Re: [squid-users] url_rewrite_program and https (secure) sites

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 15 Mar 2009 22:00:02 +1300

Jim wrote:
> Just to clarify...
>
> If i do a ..
> http_access deny CONNECT
>
> Then this happens before any ssl stuff and therefore I can return a
> http page to a ssl request?

Yes.

>
> You also say that deny_info does the same as redirects but just sends an
> error code rather than 302: redirects. If you use deny_info and
> specify a http://www.mydomain.com as the page to go to if denied, does
> this cause squid to issue a 302 type redirect? Reason I ask is
> that I can redirect to a customised squid error page for https
> requests by using something like
>
> http_access deny CONNECT
> deny_info ERR_ACCESS_DENIED connect
>
> but if I use
> http_access deny CONNECT
> deny_info http://www.mydomain.com/error_page.php connect
>
> fails, which makes me think that specifying a URL in deny_info
> triggers a 302-style redirect (which does not work with https)
>

case-sensitive names + order-sensitive rules IIRC.

> If only php was supported by the error pages my problems would all be solved!!!
>
> Any chance :)
>
> Jim
>
>
>
> 2009/3/13 Amos Jeffries <squid3_at_treenet.co.nz>:
>> Jim wrote:
>>> Oops just realised this did not go to the user group but to you directly.
>>>
>>> I am reposting to user group now.
>>>
>>> My apologies for the direct email
>> No worries.
>>
>> The deny_info is performing the exact same actions as a redirector would.
>> Just without the helper overheads and sending an error code as the status
>> instead of 302/200.
>>
>> IE8 not displaying any non-local error messages for CONNECT is a major bug
>> in IE. Sounds like that feature was a hack to get around the bug in earlier
>> IE.
>>
>> The ONLY way to get HTTPS blocked with any kind of reasonable response is to
>> deny CONNECT to HTTPS ports _before_ the SSL stuff starts to happen.
>>
>> Once the SSL starts, using a redirect is simply forcing the HTTPS channel to
>> your non-HTTPS server causes barfs. Working around this by HTTPS-enabling
>> your error message server will only change the problem from a plain barf to
>> a security attack warning for all clients (since you are performing
>> man-in-middle attack now).
>>
>> Amos
>>> Jim
>>>
>>> 2009/3/12 Jim <jimothy76_at_gmail.com>:
>>>> Thanks Amos,
>>>>
>>>> I can already do this correctly using an external acl and deny_info
>>>> as you suggest. However IE8 (which is in final stage before release)
>>>> has a problem with squid error pages.
>>>>
>>>> To try to explain. If my external ACL blocks a page it returns a squid
>>>> error page. This works fine with http as squid returns a http error
>>>> page. However over https if you block the page then squid returns http
>>>> content to a https request. Now in IE6 and 7 there is a "feature"
>>>> which allows the browser to display the first x bytes of data even if
>>>> it is http data to a https request. The value of x is low but
>>>> providing your pages are small it works.
>>>>
>>>> Now IE 8 does NOT do this. If you return a squid http error page to a
>>>> https request you get an error and nothing displayed. This is why I am
>>>> looking for alternatives and have started looking at converting my
>>>> external acls perl scripts to a perl url_rewrite_program but have
>>>> again struggled with https (ssl) requests.
>>>>
>>>> I hope this makes sense
>>>>
>>>> Basically I need a way of blocking https requests based on a set of
>>>> rules. I can do the blocking with no problem. The issue is returning
>>>> an error page to the user because squid error pages are http and it
>>>> appears that redirectors can not redirect https requests to a http
>>>> error page
>>>>
>>>> Thanks
>>>>
>>>> 2009/3/12 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>>> Jim wrote:
>>>>>> Hi,
>>>>>> I have a url_rewrite_program that will redirect users to an
>>>>>> acceptable use policy page if they have not agreed to it before. This
>>>>>> works fine for any URL except for HTTPS requests.
>>>>>>
>>>>>> My log file tells me it is being re-written to my new URL but the
>>>>>> browser just shows error page.
>>>>>>
>>>>>> I have tried making the redirector divert to a https version of the
>>>>>> error page if it is a https request and a http version if a http
>>>>>> request but with no difference.
>>>>>>
>>>>>> One thing I have noticed and not sure if related or not. If the
>>>>>> request is HTTPS then the only thing passed to the rewrite program for
>>>>>> the url is the host and port. No path, scheme (protocol) etc is
>>>>>> passed. I believe this is because squid only has access to the host
>>>>>> for HTTPS requests (because they are encrypted).
>>>>> Squid does not receive such data for HTTPS. What it passes the redirector
>>>>> is all it sees.
>>>>> The CONNECT method is how HTTPS appears in logs and ACLs etc.
>>>>>
>>>>>> Could this be relating to my problem.
>>>>>>
>>>>>> The redirector will divert to
>>>>>> 302:http(s)www.mydomain.com/filtering/aup_handler.php if the user has
>>>>>> not agreed to the acceptable use policy. As I say fine for http but
>>>>>> can't get it to work with https.
>>>>>>
>>>>>> Can any body help?
>>>>> HTTPS is not HTTP for Squid.
>>>>>
>>>>> Your better approach is to use an external ACL + http_access + deny_info
>>>>> page to do the redirection. That works for any protocol that can display
>>>>> error pages.
>>>>>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
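Added example, not from this thread or from the Squid project: a squid.conf fragment putting Amos's points together, namely denying CONNECT before any SSL is negotiated, naming the ACL in deny_info with exactly the case used on the http_access line, and keeping the HTTPS error page local while plain HTTP gets the AUP URL. The helper path /usr/local/bin/aup_check.pl and the ACL names aup_agreed and aup_site are assumptions.

```conf
# Added example (not from the thread). Squid 2.7/3.0-era configuration.
# Assumed: helper /usr/local/bin/aup_check.pl answers OK for client IPs
# that have already accepted the acceptable use policy.

acl SSL_ports port 443
acl CONNECT method CONNECT
acl aup_site dstdomain www.mydomain.com

external_acl_type aup_check %SRC /usr/local/bin/aup_check.pl
acl aup_agreed external aup_check

# Order matters: http_access lines are evaluated top to bottom, so the
# AUP page itself must be reachable before the deny rules below, or the
# browser loops.
http_access allow aup_site

# HTTPS: deny the CONNECT itself, before any SSL starts. deny_info is
# keyed to the LAST ACL on the matching deny line and the name is
# case-sensitive, so it must be "CONNECT" here, not "connect".
# A URL in deny_info cannot help at this point; only a local error page.
http_access deny !aup_agreed CONNECT
deny_info ERR_ACCESS_DENIED CONNECT

# Plain HTTP: the browser is talking HTTP to Squid, so sending it to the
# AUP handler page works here.
http_access deny !aup_agreed
deny_info http://www.mydomain.com/filtering/aup_handler.php aup_agreed

# Broken variant of the HTTPS block for comparison: the lowercase name
# never matches the ACL that caused the deny, so Squid ignores this
# deny_info and serves its default page instead.
#http_access deny !aup_agreed CONNECT
#deny_info ERR_ACCESS_DENIED connect
```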
Received on Sun Mar 15 2009 - 08:59:24 MDT