Re: [squid-users] squidguard ssl redirect

From: martin perner <martin.perner_at_googlemail.com>
Date: Thu, 04 Sep 2008 08:39:33 +0200

Hi Marcus,

that did the trick, now it works as expected.

Thank you very much

Martin

Marcus Kool wrote:
> Hi Martin,
>
> Squid is a little awkward:
> the URL returned by squidguard must have the same protocol as the original URL.
> So for a URL with HTTPS protocol, squidguard must return a URL that uses
> the HTTPS protocol.
> This is really not nice but the workaround is to use a 302 redirection:
> redirect 302:http://www.internal-server.com/blocked.html
>
> -Marcus
>
>
> martin perner wrote:
>> Hi,
>>
>> I'm running a squid 2.7.STABLE3 on a SLES10 as a normal proxy.
>>
>> For content-filtering we are using squidguard which redirects a user to
>> a special page if he hits a blocked page.
>>
>> If the redirect goes to a http page everything works as expected.
>>
>> But if the redirect goes to a https page, the user gets an error page
>> saying that the connection failed and the system returned '(71) Protocol
>> error'. In the cache.log an error is printed (attached).
>>
>> A deny_info to the https page works without any problem.
>>
>> When I'm adding 'sslproxy_flags DONT_VERIFY_PEER' to the squid.conf the
>> error disappears.
>>
>> The question is now: is the sslproxy_flags method opening any holes in
>> the setup or is there another way for solving this problem?
>>
>> Thanks in advance
>>
>>
>>
>> part of the cache.log (cut the detail about the certificate):
>>
>> 2008/09/03 17:50:05| SSL unknown certificate error 20 in (cert)
>> 2008/09/03 17:50:05| fwdNegotiateSSL: Error negotiating SSL connection
>> on FD 48: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
>> 2008/09/03 17:50:05| SSL unknown certificate error 20 in (cert)
>> 2008/09/03 17:50:05| fwdNegotiateSSL: Error negotiating SSL connection
>> on FD 48: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
>> 2008/09/03 17:50:05| SSL unknown certificate error 20 in (cert)
>> 2008/09/03 17:50:05| fwdNegotiateSSL: Error negotiating SSL connection
>> on FD 48: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
>>
>>
Received on Thu Sep 04 2008 - 06:39:43 MDT
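
An added example, not part of the original posts and not code from Squid or squidGuard: a small Python check for the two things the thread turns on, the certificate verify error number in cache.log and the two configuration lines discussed. The reason strings are OpenSSL's; the function names, the sample configuration text and the https redirect target are constructed for illustration.

```python
import re
from collections import Counter

# Subset of OpenSSL X509 verify result codes (x509_vfy.h).
X509_VERIFY = {
    18: "self signed certificate",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}
CERT_ERR = re.compile(r"\| SSL unknown certificate error (\d+) in ")
NO_VERIFY = re.compile(r"^\s*sslproxy_flags\b.*\bDONT_VERIFY_PEER\b")
REDIRECT = re.compile(r"^\s*redirect\s+(?:(30[12]):)?(https?)://", re.I)

# Log lines are taken from the post; the config text is constructed.
SAMPLE_LOG = """\
2008/09/03 17:50:05| SSL unknown certificate error 20 in (cert)
2008/09/03 17:50:05| SSL unknown certificate error 20 in (cert)
"""
SAMPLE_SQUID_CONF = """\
# sslproxy_flags DONT_VERIFY_PEER   (commented out: not flagged)
sslproxy_flags DONT_VERIFY_PEER
"""
SAMPLE_SG_CONF = """\
redirect https://www.internal-server.com/blocked.html
redirect 302:http://www.internal-server.com/blocked.html
"""

def triage_cache_log(text):
    """Count upstream certificate verify failures by (code, reason)."""
    hits = Counter()
    for line in text.splitlines():
        m = CERT_ERR.search(line)
        if m:
            code = int(m.group(1))
            hits[(code, X509_VERIFY.get(code, "unlisted code"))] += 1
    return hits

def audit_config(squid_conf, squidguard_conf):
    """Return (file, line number, finding) for the two settings in the thread."""
    findings = []
    for n, line in enumerate(squid_conf.splitlines(), 1):
        if NO_VERIFY.match(line):
            findings.append(("squid.conf", n, "peer verification disabled"))
    for n, line in enumerate(squidguard_conf.splitlines(), 1):
        m = REDIRECT.match(line)
        if m and m.group(1) is None and m.group(2).lower() == "https":
            findings.append(("squidGuard.conf", n, "https target without 302:"))
    return findings
```

Error 20 in the posted log is OpenSSL's "unable to get local issuer certificate", meaning the proxy could not find the issuing CA for the certificate it was shown.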
