Https inspection gives 503 error


Https inspection gives 503 error

mandev
Hi,

I am using pfSense with squid and squidGuard for web filtering without
client-side certificate installation. I did manage to block pages and get mostly
error-free internet traffic. But the last thing I cannot get working: I want
to redirect users to a block page, and I did this with http but cannot do
it with https. When a blocked page is visited it gives an
"SSL_ERROR_RX_RECORD_TOO_LONG" error. I debugged this issue a lot and my
findings are below; config files are attached (it's pfSense, so the files are
mostly generated automatically).

When I access an http page, this is how squid redirects:

2019/12/08 06:32:02.736 kid1| 23,3| url.cc(371) urlParse: urlParse: Split URL 'http://192.168.10.1:80/sgerror.php?url=403%20&a=192.168.10.10&n=192.168.10.10&i=&s=default&t=blacklist&u=http://hurriyet.com.tr/' into proto='http', host='192.168.10.1', port='80', path='/sgerror.php?url=403%20&a=192.168.10.10&n=192.168.10.10&i=&s=default&t=blacklist&u=http://hurriyet.com.tr/'
2019/12/08 06:32:02.736 kid1| 23,3| ../src/HttpRequest.h(82) SetHost: HttpRequest::SetHost() given IP: 192.168.10.1
2019/12/08 06:32:02.736 kid1| 61,2| client_side_request.cc(1286) clientRedirectDone: URL-rewriter diverts URL from http://hurriyet.com.tr/ to http://192.168.10.1/sgerror.php?url=403%20&a=192.168.10.10&n=192.168.10.10&i=&s=default&t=blacklist&u=http://hurriyet.com.tr/
2019/12/08 06:32:02.736 kid1| 83,3| client_side_request.cc(1743) doCallouts: Doing calloutContext->clientAccessCheck2()

When I access an https page, this happens:

2019/12/08 06:28:14.431 kid1| 23,3| url.cc(371) urlParse: urlParse: Split URL 'http://192.168.10.1:80/sgerror.php?url=403%20&a=192.168.10.10&n=192.168.10.10&i=&s=default&t=blacklist&u=selimakpinar.com:443' into proto='', host='http', port='443', path=''
2019/12/08 06:28:14.431 kid1| 14,3| Address.cc(389) lookupHostIP: Given Non-IP 'http': hostname nor servname provided, or not known
2019/12/08 06:28:14.431 kid1| 61,2| client_side_request.cc(1286) clientRedirectDone: URL-rewriter diverts URL from selimakpinar.com:443 to http:443

access.log:

1575790083.949      7 192.168.10.10 TAG_NONE/200 0 CONNECT 104.18.58.42:443 - HIER_NONE/- -
1575790084.047     99 192.168.10.10 TAG_NONE/503 0 CONNECT selimakpinar.com:443 - HIER_NONE/- -


Attachments:
squid.conf <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377846/squid.conf>
squidGuard.conf <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377846/squidGuard.conf>
Full logs: http-redirect.txt, https-redirect.txt

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: Https inspection gives 503 error

reinerotto
You can _not_ present a block page for an https block.
There have already been quite a few discussions about it here on the forum. Please use the search
function.


Re: Https inspection gives 503 error

mandev
Thank you for the reply. Is it not possible with squid technically? Because
Fortigate can do this. If you look at the logs I wrote in the first message, it
looks like there is an error in the redirects. It tries to redirect to the 'http'
address, and there is no address like 'http'.


Re: Https inspection gives 503 error

Amos Jeffries
Administrator
In reply to this post by mandev
On 8/12/19 8:35 pm, mandev wrote:
> Hi,
>
> I am using pfSense with squid and squidGuard for web filtering without
> client-side certificate installation. I did manage to block pages and get mostly
> error-free internet traffic. But the last thing I cannot get working: I want
> to redirect users to a block page, and I did this with http but cannot do
> it with https.

You cannot redirect a CONNECT transaction. It is a request to open a tunnel.

If you wish to continue using the very obsolete and unmaintained
squidguard tool you will need to add this to your squid.conf:

 url_rewrite_access deny CONNECT


To do anything like send error pages to users with intercepted HTTPS
traffic requires SSL-Bump to decrypt the tunnel contents first.

Amos
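Amos's point above, worked into an added example that is not code from the thread, squidGuard or Squid: a minimal url_rewrite_program helper in Python that speaks Squid's (3.4+) helper line protocol, answers a bare OK for every CONNECT so the tunnel is left untouched, and issues a 302 to the block page only for plain-http URLs on a blocklist. The block-page URL and the two hostnames are assumptions modelled on the thread's logs.

```python
#!/usr/bin/env python3
"""Minimal Squid url_rewrite_program helper (assumed design, not squidGuard).

Helper line protocol (Squid 3.4+, default url_rewrite_extras):
  in : [channel-id] URL client_ip/fqdn ident method [kv-pairs...]
  out: [channel-id] OK [status=302 url="..."]    (bare OK = leave URL alone)
The thread's debug log shows what happens when a helper hands Squid a
block-page URL for a CONNECT: Squid parses the reply as host:port and ends
up diverting to 'http:443'. So CONNECT is never rewritten here, which is
the same guarantee `url_rewrite_access deny CONNECT` gives on Squid's side.
"""
import sys
from urllib.parse import quote, urlencode, urlsplit

BLOCK_PAGE = "http://192.168.10.1/sgerror.php"            # assumed, from the logs
BLOCKLIST = {"hurriyet.com.tr", "selimakpinar.com"}        # constructed sample list


def parse_request(line):
    """Split one helper input line into (channel_id, url, method)."""
    fields = line.split()
    channel = None
    if fields and fields[0].isdigit():        # present when concurrency > 0
        channel = fields.pop(0)
    if not fields:
        return channel, "", ""
    url = fields[0]
    method = fields[3].upper() if len(fields) > 3 else ""
    return channel, url, method


def decide(url, method):
    """Return the reply (without channel id) for one request."""
    # CONNECT carries a bare host:port, not a URL; a tunnel cannot be
    # redirected, so answer OK with no kv-pairs (URL unchanged).
    if method == "CONNECT" or "://" not in url:
        return "OK"
    host = urlsplit(url).hostname or ""
    if host in BLOCKLIST or any(host.endswith("." + b) for b in BLOCKLIST):
        query = urlencode({"t": "blacklist", "u": url}, safe="/", quote_via=quote)
        return 'OK status=302 url="%s?%s"' % (BLOCK_PAGE, query)
    return "OK"


def handle_line(line):
    channel, url, method = parse_request(line)
    reply = decide(url, method)
    return reply if channel is None else "%s %s" % (channel, reply)


if __name__ == "__main__":
    for raw in sys.stdin:
        sys.stdout.write(handle_line(raw) + "\n")
        sys.stdout.flush()                    # helpers must not buffer replies
```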

Re: Https inspection gives 503 error

mandev
Thank you for the reply. I have been using squidGuard for a long time. Maybe it is time
to change, or to start writing a new one with the community. Thanks for the help.


Re: Https inspection gives 503 error

Amos Jeffries
Administrator
On 9/12/19 12:38 am, mandev wrote:
> Thank you for the reply. I have been using squidGuard for a long time. Maybe it is time
> to change, or to start writing a new one with the community. Thanks for the help.
>

There is ufdbguard.

But the fundamental thing is that you cannot respond to a TCP SYN packet
or TLS clientHello handshake with an HTML web page. That is essentially
what your redirector is telling Squid to do.

Amos