Hi Edouard,
To block GET https://www.example.com/foo.html and to pass CONNECT www,example.com you need
a) squid with ssl-bump in peek+bump mode
b) ufdbGuard
ufdbGuard can skip the CONNECT and waits for the GET request
which can be blocked without browser errors.
Since ssl-bump is not easy it is recommended to do this in two steps:
a) make sure that Squid with ssl-bump works fine,
b) then add ufdbGuard.
Marcus
On 04/05/17 06:03, Edouard Gaulué wrote:
Hi community,
Any news about this?
I've tried 3.5.25 but still observe this behaviour.
I understand it well since I read: https://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
But how to let the CONNECT request succeed and later block/redirect next HTTP request coming through this established connection tunnel?
Best Regards,
Le 03/11/2015 à 23:48, Edouard Gaulué a écrit :
Hi community,
I've followed
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit to
set my server. It looks really interesting and it's said to be the more
common configuration.
I often observe (example here withwww.youtube.com) :
***************************
The following error was encountered while trying to retrieve the URL:
https://http/*
*Unable to determine IP address from host name "http"*
The DNS server returned:
Name Error: The domain name does not exist.
****************************
This happens while the navigator (Mozilla) is trying to get a frame at
https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?
That's ads so I'm not so fond of it...
But this leads me to the fact I get this behavior each time the site is
banned by squidguard.
Is there something to do to avoid this behavior? I mean, squidguard
should send :
*********************************
Access denied
Supplementary info :
Client address = 192.168.XXX.XXX
Client name = 192.168.XXX.XXX
User ident =
Client group = XXXXXXX
URL = https://ad.doubleclick.net/
Target class = ads
If this is wrong, contact your administrator
**********************************
squidguard is an url_rewrite_program that looks to respect squid
requirements. Redirect looks like this :
http://proxyweb.myserver.mydomain/cgi-bin/squidGuard-simple.cgi?clientaddr=...
I've played arround trying to change the redirect URL and it leads me to
the idea ssl_bump tries to analyse the part until the ":". Is there a way
to avoid this? Is this just a configuration matter?
Could putting a ssl_bump rule saying "every server that name match "http" or
"https" should splice" solve the problem?
Regards, EG
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users