Re: [squid-users] SSL sites bypass authentication

From: Milen Pankov <mail_at_milen.pankov.eu>
Date: Mon, 19 Mar 2012 11:53:38 +0200

On 19.03.2012 07:35, Amos Jeffries wrote:
> Tried the current 3.1.19 release?
>
> Is the second HTTPS request even going through the proxy?
>
> What is the rest of the config look like?
> The partial piece of config you posted has no holes which this could be
> using.
>
> Amos
Hi,

Thank you for your response.
You are right that the https requests are not going through the proxy. I
can confirm with tcpdump that the traffic to the https sites is going
directly. In the access logs there are many TCP_DENIED messages at the
same time to some http addresses, which seem to be links in the https
site. It seems if client refuses authentication and he tries to open
https site he can open it directly, but if there are any http links in
the sites they go through the proxy and are denied. Also this seems not
to be a browser problem as I can confirm the same behavior with firefox
and opera on linux. According to me the right behavior should be to deny
the user access to the https site and to present him an error page.

--
Milen
Received on Mon Mar 19 2012 - 09:58:33 MDT

This archive was generated by hypermail 2.2.0 : Mon Mar 19 2012 - 12:00:03 MDT