Re: [squid-users] squidguard ssl redirect

From: Marcus Kool <marcus.kool_at_urlfilterdb.com>
Date: Wed, 03 Sep 2008 22:05:34 -0300

Hi Martin,

Squid is a little awkward:
the URL returned by squidguard must have the same protocol as the original URL.
So for a URL with HTTPS protocol, squidguard must return a URL that uses the HTTPS protocol.
This is really not nice but the workaround is to use a 302 redirection:
    redirect 302:http://www.internal-server.com/blocked.html

-Marcus

martin perner wrote:
> Hi,
>
> I'm running a squid 2.7.STABLE3 on a SLES10 as a normal proxy.
>
> For content-filtering we are using squidguard which redirects a user to
> a special page if he hits a blocked page.
>
> If the redirect goes to a http page everything works as expected.
>
> But if the redirect goes to a https page, the user gets an error page
> saying that the connection failed and the system returned '(71) Protocol
> error'. In the cache.log an error is printed (attached).
>
> A deny_info to the https page works without any problem.
>
> When I'm adding 'sslproxy_flags DONT_VERIFY_PEER' to the squid.conf the
> error disappears.
>
> The question is now: is the sslproxy_flags method opening any holes in
> the setup or is there another way for solving this problem?
>
> Thanks in advance
>
>
>
> part of the cache.log (cut the detail about the certificate):
>
> 2008/09/03 17:50:05| SSL unknown certificate error 20 in (cert)
> 2008/09/03 17:50:05| fwdNegotiateSSL: Error negotiating SSL connection
> on FD 48: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> 2008/09/03 17:50:05| SSL unknown certificate error 20 in (cert)
> 2008/09/03 17:50:05| fwdNegotiateSSL: Error negotiating SSL connection
> on FD 48: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
> 2008/09/03 17:50:05| SSL unknown certificate error 20 in (cert)
> 2008/09/03 17:50:05| fwdNegotiateSSL: Error negotiating SSL connection
> on FD 48: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
>
>
Received on Thu Sep 04 2008 - 01:05:51 MDT
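
The rule from the reply above, sketched as a small Squid redirector helper. This is an added example, not code from the thread or from squidGuard. Assumptions: the helper input line is "URL client/fqdn ident method", CONNECT requests carry host:port in the URL field, and BLOCKED_HOSTS plus all function names are hypothetical.

```python
import sys
from urllib.parse import urlsplit

BLOCK_PAGE = "http://www.internal-server.com/blocked.html"  # URL from the reply
BLOCKED_HOSTS = {"blocked.example"}  # constructed sample blocklist


def request_scheme_host(url, method):
    """Return (scheme, host) for the URL field of a helper request line."""
    if method == "CONNECT":
        # Assumed: an HTTPS tunnel request is passed as host:port.
        return "https", url.rsplit(":", 1)[0].lower()
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def answer(line):
    """Build the helper reply: '' = leave the request unchanged,
    a bare URL = rewrite inside Squid, '302:URL' = send the client a redirect."""
    fields = line.split()
    if len(fields) < 4:
        # Unparseable input: fail closed with a client-side redirect.
        return "302:" + BLOCK_PAGE
    url, method = fields[0], fields[3]
    scheme, host = request_scheme_host(url, method)
    if host not in BLOCKED_HOSTS:
        return ""
    if urlsplit(BLOCK_PAGE).scheme == scheme:
        # Same protocol as the original URL: a plain rewrite is acceptable.
        return BLOCK_PAGE
    # Protocol differs: let the browser fetch the block page itself, so Squid
    # never opens the connection and sslproxy_flags DONT_VERIFY_PEER is not
    # needed to get past the certificate check.
    return "302:" + BLOCK_PAGE


if __name__ == "__main__":
    # Helper loop: one request per line on stdin, one reply per line on stdout.
    for request in sys.stdin:
        sys.stdout.write(answer(request) + "\n")
        sys.stdout.flush()
```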
