Search squid archive

Re: Chrome auto-HTTPS-upgrade - not falling to http

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



My effort so far:


acl SquidTLSErrorConnect ssl_error SQUID_TLS_ERR_CONNECT

##############################
#unsupported protocol definice
##############################
# define what Squid errors indicate receiving non-HTTP traffic:
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG

# define what Squid errors indicate receiving nothing:
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT

acl SquidSecureConnectFail squid_error ERR_SECURE_CONNECT_FAIL

# tunnel everything that does not look like HTTP:
on_unsupported_protocol tunnel foreignProtocol

# tunnel if we think the client waits for the server to talk first:
on_unsupported_protocol tunnel serverTalksFirstProtocol

#tunnel all for connection errors
on_unsupported_protocol tunnel SquidTLSErrorConnect
on_unsupported_protocol tunnel SquidSecureConnectFail


# in all other error cases, just send an HTTP "error page" response:
on_unsupported_protocol respond all

This is how it changed the behaviour (checked only with  redir.netcentrum.cz so far)


1712126917.823      0 10.0.0.1 NONE_NONE/503 13605 GET https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html redir.netcentrum.cz
1712126918.842     23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126918.881      0 10.0.0.1 NONE_NONE/503 13605 GET https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html redir.netcentrum.cz
1712126919.116     21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126919.156      0 10.0.0.1 NONE_NONE/503 13605 GET https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html redir.netcentrum.cz
1712126918.839     19 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126918.845      0 10.0.0.1 NONE_NONE/503 13605 GET https://redir.netcentrum.cz/? - HIER_NONE/- text/html redir.netcentrum.cz
1712126919.113     19 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126919.119      0 10.0.0.1 NONE_NONE/503 13605 GET https://redir.netcentrum.cz/? - HIER_NONE/- text/html redir.netcentrum.cz
1712127729.466     66 10.0.0.1 TCP_MISS/200 719 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127729.516      9 10.0.0.1 TCP_MISS/403 424 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -
1712127768.494      8 10.0.0.1 TCP_MISS/200 794 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127768.544      7 10.0.0.1 TCP_MISS/403 424 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -
1712127833.348      9 10.0.0.1 TCP_MISS/200 794 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127833.486     15 10.0.0.1 TCP_MISS/403 424 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -
1712129450.601     27 10.0.0.1 TCP_MISS/200 851 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712129450.688      8 10.0.0.1 TCP_MISS/403 424 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -
1712130278.514     54 10.0.0.1 TCP_MISS/200 795 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712130278.565      9 10.0.0.1 TCP_MISS/403 422 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -
1712130282.165      9 10.0.0.1 TCP_MISS/200 815 GET http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712130282.222      8 10.0.0.1 TCP_MISS/403 424 GET http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158 text/plain -

I can see clear change from GET https to GET http only. I have to check what else does not work and why. (for example many users complained about heureka.cz subdomains not openning right with https.) I have to say - there many less competent admins in the wild with selfsigned or unmatched certificates on their websites, thinking they did the homework right. It is tough to explaing to my users that the error page they are getting is not a result of a faulty local gear - nor an attempt of the admin to spy on them or to block some sites etc.

LL

Dne 03.04.2024 v 8:14 Loučanský Lukáš napsal(a):

Hello,

this has recently started me up more then let it go. For a while chrome is upgrading in-page links to https. It is supposed to work something like https://www.bleepingcomputer.com/news/google/google-chrome-now-auto-upgrades-to-secure-connections-fo r-all-users/

But there is a catch for me - my squid returns something like:

(104) Connection reset by peer (TLS code: SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104)
Failed to establish a secure connection: [No Error]

or

[No Error] (TLS code: SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=1408F10B+TLS_IO_ERR=1)
Failed to establish a secure connection: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

to the user - via error page

Log file:

1712122364.809   1172 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122366.296     23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122366.293     21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122367.111     20 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122367.114     21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT 46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph - Error: ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104

In fact - this seems to be http only sites like - https://www.ssllabs.com/ssltest/analyze.html?d=www.jarovnet.org or https://www.ssllabs.com/ssltest/analyze.html?d=redir.netcentrum.cz&s=46.255.231.158&latest. See this snapshot from centrum web mail page source code "Více informací o tomto zapezpečení naleznete v <a href="" class="moz-txt-link-rfc2396E" href="http://napoveda.centrum.cz/index.php?/Knowledgebase/Article/View/18/1/" moz-do-not-send="true">"http://napoveda.centrum.cz/index.php?/Knowledgebase/Article/View/18/1/" "

So - what is supposed to be happening is chrome should fallback to http if there is a problem with https - i think the most obvious reason to fall back would be no output at all. So I think my effort should target the situation when squid says  ERR_SECURE_CONNECT_FAIL | SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104 and to remain silent to the client.

Is there a way to do it - ie. do not show error page for not able to connect to server at all? I'd like every other problems (ie. bad/selfsigned/not matched certificate etc.) pushed to the client's eyes. I have implemented https://www.squid-cache.org/Doc/config/on_unsupported_protocol/ like in the example - but it is for an accepted TCP connections. I'd like to handle SSL errors - such as not being able to connect at all. - could it be done with https://www.squid-cache.org/Doc/config/sslproxy_cert_error/?

LL



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux