Re: deny_info and CONNECT for https request gives SSL error
On 16/10/18 9:05 PM, Alex Rousskov wrote:
> On 10/16/2018 06:29 AM, Amish wrote:
>
>> In my opinion correct flow should be like this:
>>
>> 1) Browser sends CONNECT request
>> 2) Check ACL
>> 3) If denied, return with 307 (or 302)
>> 4) If allowed, go ahead with tunneling / bumping as applicable
>
> Unfortunately, that ideal sequence does not work well in practice
> because popular browsers ignore CONNECT responses other than HTTP 200
> and 407. As a consequence, if you want to redirect "secure" browser
> traffic, Squid has to bump it first.
>
>
> HTH,
>
> Alex.

No, that's not correct.

The thing is that squid behaves differently for two exactly identical CONNECT requests, the only difference being ssl-bump.

Case 1:
http_port 8080 #no ssl-bump
acl denyit src all
deny_info http://192.168.1.1/blocked.html denyit
http_access deny denyit

> curl -ix 192.168.1.1:8080 https://google.com
HTTP/1.1 307 Temporary Redirect
Server: squid/4.3
Mime-Version: 1.0
Date: Tue, 16 Oct 2018 12:01:41 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Location: http://192.168.1.1/blocked.html
X-Squid-Error: 403 Access Denied
X-Cache: MISS from somehost
X-Cache-Lookup: NONE from somehost:8080
Connection: keep-alive


Notice that squid is indeed responding with a code other than 200 or 407 for a CONNECT (HTTPS) request.

So what you said does not seem to be correct.

Case 2:
http_port 8080 ssl-bump ...
acl denyit src all
deny_info http://192.168.1.1/blocked.html denyit
http_access deny denyit

> curl -ix 192.168.1.1:8080 https://google.com
HTTP/1.1 200 Connection established

curl: (60) SSL certificate problem: self signed certificate in certificate chain
...



Case 1: Browser gives "Proxy connection refused" (or a similar error).
Case 2: Browser gives "SSL certificate error".

Case 1 - The browser at least makes it clear to the end user that this is something the proxy is not allowing. Case 2 - The end user would be clueless about why there is an SSL error. He will never know that it's blocked by the proxy.

To me, case 1 is the more appropriate response.

Please give a thought,

Thank you,

Amish.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
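The two curl transcripts above differ only in what the proxy says in reply to CONNECT: a 307 with a Location header in case 1, a 200 followed by a failing TLS handshake in case 2. The following is an added example (not code from the thread or from the Squid project): a minimal CONNECT client that, like curl, honors whatever status the proxy returns and only starts TLS after a 200. The two sample responses are constructed from the transcripts above; `connect_via_proxy` needs a live proxy and is not exercised by the offline checks. Header names, the `classify_connect_response` verdict labels and the 5-second timeout are this example's own choices.

```python
"""Added example: a CONNECT client that honors non-200 proxy responses.

Not from the squid-users thread or the Squid project. It shows the
client-side half of the behaviour discussed above: a 307 at CONNECT time
is a clear "the proxy blocked this" signal, whereas a 200 followed by a
TLS failure (the ssl-bump case) carries no proxy-level explanation.
"""
import socket
import ssl

# Constructed sample responses, modelled on the two curl transcripts above.
CASE1_DENIED = (
    b"HTTP/1.1 307 Temporary Redirect\r\n"
    b"Server: squid/4.3\r\n"
    b"Location: http://192.168.1.1/blocked.html\r\n"
    b"X-Squid-Error: 403 Access Denied\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
CASE2_ESTABLISHED = b"HTTP/1.1 200 Connection established\r\n\r\n"


def parse_connect_response(head: bytes) -> dict:
    """Parse the status line and headers of a CONNECT response head."""
    status_line, _, rest = head.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line: %r" % status_line)
    headers = {}
    for line in rest.split(b"\r\n"):
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"status": int(parts[1]), "headers": headers}


def classify_connect_response(head: bytes) -> tuple:
    """Map a CONNECT response to a verdict the caller can act on.

    Returns one of ('established', None), ('auth', None),
    ('redirect', location_url) or ('denied', reason). The verdict labels
    are this example's own convention.
    """
    r = parse_connect_response(head)
    status = r["status"]
    if status == 200:
        return ("established", None)
    if status == 407:
        return ("auth", None)
    if status in (301, 302, 307, 308) and "location" in r["headers"]:
        return ("redirect", r["headers"]["location"])
    return ("denied", r["headers"].get("x-squid-error", str(status)))


def read_head(sock) -> bytes:
    """Read from the socket up to and including the end of the headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0] + b"\r\n\r\n"


def connect_via_proxy(proxy_host, proxy_port, target_host, target_port=443, timeout=5):
    """Send CONNECT through a proxy and start TLS only after a 200.

    Requires a live proxy (assumed reachable at proxy_host:proxy_port);
    the offline checks do not call this. Returns the CONNECT verdict, or
    ('tls_ok', None) / ('tls_error', message) once TLS has been attempted.
    """
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    req = "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (
        target_host, target_port, target_host, target_port)
    sock.sendall(req.encode())
    verdict = classify_connect_response(read_head(sock))
    if verdict[0] != "established":
        sock.close()
        return verdict  # case 1: the proxy told us why, before any TLS
    ctx = ssl.create_default_context()
    try:
        tls = ctx.wrap_socket(sock, server_hostname=target_host)
    except ssl.SSLCertVerificationError as e:
        sock.close()
        return ("tls_error", str(e))  # case 2: bumped, unknown issuer
    tls.close()
    return ("tls_ok", None)
```

Run against the case 1 configuration this returns the redirect target straight from the CONNECT response; against the case 2 configuration it reaches the TLS handshake and fails certificate verification, exactly the two outcomes curl reported above. A browser that, as Alex describes, treats every non-200/407 CONNECT response as a generic proxy failure never sees the Location header at all.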