Error_directory to https not work


Error_directory to https not work

Rodrigo Cunha
Dears,
My squid_http works fine and denies requests to https too. But when I request https (secure port 443) links that are denied in the file (black_list), my squid does not report the error_directory files; when I send a request to an http (insecure port 80) domain, squid reports with error_directory.

What is happening with my squid? My squid.conf follows.

###
### Local Settings ###
cache_mgr [hidden email]
visible_hostname lamplus.oduvaldocozzi.intranet
error_directory /usr/share/squid3/errors/pt-br/
###
### Generic Squid Cache ###
cache_mem 512
maximum_object_size_in_memory 4 MB
cache_dir  ufs /var/cache/squid3 3000 16 256
access_log /var/log/squid3/access.log squid

cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 10000 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 4000 KB


acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

###
### ACL ###
acl local1 src 10.0.0.0/24
acl local2 src 10.0.1.0/24
acl blacklist dstdomain "/etc/squid3/negados.list.acl"
#acl fb dstdomain .facebook.com
###
### Access Control ###
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny blacklist
#http_access deny fb
http_access allow local1
http_access allow local2
http_access deny all
http_port 3128


--
Regards,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Error_directory to https not work

Amos Jeffries
Administrator
On 23/08/18 11:13 AM, Rodrigo Cunha wrote:
> Dears,
> My squid_http works fine and denies requests to https too. But when I
> request https (secure port 443) links that are denied in the file
> (black_list), my squid does not report the error_directory files; when I
> send a request to an http (insecure port 80) domain, squid reports with
> error_directory.
>
> What is happening with my squid? My squid.conf follows.
>

Nothing particular happened.

HTTPS is sent differently through proxies, using CONNECT requests with
encrypted content. More details on that can be found at
<https://wiki.squid-cache.org/Features/HTTPS>.

Browsers in particular refuse to display error messages sent in response
to CONNECT requests. I think you will find that Squid does send the error
page but the Browser is refusing to display it.


The only thing you can do about this sad situation is to use the SSL-Bump
feature on the encrypted traffic so Squid can send the error message
within an encrypted response - which the Browser does display *if* it
trusts the proxy TLS certificate used by SSL-Bump.

Please be aware:
  The SSL-Bump feature is sometimes forbidden or restricted-use by law, so
please get proper legal advice before using it. Anyone helping you set up
the feature will be assuming that you have done that due diligence check.


HTH
Amos
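
A way to check the point in the reply above from the proxy side, as an added example that is not part of the original thread: it reads lines in Squid's native `squid` access.log format (the format named on the `access_log` line of the posted config) and lists denied requests, marking the CONNECT ones, where Squid's error page is sent but the browser does not render it. The log lines, host names and addresses are constructed sample data.

```python
# Added example: constructed sample lines in Squid's native ("squid") access.log
# format: time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1534986000.123      0 10.0.0.15 TCP_DENIED/403 3987 GET http://blocked.example/ - HIER_NONE/- text/html
1534986001.456      0 10.0.0.15 TCP_DENIED/403 4012 CONNECT blocked.example:443 - HIER_NONE/- text/html
1534986002.789    210 10.0.1.20 TCP_TUNNEL/200 5120 CONNECT allowed.example:443 - HIER_DIRECT/192.0.2.10 -
1534986003.000     35 10.0.0.15 TCP_MISS/200 1024 GET http://allowed.example/ - HIER_DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Return the fields used below, or None for a malformed line."""
    f = line.split()
    if len(f) < 7 or "/" not in f[3] or not f[4].isdigit():
        return None
    code, status = f[3].split("/", 1)
    return {"client": f[2], "code": code, "status": status,
            "bytes": int(f[4]), "method": f[5], "target": f[6]}


def denied_requests(log_text):
    """List denied requests and whether the browser renders Squid's error page."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or "DENIED" not in entry["code"]:
            continue
        # A denied CONNECT still gets the error page (bytes includes reply
        # headers and body), but browsers do not render replies to CONNECT.
        entry["page_rendered"] = entry["method"] != "CONNECT"
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in denied_requests(SAMPLE_LOG):
        shown = "rendered" if e["page_rendered"] else "not rendered by browser"
        print(f'{e["client"]} {e["method"]} {e["target"]} '
              f'{e["status"]} {e["bytes"]} bytes sent, error page {shown}')
```

A denied CONNECT line with a reply size in the thousands of bytes shows the blacklist ACL is being enforced for HTTPS and the error page is leaving the proxy, even though the user only sees the browser's own connection error.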

Re: Error_directory to https not work

Rodrigo Cunha
Thanks Amos, I will not use this feature. If that problem is a common error, I don't care.
Thanks.



--
Regards,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil

