Re: [squid-users] No 'access denied' message with 'https'

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 15 Feb 2012 01:52:43 +1300

On 15/02/2012 1:24 a.m., Danilo Godec wrote:
> Hi,
>
> I needed to block certain web sites with Squid 3.1.12 and I managed
> doing so with:
>
> acl MYBLOCK dstdomain blockeddomain.com
> http_access deny MYBLOCK
>
> Since my clients are all configured to use proxy and not allowed
> direct access to the internet, this works for both 'http' and 'https'.
>
> However - if clients use 'http' to access the prohibited site, they
> get a 'nice' informative message that they are being denied the access
>
> But if they use 'https' instead, the browser shows an error (for
> example, Chrome shows 'Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED):
> Unknown error.', while Firefox shows 'Firefox is configured to use a
> proxy server that is refusing connections'). That's not very 'user
> friendly' and might lead to false error reports...
>
> Is there a way to have Squid display the 'Access Denied' page for
> 'https' destinations as well?

You will have to talk to the browser people about that message
inaccuracy. Squid *is* sending back the exact same content and status
codes for both HTTP and HTTPS requests.

The problem is that the browser is not sending https://... to Squid the
way it does for http://..., different protocols after all. It is
sending a CONNECT tunnel request to set up a blind data tunnel to the
domain's server, over which it wants at some point to send encrypted
"stuff". That tunnel request is what Squid is rejecting. The browser has
a problem with showing your error page underneath the user's requested
URI in the address bar, at the same time, something about phishing ...

For the browsers which handle it properly the 303 status code can be
used to redirect the CONNECT request to a http:// URI which is also
blocked. If the browser does what it is supposed to and fetches that URI
using GET, the error page will show up when *that* is blocked. Last time
I checked only Firefox was doing that, but it's a while ago now and
things have been progressing fast.

Like so:
   acl MYBLOCK dstdomain .example.com
   deny_info 303:http://bar.example.com CONNECT
   http_access deny MYBLOCK !CONNECT
   http_access deny MYBLOCK CONNECT

Amos
Received on Tue Feb 14 2012 - 12:53:03 MST
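A small probe, added here as an example and not code from the thread or from the Squid project, that lets you see for yourself what the browser hides: it sends the two request forms a browser uses for the same blocked site (a proxy-form GET for http://, a CONNECT for https://) to the proxy and reports the status line each gets back. The proxy address 127.0.0.1:3128 and the request targets are assumed values; the two sample responses are constructed for offline testing of the parser and are not captured Squid output.

```python
"""Probe a proxy with the GET and CONNECT forms of a request to a blocked
domain and show that both are answered with an HTTP error status.

Added example; PROXY and BLOCKED are assumed values, not taken from the
thread's configuration.
"""

import socket

PROXY = ("127.0.0.1", 3128)      # assumed: local Squid http_port
BLOCKED = "blockeddomain.com"    # domain from the original post


def build_request(method, target, host):
    """Build the raw request a proxy sees for one of the two forms.

    GET uses an absolute URI (proxy form, e.g. http://host/); CONNECT uses
    host:port, which is the tunnel request the reply above talks about.
    """
    return (
        f"{method} {target} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(raw):
    """Return (status_code, reason, headers) from a raw HTTP response.

    Header names are lower-cased so callers can look up e.g. 'location'
    regardless of how the proxy capitalised it.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)          # "HTTP/1.1 403 Forbidden"
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, reason, headers


def probe(method, target, host, proxy=PROXY, timeout=5.0):
    """Send one request through the proxy and parse whatever it answers."""
    with socket.create_connection(proxy, timeout=timeout) as sock:
        sock.sendall(build_request(method, target, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_status(b"".join(chunks))


# Constructed sample responses (not real Squid output) used for offline checks.
SAMPLE_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: squid/3.1.12\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>ERR_ACCESS_DENIED</body></html>"
)
SAMPLE_303 = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Server: squid/3.1.12\r\n"
    b"Location: http://bar.example.com\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    # Plain HTTP: the form for which the browser renders the error page.
    print("GET    ->", probe("GET", f"http://{BLOCKED}/", BLOCKED)[:2])
    # HTTPS: the browser first asks for a tunnel; this is what gets denied.
    print("CONNECT->", probe("CONNECT", f"{BLOCKED}:443", BLOCKED)[:2])
```

Run it against a proxy carrying the rules from the original post and both lines print the same 403; with the deny_info variant from the reply, the CONNECT line prints a 303 and the returned headers carry the Location that a cooperating browser would follow with a GET.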

This archive was generated by hypermail 2.2.0 : Tue Feb 14 2012 - 12:00:02 MST