My effort so far:
acl SquidTLSErrorConnect ssl_error SQUID_TLS_ERR_CONNECT
##############################
# unsupported protocol definitions
##############################
# define what Squid errors indicate receiving non-HTTP traffic:
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
# define what Squid errors indicate receiving nothing:
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
acl SquidSecureConnectFail squid_error ERR_SECURE_CONNECT_FAIL
# tunnel everything that does not look like HTTP:
on_unsupported_protocol tunnel foreignProtocol
# tunnel if we think the client waits for the server to talk first:
on_unsupported_protocol tunnel serverTalksFirstProtocol
# tunnel all for connection errors
on_unsupported_protocol tunnel SquidTLSErrorConnect
on_unsupported_protocol tunnel SquidSecureConnectFail
# in all other error cases, just send an HTTP "error page" response:
on_unsupported_protocol respond all
This is how it changed the behaviour (checked only with redir.netcentrum.cz so far)
1712126917.823 0 10.0.0.1 NONE_NONE/503 13605 GET https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html redir.netcentrum.cz
1712126918.842 23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126918.881 0 10.0.0.1 NONE_NONE/503 13605 GET https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html redir.netcentrum.cz
1712126919.116 21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126919.156 0 10.0.0.1 NONE_NONE/503 13605 GET https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html redir.netcentrum.cz
1712126918.839 19 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126918.845 0 10.0.0.1 NONE_NONE/503 13605 GET https://redir.netcentrum.cz/? - HIER_NONE/- text/html redir.netcentrum.cz
1712126919.113 19 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126919.119 0 10.0.0.1 NONE_NONE/503 13605 GET https://redir.netcentrum.cz/? - HIER_NONE/- text/html redir.netcentrum.cz
1712127729.466 66 10.0.0.1 TCP_MISS/200 719 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127729.516 9 10.0.0.1 TCP_MISS/403 424 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -
1712127768.494 8 10.0.0.1 TCP_MISS/200 794 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127768.544 7 10.0.0.1 TCP_MISS/403 424 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -
1712127833.348 9 10.0.0.1 TCP_MISS/200 794 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127833.486 15 10.0.0.1 TCP_MISS/403 424 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -
1712129450.601 27 10.0.0.1 TCP_MISS/200 851 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712129450.688 8 10.0.0.1 TCP_MISS/403 424 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -
1712130278.514 54 10.0.0.1 TCP_MISS/200 795 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712130278.565 9 10.0.0.1 TCP_MISS/403 422 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -
1712130282.165 9 10.0.0.1 TCP_MISS/200 815 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712130282.222 8 10.0.0.1 TCP_MISS/403 424 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -
I can see a clear change from GET https to GET http only. I have to check what else does not work and why (for example, many users complained about heureka.cz subdomains not opening right with https). I have to say there are many less competent admins in the wild with self-signed or unmatched certificates on their websites, thinking they did the homework right. It is tough to explain to my users that the error page they are getting is not a result of faulty local gear, nor an attempt by the admin to spy on them or to block some sites etc.
LL
Hello,
this has recently started me up more than let it go. For a while Chrome has been upgrading in-page links to https. It is supposed to work something like https://www.bleepingcomputer.com/news/google/google-chrome-now-auto-upgrades-to-secure-connections-for-all-users/
But there is a catch for me - my Squid returns something like:
(104) Connection reset by peer (TLS code: SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104)
Failed to establish a secure connection: [No Error]
or
[No Error] (TLS code: SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=1408F10B+TLS_IO_ERR=1)
Failed to establish a secure connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
to the user, via an error page.
Log file:
1712122364.809 1172 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122366.296 23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122366.293 21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122367.111 20 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122367.114 21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
In fact, these seem to be http-only sites, like https://www.ssllabs.com/ssltest/analyze.html?d=www.jarovnet.org or https://www.ssllabs.com/ssltest/analyze.html?d=redir.netcentrum.cz&s=46.255.231.158&latest. See this snapshot from the Centrum web mail page source code: "Více informací o tomto zapezpečení naleznete v <a href="" class="moz-txt-link-rfc2396E" href="http://napoveda.centrum.cz/index.php?/Knowledgebase/Article/View/18/1/" moz-do-not-send="true">"http://napoveda.centrum.cz/index.php?/Knowledgebase/Article/View/18/1/" "
So, what is supposed to be happening is that Chrome should fall back to http if there is a problem with https - I think the most obvious reason to fall back would be no output at all. So I think my effort should target the situation when Squid says ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104 and remain silent to the client.
Is there a way to do it - i.e. not show an error page when it is not possible to connect to the server at all? I'd like every other problem (i.e. bad/self-signed/unmatched certificate etc.) pushed to the client's eyes. I have implemented https://www.squid-cache.org/Doc/config/on_unsupported_protocol/ like in the example - but it is for accepted TCP connections. I'd like to handle SSL errors - such as not being able to connect at all. Could it be done with https://www.squid-cache.org/Doc/config/sslproxy_cert_error/?
LL
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users
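The two messages above describe the same diagnostic step from both ends: the annotated CONNECT lines in the log (SNI, BumpMode, Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+...) and the on_unsupported_protocol rules meant to tunnel rather than show an error page for them. Before widening a tunnel rule, an admin usually wants to know which destinations fail because the server does not speak TLS on 443 at all (the errno=104 reset and the 1408F10B "wrong version number" cases in the post) as opposed to certificate problems that should still reach the user. The script below, an added example that is not from the post or from the Squid project, parses log lines in the field order shown in the post, classifies each CONNECT failure, and lists hosts whose every observed CONNECT failed in one of those two ways. The first two sample lines are the post's own; the remaining lines, the hosts good.example.net and odd.example.net, the 192.0.2.x addresses, the TCP_TUNNEL/200 success line layout and the TLS_LIB_ERR=PLACEHOLDER value are constructed for the example.

```python
"""Classify Squid CONNECT failures from access.log lines carrying the
extended TLS annotation ("SNI <host> ... Error: <err> | <detail>").

Added example, not from the post or the Squid project. Field order is
assumed from the lines pasted in the post."""
import re
from collections import Counter, defaultdict

# Constructed sample log. Lines 1-2 are copied from the post; lines 3-5 are
# invented (hosts, IPs, the success-line layout and TLS_LIB_ERR=PLACEHOLDER).
SAMPLE_LOG = """\
1712122364.809 1172 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122366.296 23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122370.000 25 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=1408F10B+TLS_IO_ERR=1
1712122371.000 40 10.0.0.1 TCP_TUNNEL/200 5120 CONNECT 192.0.2.10:443 - ORIGINAL_DST/192.0.2.10 - SNI good.example.net BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - -
1712122372.000 30 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 192.0.2.20:443 - HIER_NONE/- - SNI odd.example.net BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=PLACEHOLDER+TLS_IO_ERR=1
"""

# Leading native-format fields: time, duration, client, status/code, bytes, method, target
FIELDS_RE = re.compile(r"^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)")
SNI_RE = re.compile(r"\bSNI (\S+)")
ERR_RE = re.compile(r"Error: (\S+) \| (\S+)\s*$")


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    m = FIELDS_RE.match(line)
    if not m:
        return None
    rec = {"time": float(m.group(1)), "client": m.group(3), "status": m.group(4),
           "http_code": int(m.group(5)), "method": m.group(7), "target": m.group(8),
           "sni": None, "error": None, "detail": {}}
    s = SNI_RE.search(line)
    if s and s.group(1) != "-":
        rec["sni"] = s.group(1)
    e = ERR_RE.search(line)
    if e:
        rec["error"] = e.group(1)
        # detail looks like SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
        parts = e.group(2).split("+")
        rec["detail"] = {"code": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            rec["detail"][key] = value
    return rec


def classify(rec):
    """Map a parsed record to a failure kind."""
    if rec["error"] is None:
        return "ok"
    d = rec["detail"]
    if rec["error"] != "ERR_SECURE_CONNECT_FAIL" or d.get("code") != "SQUID_TLS_ERR_CONNECT":
        return "other_error"
    if d.get("errno") == "104":
        return "reset_by_peer"          # "(104) Connection reset by peer" in the post
    if d.get("TLS_LIB_ERR") == "1408F10B":
        return "wrong_version_number"   # server answered in plaintext on port 443
    return "other_tls_connect_error"


# Kinds that mean the server never spoke TLS, as opposed to certificate trouble.
NO_TLS_KINDS = {"reset_by_peer", "wrong_version_number"}


def summarize(log_text):
    """Count failure kinds per destination (SNI when present, else IP:port)."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        per_host[rec["sni"] or rec["target"]][classify(rec)] += 1
    return per_host


def http_only_candidates(log_text, min_failures=2):
    """Hosts whose every observed CONNECT failed with a no-TLS kind."""
    out = []
    for host, counts in summarize(log_text).items():
        no_tls = sum(counts[k] for k in NO_TLS_KINDS)
        if no_tls >= min_failures and no_tls == sum(counts.values()):
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    for host, counts in summarize(SAMPLE_LOG).items():
        print(host, dict(counts))
    print("HTTP-only candidates:", http_only_candidates(SAMPLE_LOG))
```

Run against a real access.log the same way (read the file instead of SAMPLE_LOG); the candidate list is the set of destinations for which a silent tunnel or a per-host exception is justified, while hosts that fall under other_tls_connect_error or other_error are the ones whose error pages should keep reaching the user.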