Hi all,
I know it's an old subject but I come back on it as I moved my old proxy
server to Debian Buster.
I now have a 4.10 version from git.
Here are my last tests regarding this subject :
* Using c-icap for virus detection works well. I mean if I download a
virus from an HTTPS server like
https://www.blablasecurity.com/wp-content/downloads/eicar_com.zip, I get
redirected to the squidclamav cgi page (even if it is HTTP, I mean HTTPS
redirect to HTTP).
* url_rewrite_program with squidguard using a basic configuration
works well with all non-HTTPS request. With HTTPS, it shows a SQUID
error : *Unable to determine IP address from host name "http"*
* url_rewrite_program with squidguard that is not triggered by the
CONNECT method (through this configuration: url_rewrite_access deny
CONNECT) but by the subsequent one gives a 404 coming from the remote
site. In the log, you see squid get the redirection from the
url_rewrite_program but at the end it forges a request to the remote
HTTPS site with a GET content of the redirection.
So c-icap manages to handle it well but url_rewrite_program doesn't.
Is there any new option since 3.4.8, that I could try to manage it as
good as c-icap redirection?
Best regards, Edouard
Le 04/05/2017 à 11:03, Edouard Gaulué a écrit :
Hi community,
Any news about this?
I've tried 3.5.25 but still observe this behaviour.
I understand it well since I read:
https://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
But how to let the CONNECT request succeed and later block/redirect
next HTTP request coming through this established connection tunnel?
Best Regards,
Le 03/11/2015 à 23:48, Edouard Gaulué a écrit :
Hi community,
I've followed
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit ; to
set my server. It looks really interesting and it's said to be the more
common configuration.
I often observe (example here withwww.youtube.com) :
***************************
The following error was encountered while trying to retrieve the URL:
https://http/*
*Unable to determine IP address from host name "http"*
The DNS server returned:
Name Error: The domain name does not exist.
****************************
This happens while the navigator (Mozilla) is trying to get a frame at
https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?
That's ads so I'm not so fond of it...
But this leads me to the fact I get this behavior each time the site is
banned by squidguard.
Is there something to do to avoid this behavior? I mean, squidguard
should send :
*********************************
Access denied
Supplementary info :
Client address = 192.168.XXX.XXX
Client name = 192.168.XXX.XXX
User ident =
Client group = XXXXXXX
URL = https://ad.doubleclick.net/
Target class = ads
If this is wrong, contact your administrator
**********************************
squidguard is an url_rewrite_program that looks to respect squid
requirements. Redirect looks like this :
http://proxyweb.myserver.mydomain/cgi-bin/squidGuard-simple.cgi?clientaddr=...
I've played arround trying to change the redirect URL and it leads me to
the idea ssl_bump tries to analyse the part until the ":". Is there a
way
to avoid this? Is this just a configuration matter?
Could putting a ssl_bump rule saying "every server that name match
"http" or
"https" should splice" solve the problem?
Regards, EG
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
