Fwd: Https blocked sites getting ssl error , with connection abruptly ending - Peek and splice feature

Hi Everyone, 

Have configured a squid proxy with https whitelisted sites using the ssl bump peek and splice feature in transparent mode.
Although non-whitelisted sites are getting blocked, it is not graceful: there is an 'ssl connect error' and no 403 message (using curl). For http, it is working fine, with Access denied and the 403 http error code.

Using ssl bump 'terminate all' seems to abruptly stop the connection; this might cause issues in our application.

Is there a way to terminate the connection gracefully with an access denied message (with 403 error code), just like it does for Http?

Non Whitelisted site error:

curl -I https://nba.com
curl: (35) SSL connect error


http non whitelisted site:

c5278791@ban-squid-client22 ~]$ curl -I http://nba.com
HTTP/1.1 403 Forbidden
Server: squid/3.5.28
Mime-Version: 1.0
Date: Fri, 25 Jan 2019 17:01:38 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3574
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from squid
Via: 1.1 squid (squid/3.5.28)
Connection: keep-alive


https whitelisted site works fine:

curl -I https://cnn.com
HTTP/1.1 301 Moved Permanently
Server: Varnish
Retry-After: 0
Content-Length: 0
Cache-Control: public, max-age=600
Location: https://www.cnn.com/
Accept-Ranges: bytes
Date: Fri, 25 Jan 2019 17:00:08 GMT
Via: 1.1 varnish
Connection: close
Set-Cookie: countryCode=US; Domain=.cnn.com; Path=/
Set-Cookie: geoData=mountain view|CA|94043|US|NA; Domain=.cnn.com; Path=/
X-Served-By: cache-sea1038-SEA
X-Cache: HIT
X-Cache-Hits: 0

Squid.conf Details:

visible_hostname squid

cache deny all

#Handling HTTP requests
http_port 3128 intercept
acl allowed_http_sites dstdomain .amazonaws.com .bbc.com
#acl allowed_http_sites dstdomain [you can add other domains to permit]
http_access allow allowed_http_sites

#Handling HTTPS requests
https_port 3130 cert=/etc/pki/tls/certs/squidCA.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com .cnn.com .yahoo.com .bbc.com
#acl allowed_https_sites ssl::server_name [you can add other domains to permit]
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump splice allowed_https_sites
#ssl_bump peek step2 all
ssl_bump terminate all

http_access deny all


Squid version:

squid -v
Squid Cache: Version 3.5.28
Service Name: squid

This binary uses OpenSSL 1.0.1e-fips 11 Feb 2013. For legal restrictions on distribution see https://www.openssl.org/source/license.html


configure options:  '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-openssl' '--enable-ssl-crtd' --enable-ltdl-convenien


OS version:

cat /etc/redhat-release
CentOS release 6.10 (Final)


Thanks,

-Bandeep

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
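Added illustration (not Bandeep's configuration or Squid's own code): a Python model of how the quoted ssl_bump rules are evaluated step by step, showing why a peek at SslBump1 followed by 'terminate all' for a non-whitelisted SNI ends the TLS handshake and can only reach curl as an SSL connect error, whereas a 403 is an HTTP reply that needs an established TLS session. It assumes dstdomain-style matching for ssl::server_name and that no SNI is known before the ClientHello is peeked.

```python
# Constructed model of Squid's ssl_bump evaluation for the rules quoted above (not Squid's
# code): at_step, ssl::server_name (dstdomain-style matching assumed), first match wins per step.
# ssl_bump lines from the post's squid.conf, in file order: (action, ACL names)
SSL_BUMP_RULES = [
    ("peek", ["step1", "all"]),
    ("splice", ["allowed_https_sites"]),
    ("terminate", ["all"]),
]
ALLOWED_HTTPS_SITES = [".amazonaws.com", ".cnn.com", ".yahoo.com", ".bbc.com"]

def domain_matches(pattern, host):
    """Leading dot matches the domain itself and any subdomain; otherwise exact."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(name, step, sni):
    """Evaluate one named ACL at the given SslBump step."""
    if name == "all":
        return True
    if name in ("step1", "step2", "step3"):
        return step == int(name[-1])  # at_step SslBumpN holds only during step N
    if name == "allowed_https_sites":
        # Assumption: before the ClientHello is peeked (step 1) no SNI is known.
        return sni is not None and any(domain_matches(p, sni) for p in ALLOWED_HTTPS_SITES)
    raise KeyError(f"unknown acl {name}")

def bump_action(step, sni):
    """First ssl_bump line whose ACLs all match wins; None if nothing matched."""
    for action, acls in SSL_BUMP_RULES:
        if all(acl_matches(a, step, sni) for a in acls):
            return action
    return None

def simulate(sni):
    """Per-step decisions for a connection whose ClientHello carries `sni`;
    a peek at step 1 parses the ClientHello and moves on to step 2."""
    decisions = [(1, bump_action(1, None))]
    if decisions[-1][1] == "peek":
        decisions.append((2, bump_action(2, sni)))
    return decisions

def client_view(sni):
    """What curl sees for the final action: a terminated handshake can only surface
    as a TLS error, because a 403 is an HTTP reply that needs a live TLS session."""
    final = simulate(sni)[-1][1]
    return {"splice": "origin TLS handshake completes; HTTP response passes through",
            "terminate": "curl: (35) SSL connect error"}.get(final, f"action {final}")
```

Running simulate("nba.com") gives [(1, "peek"), (2, "terminate")], matching the curl (35) error in the post, while simulate("www.cnn.com") ends in "splice", matching the 301 that passed through.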
