Search squid archive

Re: Squid custom error page

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please note if you first let the connect tunnel to succeed (forcing bump) and then block the next coming request through that tunnel - you will get the blocked message displayed.

We do it in ICAP (https://docs.diladele.com/faq/squid/cannot_connect_to_site_using_https.html) - other community members may know better if it is possible to do that in Squid directly.

Beware of those using your tunnels to pump non http traffic though. Blocking the connect as it is done now in Squid keeps you on safe side.

Best regards,
Rafael Akchurin

Op 17 mei 2017 om 4:04 PM heeft Amos Jeffries <squid3@xxxxxxxxxxxxx> het volgende geschreven:

On 17/05/17 23:32, chcs wrote:
Firefox 53.0.2 , Chrome 58.3029 y Opera 44 display "Proxy Server Refused
Connection" page, instead of Squid custom error page, when connect to HTTPS
site which blocked by proxy server.
For example we try to connect to https://www.something.com via Squid proxy
server which denied with 403 error this connect and send custom error page
with description of problem in older versions it's worked.
I'm using pfSense 2.4 (actual version squid 3.5.24).

Reproducible: Always

Steps to Reproduce:
1. Configure Firefox to use proxy server (SSL Proxy).
2. HTTPS/SSL Interception , Enable SSL filtering, splice all, CA: Let's
Encript autority
3. Try to connect to HTTPS site, which will be blocked by proxy server

Actual Results:
Firefox will display "Page Load Error" with description "Proxy Server
Refused Connection. Firefox is configured to use a proxy server that is
refusing connections."
If we connect to HTTPS site which not blocked by proxy server OR using CA
self-signed issuer , all works fine.

Expected Results:
Display proxy server error page with deny info.

This is a well-known problem with Browsers, they all refuse to display any response to a CONNECT tunnel message.
<On 17/05/17 23:32, chcs wrote:
Firefox 53.0.2 , Chrome 58.3029 y Opera 44 display "Proxy Server Refused
Connection" page, instead of Squid custom error page, when connect to HTTPS
site which blocked by proxy server.
For example we try to connect to https://www.something.com via Squid proxy
server which denied with 403 error this connect and send custom error page
with description of problem in older versions it's worked.
I'm using pfSense 2.4 (actual version squid 3.5.24).

Reproducible: Always

Steps to Reproduce:
1. Configure Firefox to use proxy server (SSL Proxy).
2. HTTPS/SSL Interception , Enable SSL filtering, splice all, CA: Let's
Encript autority
3. Try to connect to HTTPS site, which will be blocked by proxy server

Actual Results:
Firefox will display "Page Load Error" with description "Proxy Server
Refused Connection. Firefox is configured to use a proxy server that is
refusing connections."
If we connect to HTTPS site which not blocked by proxy server OR using CA
self-signed issuer , all works fine.

Expected Results:
Display proxy server error page with deny info.

This is a well-known problem with Browsers, they all refuse to display any response to a CONNECT tunnel message.
<http://wiki.squid-cache.org/Features/CustomErrors#Custom_error_pages_not_displayed_for_HTTPS>

Use of TLS to secure the connection to the proxy does not affect this browser behaviour on HTTPS traffic. The best you can hope for is to make Squid use a 511 status code with deny_info and hope that it chooses to display something halfway useful.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux