Re: [squid-users] Squidguard, redirect and https

From: Marcus Kool <marcus.kool_at_urlfilterdb.com>
Date: Thu, 17 Oct 2013 08:09:06 -0300

The problem is not Squid nor HTTPS.

The problem is that the HTTP protocol has a standard that allows
redirection and the HTTPS protocol does not.
The HTTPS protocol was designed to be secure and does not allow
any type of interference.

So, all filtering technologies have the same issue:
how to block HTTPS sensibly?
Blocking is easy: one redirects or closes a socket and
the user/browser cannot get the content of the HTTPS-based URL.
But how to do it sensibly?
One can choose to redirect an HTTPS URL to another HTTPS URL.
This works a little: the redirect itself works but the browser will
issue a warning saying "I do not trust this site: the certificate is wrong".
This is a little better than browser messages like "cannot connect".
ufdbGuard, an alternative for squidGuard, by default redirects to
https://blockedhttps.urlfilterdb.com so the name of the site may
give a hint to the user that the content is being blocked.

Marcus

On 10/17/2013 06:17 AM, Alessandro Dentella wrote:
> Hi,
>
> I'm struggling with squidguard and https redirect. I set up squid to handle
> https and http connection, squidguard correctly blocks what is to be blocked
> but I cannot understand how to manage redirect.
>
> I'm using squid rel 2.7 and authentication is done via ntlm.
>
> I get a correct redirect for http but when using https I get an
> error. I read all what I found and the more significant messages I found
> are on squid list:
>
> http://www.mail-archive.com/squid-users@squid-cache.org/msg58433.html
>
> suggests to use 302: in front of the redirect url, but in my case it doesn't
> work (Errore 111 (net::ERR_TUNNEL_CONNECTION_FAILED): unknown Error.)
>
>
> http://www.mail-archive.com/squid-users@squid-cache.org/msg70871.html
>
> suggests that https and squidGuard do not work well together. Is that true?
>
>
> Any hint is really appreciated
>
> sandro
> *:-)
>
>
>
>
Received on Thu Oct 17 2013 - 11:09:11 MDT
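
The HTTP/HTTPS difference discussed in this thread, as an added sketch that is not part of the original messages and is not squidGuard or ufdbGuard code: a minimal Squid URL-rewrite helper that answers a blocked HTTP request with a 302 but answers a blocked CONNECT with a replacement host:port only. It assumes the classic helper line format `URL client/fqdn ident method`; the blocklist and the HTTP block page URL are constructed placeholders.

```python
import sys
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"blocked.example"}                        # constructed sample blocklist
HTTP_BLOCK_PAGE = "http://blockpage.example/blocked.html"  # hypothetical block page
HTTPS_BLOCK_TARGET = "blockedhttps.urlfilterdb.com:443"    # host named in the reply above


def host_of(url: str, method: str) -> str:
    """Return the lower-cased host of a request URL or CONNECT target."""
    if method == "CONNECT":
        # A CONNECT request carries only "host:port": no scheme, no path.
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def is_blocked(host: str) -> bool:
    """Match the host itself or any parent domain against the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_HOSTS for i in range(len(labels)))


def rewrite(line: str) -> str:
    """Map one helper input line to the reply line (empty = leave unchanged)."""
    fields = line.split()
    if len(fields) < 4:
        return ""                      # malformed input: do not interfere
    url, _client, _ident, method = fields[:4]
    if not is_blocked(host_of(url, method)):
        return ""
    if method == "CONNECT":
        # No HTTP redirect is possible inside the tunnel; the helper can only
        # point the tunnel at another host:port. The browser then sees a
        # certificate for a different name and warns, as the reply describes.
        return HTTPS_BLOCK_TARGET
    return "302:" + HTTP_BLOCK_PAGE    # plain HTTP: an ordinary redirect works


if __name__ == "__main__":
    for request in sys.stdin:
        print(rewrite(request), flush=True)   # Squid expects one reply per line
```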
