On 16/08/18 11:58, David Touzeau wrote:
> Hi,
>
> I have written my own url_rewrite helper
>
> On SSL sites, the helper answering a redirect to a remote denied php page.
>

No, your helper *rewrites* the URL without changing any other properties of the request message. This can be seen clearly in the use of "rewrite-url=" instead of "url=".

The difference is important when it comes to the type of message being processed.

> With HTTP, no issue but on SSL there is a different behavior
>
> My helper returns
>
> rewrite-url= https://192.168.1.122:443/myguard.php?rule-id=0&....
>
> but according to debug, the Uri.cc understands: host='https',
> port='443', path=''
>
> In this case, squid tries to connect to an https machine name and returns
> bad 503
>
> ...
>
> Did I miss something ???
>

Look at the input received by the helper. HTTPS uses CONNECT requests. Those messages have authority-form URI, not URLs.

The above behaviour is what happens when your helper's response is interpreted according to authority-form syntax.
<https://tools.ietf.org/html/rfc7230#section-5.3.3>

You can prevent the SSL-Bump CONNECT messages being sent to the re-writer with:

    url_rewrite_access deny CONNECT

OR, you can try to do a proper redirect by having the helper send:

    OK status=302 url=...

The latter *might* work, depending on whether the client handles redirection on CONNECT requests. Browsers don't support anything other than 200 status. Other clients have a mix of behaviours, so it's somewhat unreliable.

Amos
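Added example, not part of the original thread and not Squid project code: a url_rewrite helper that inspects the request method and target form before answering, so it never sends rewrite-url= for a CONNECT. It assumes the default url_rewrite_extras input layout with no concurrency channel-ID; DENIED_HOSTS and the redirect_connect switch are hypothetical names, and the deny page is the one from the thread without its elided query string.

```python
import sys
from urllib.parse import urlsplit

# Deny page from the thread, without its elided query string.
DENY_PAGE = "https://192.168.1.122:443/myguard.php"
DENIED_HOSTS = {"blocked.example"}  # constructed sample policy

def is_authority_form(target):
    """host:port with no scheme or path, as sent on CONNECT (RFC 7230 5.3.3)."""
    return "://" not in target and "/" not in target

def host_of(target):
    """Extract the lower-cased host from either target form."""
    if is_authority_form(target):
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    return host.strip("[]").lower()

def answer(line, redirect_connect=False):
    """Reply for one helper input line.

    Assumed layout (default url_rewrite_extras, no concurrency channel-ID):
    URL client-ip/fqdn user method myip=... myport=...
    """
    fields = line.split()
    if len(fields) < 4:
        return 'BH message="short input"'
    target, method = fields[0], fields[3]
    if host_of(target) not in DENIED_HOSTS:
        return "ERR"  # ERR = leave the request unchanged
    if method == "CONNECT" or is_authority_form(target):
        # rewrite-url= would be read back as authority-form here, so either
        # leave the CONNECT alone or send a real redirect.
        if redirect_connect:
            return f'OK status=302 url="{DENY_PAGE}"'
        return "ERR"
    return f'OK rewrite-url="{DENY_PAGE}"'

def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; do not buffer

if __name__ == "__main__":
    main()
```

With redirect_connect left off, the helper behaves toward CONNECT as if url_rewrite_access deny CONNECT were set; switching it on sends the 302 that the reply above describes as unreliable across clients.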