice" solve the problem?

Regards, EG


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
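
The behaviour Marcus's reply at the top of this thread describes (leave the CONNECT alone, redirect only the GET seen after the bump), sketched as a minimal url_rewrite_program. This is an added example, not code from ufdbGuard, squidGuard or the posters; it assumes Squid 3.4+ key=value helper replies and the default `url_rewrite_extras`, and the block page URL, blocklist and sample lines are constructed.

```python
import sys

# Assumptions (hypothetical values, not from the thread): block page URL and blocklist.
BLOCK_PAGE = "http://proxy.example.internal/blocked.html"
BLOCKED_HOSTS = {"ads.example.net"}

# Constructed request lines in the shape Squid sends with the default
# url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp".
SAMPLE_LINES = [
    "ads.example.net:443 192.0.2.10/- - CONNECT myip=192.0.2.1 myport=3128",
    "https://ads.example.net/banner.js 192.0.2.10/- - GET myip=192.0.2.1 myport=3128",
    "7 https://www.example.com/foo.html 192.0.2.10/- - GET myip=192.0.2.1 myport=3128",
]

def host_of(url):
    """Lowercase host from an absolute URL or a CONNECT 'host:port' target (no IPv6 literals)."""
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    return authority.split(":", 1)[0].lower()

def decide(line):
    """Map one helper request line to a Squid url_rewrite reply line."""
    fields = line.split()
    if not fields:
        return 'BH message="empty request"'
    # With helper concurrency enabled, Squid prefixes a numeric channel ID
    # that the reply must echo back.
    channel = ""
    if fields[0].isdigit() and len(fields) > 1:
        channel = fields.pop(0) + " "
    url = fields[0]
    method = fields[3] if len(fields) > 3 else "-"
    # Never answer a CONNECT with a redirect: the tunnel target is only
    # host:port, so ERR ("no change") lets the tunnel be set up and bumped.
    if method == "CONNECT":
        return channel + "ERR"
    # The decrypted request carries a full https:// URL and can be redirected.
    if host_of(url) in BLOCKED_HOSTS:
        return f'{channel}OK status=302 url="{BLOCK_PAGE}"'
    return channel + "ERR"

def main():
    # Squid keeps the helper running: one request per line in, one reply per line out.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```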