url_rewrite_program, sslbump and CONNECT = broken redirect page?


Hello,

I have a perfectly working SSL bump setup (via proxy CONNECT requests) except when a site is blocked.

I have a rewrite program which blocks, say, foo.com.

Roughly it does this:

HTTP - non secure
STDIN: GET http://foo.com
STDOUT: rewrite-url="http://127.0.0.1/blocked";

Above works fine as expected, the page is fetched and shown.

But now if it is a CONNECT (https) request:

STDIN: CONNECT foo.com:443
STDOUT: rewrite-url="http://127.0.0.1/blocked";

Then instead of fetching the above page it tries to fetch "CONNECT http:443" and returns ERR_DNS_FAIL page.

The problem code begins here: (client_side_request.cc)
https://github.com/squid-cache/squid/blob/master/src/client_side_request.cc#L1261

which leads to: (AnyP::Uri parse() function)
https://github.com/squid-cache/squid/blob/master/src/anyp/Uri.cc#L211

which treats CONNECT requests differently than what is documented.

It finds the domain as something colon number. And it looks like it ignores urlpath completely.

So in my case it becomes http:443.

And hence redirection breaks.

How do I convert CONNECT requests over ssl bump to GET http://127.0.0.1/blocked?

This exact issue was reported earlier too, in 2015, but the person who reported it probably couldn't locate the exact reason and the bug went unnoticed.

http://lists.squid-cache.org/pipermail/squid-users/2015-August/005170.html

Regards

Amish.
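
Added example, not part of the original message and not Squid code: an offline check over a rewrite helper's request/reply pairs that flags the case described above, where a CONNECT request is answered with a rewrite-url that is a full URL rather than host:port. The function names are hypothetical, the requests use the message's simplified "METHOD target" notation, and the 127.0.0.1:8443 reply is a constructed value.

```python
import re

# host:port with nothing else: the only shape a CONNECT target has.
AUTHORITY = re.compile(r'^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(\d{1,5})$')
REWRITE = re.compile(r'rewrite-url="([^"]*)"')


def is_authority(value):
    """True if value is exactly host:port with a port in 1..65535."""
    m = AUTHORITY.match(value)
    return bool(m) and 1 <= int(m.group(2)) <= 65535


def check_pair(request, reply):
    """Return a finding for one helper request/reply pair, or None.

    request uses the message's simplified "METHOD target" notation,
    not the full line Squid sends to a helper.
    """
    method, _, target = request.strip().partition(" ")
    m = REWRITE.search(reply)
    if not m or method.upper() != "CONNECT":
        return None  # no rewrite, or a request form the message says works
    new = m.group(1)
    if is_authority(new):
        return None
    # Read as host:port, everything before the first colon is the host.
    host = new.split(":", 1)[0]
    return (f"CONNECT {target}: rewrite-url {new!r} is not host:port; "
            f"a host:port reading takes {host!r} as the host")


def audit(pairs):
    """Check every (request, reply) pair and collect the findings."""
    return [f for f in (check_pair(req, rep) for req, rep in pairs) if f]


# The first two pairs are quoted in the message; the third is constructed.
SAMPLE = [
    ("GET http://foo.com", 'rewrite-url="http://127.0.0.1/blocked";'),
    ("CONNECT foo.com:443", 'rewrite-url="http://127.0.0.1/blocked";'),
    ("CONNECT foo.com:443", 'rewrite-url="127.0.0.1:8443";'),  # constructed
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Only the second pair is flagged, and the host it reports is "http", matching the "http:443" target described in the message.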