Hello,

I have this simplified ACL in squid.conf:

    acl denyit src all
    deny_info http://192.168.1.1/blocked.html denyit
    http_access deny denyit

The purpose is to block everything and redirect to http://192.168.1.1/blocked.html

It works fine with http (non-secure) CONNECT request ...

    > curl -ix 192.168.1.1:8080 http://google.com
    HTTP/1.1 302 Found
    Server: squid/4.3
    Mime-Version: 1.0
    Date: Tue, 16 Oct 2018 11:02:05 GMT
    Content-Type: text/html;charset=utf-8
    Content-Length: 0
    Location: http://192.168.1.1/blocked.html
    X-Squid-Error: 403 Access Denied
    X-Cache: MISS from somehost
    X-Cache-Lookup: NONE from somehost:8080
    Connection: keep-alive

... but gives a certificate error with https CONNECT request.

    > curl -ix 192.168.1.1:8080 https://google.com
    HTTP/1.1 200 Connection established

    curl: (60) SSL certificate problem: self signed certificate in certificate chain
    More details here: https://curl.haxx.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.

I believe this is because squid first gives 200 status and hence the browser thinks the connection is established and expects Google's certificate.

Can squid not return with 302/307 on CONNECT HTTPS requests for deny_info?

Like instead of HTTP/1.1 200 Connection established - it returns:

    HTTP/1.1 307 Redirect
    Location: http://192.168.1.1/blocked.html
    (...)

RFC 7231 https://tools.ietf.org/html/rfc7231#section-4.3.6 states that:

    Any response other than a successful response indicates that the
    tunnel has not yet been formed and that the connection remains
    governed by HTTP.

which means HTTP/1.1 307 Redirect should make the browser treat the connection as HTTP and hopefully also follow Location.

Any idea? Or any other workaround (except importing squid certificate)

Thanks and regards,

Amish
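Added example (not part of the original post and not Squid code): a small Python check that applies the RFC 7231 section 4.3.6 rule quoted above to a proxy's reply to CONNECT, using byte strings constructed from the two status lines in the post. The names parse_connect_reply, ConnectReply and describe are hypothetical; whether a client then follows the Location header is client behaviour this sketch does not model.

```python
# Added example: classify a proxy's reply to CONNECT per RFC 7231 section 4.3.6.
# A 2xx status means the tunnel is formed; any other status means the
# connection is still governed by HTTP.
from typing import NamedTuple, Optional


class ConnectReply(NamedTuple):
    status: int
    tunnel: bool             # True: bytes after the header block are tunnel data
    location: Optional[str]  # redirect target, reported only when no tunnel exists


def parse_connect_reply(raw: bytes) -> ConnectReply:
    head, sep, _rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"bad status line: {lines[0]!r}")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    tunnel = 200 <= status <= 299
    return ConnectReply(status, tunnel, None if tunnel else headers.get("location"))


# Constructed samples, built from the status lines quoted in the post.
SQUID_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"
PROPOSED_307 = (b"HTTP/1.1 307 Redirect\r\n"
                b"Location: http://192.168.1.1/blocked.html\r\n"
                b"Content-Length: 0\r\n\r\n")


def describe(raw: bytes) -> str:
    r = parse_connect_reply(raw)
    if r.tunnel:
        return f"{r.status}: tunnel formed, following bytes are opaque tunnel data"
    return f"{r.status}: no tunnel, connection still HTTP, Location={r.location}"


if __name__ == "__main__":
    for sample in (SQUID_200, PROPOSED_307):
        print(describe(sample))
```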