Re: ssl bump and url_rewrite_program (like squidguard)

Hi,

Sorry for the noise. In fact, it works. It's just squid couldn't connect to the local cgi page (while it could for squidclamav), and then did its best that was rather strange.

I confirm "url_rewrite_access deny CONNECT" works like a charm to avoid redirection during connection establishment and squid getting mad.

Best regards,

On 10/03/2020 at 10:53, Edouard Gaulué wrote:
Hi all,

I know it's an old subject but I come back on it as I moved my old proxy server to Debian Buster.

I now have a 4.10 version from git.

Here are my last tests regarding this subject:

 * Using c-icap for virus detection works well. I mean if I download a virus from an HTTPS server like https://www.blablasecurity.com/wp-content/downloads/eicar_com.zip, I get redirected to the squidclamav cgi page (even if it is HTTP, I mean HTTPS redirect to HTTP).
 * url_rewrite_program with squidguard using a basic configuration works well with all non-HTTPS requests. With HTTPS, it shows a SQUID error: *Unable to determine IP address from host name "http"*
 * url_rewrite_program with squidguard that is not triggered by the CONNECT method (through this configuration: url_rewrite_access deny CONNECT) but by the subsequent one gives a 404 coming from the remote site. In the log, you see squid get the redirection from the url_rewrite_program but at the end it forges a request to the remote HTTPS site with a GET content of the redirection.

So c-icap manages to handle it well but url_rewrite_program doesn't.

Is there any new option since 3.4.8 that I could try to manage it as well as c-icap redirection?

Best regards, Edouard


On 04/05/2017 at 11:03, Edouard Gaulué wrote:
Hi community,

Any news about this?

I've tried 3.5.25 but still observe this behaviour.

I understand it well since I read: https://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy

But how to let the CONNECT request succeed and later block/redirect next HTTP request coming through this established connection tunnel?

Best Regards,

On 03/11/2015 at 23:48, Edouard Gaulué wrote:
Hi community,

I've followed
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit ; to
set my server. It looks really interesting and it's said to be the more
common configuration.

I often observe (example here with www.youtube.com):
***************************
The following error was encountered while trying to retrieve the URL:
https://http/*

    *Unable to determine IP address from host name "http"*

The DNS server returned:

    Name Error: The domain name does not exist.
****************************

This happens while the navigator (Mozilla) is trying to get a frame at
https://ad.doubleclick.net/N4061/adi/com.ythome/_default;sz=970x250;tile=1;ssl=1;dc_yt=1;kbsg=HPFR151103;kga=-1;kgg=-1;klg=fr;kmyd=ad_creative_1;ytexp=9406852,9408210,9408502,9417689,9419444,9419802,9420440,9420473,9421645,9421711,9422141,9422865,9423510,9423563,9423789;ord=968558538238386?

That's ads so I'm not so fond of it...

But this leads me to the fact I get this behavior each time the site is
banned by squidguard.

Is there something to do to avoid this behavior? I mean, squidguard
should send :

*********************************
  Access denied

Supplementary info     :
Client address     =     192.168.XXX.XXX
Client name     =     192.168.XXX.XXX
User ident     =
Client group     =     XXXXXXX
URL     =     https://ad.doubleclick.net/
Target class     =     ads

If this is wrong, contact your administrator
**********************************

squidguard is an url_rewrite_program that looks to respect squid
requirements. Redirect looks like this :
http://proxyweb.myserver.mydomain/cgi-bin/squidGuard-simple.cgi?clientaddr=...

I've played around trying to change the redirect URL and it leads me to the idea ssl_bump tries to analyse the part until the ":". Is there a way
to avoid this? Is this just a configuration matter?

Could putting a ssl_bump rule saying "every server whose name matches "http" or
"https" should splice" solve the problem?

Regards, EG


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
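
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not squidGuard's code: a rewrite helper's reply logic that answers "no change" for CONNECT (the same effect as `url_rewrite_access deny CONNECT`) and redirects only the request seen after the bump. It assumes the Squid 3.4+ helper replies (`OK status=... url=...`, `ERR`, `BH`), the default `url_rewrite_extras` and helper concurrency 0; the host names, the block-page URL and the host:port model in `connect_host` are illustrative assumptions.

```python
# Added example: reply logic for a url_rewrite_program-style helper.
# Block list and block-page URL are hypothetical placeholders.
BLOCKED_HOSTS = {"ads.example.test"}
BLOCK_PAGE = "http://proxy.example.test/cgi-bin/blocked.cgi"

# Constructed request lines: URL, then the default url_rewrite_extras
# (client ip/fqdn, user, method, myip=, myport=), helper concurrency 0.
SAMPLE = [
    "ads.example.test:443 192.0.2.10/- - CONNECT myip=192.0.2.1 myport=3128",
    "https://ads.example.test/banner 192.0.2.10/- - GET myip=192.0.2.1 myport=3128",
    "https://www.example.test/ 192.0.2.10/- - GET myip=192.0.2.1 myport=3128",
]


def connect_host(target):
    """Simplified model, not Squid's parser: a CONNECT target has the form
    host:port, so the text before the first ':' is read as the host name."""
    return target.split(":", 1)[0]


def host_of(url):
    """Host of a CONNECT target (host:port) or of an absolute URL."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].split(":", 1)[0].lower()


def answer(line):
    """Helper reply for one request line."""
    fields = line.split()
    if len(fields) < 4:
        return 'BH message="short request line"'
    url, method = fields[0], fields[3]
    if method == "CONNECT":
        return "ERR"  # leave tunnel set-up untouched; filter the bumped request
    if host_of(url) in BLOCKED_HOSTS:
        return f'OK status=302 url="{BLOCK_PAGE}"'
    return "ERR"  # ERR means "no change" in the helper protocol


if __name__ == "__main__":
    # Why redirecting a CONNECT fails: the block-page URL read as host:port.
    print("host seen for CONNECT redirect:", connect_host(BLOCK_PAGE))
    for line in SAMPLE:  # a deployed helper would loop over sys.stdin instead
        print(answer(line))
```

`connect_host(BLOCK_PAGE)` yields `http`, the host name in the error page quoted above.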

