Squid custom error page

chcs
Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused Connection" page, instead of the Squid custom error page, when connecting to an HTTPS site which is blocked by the proxy server.
For example we try to connect to https://www.something.com via the Squid proxy server, which denies this connection with a 403 error and sends a custom error page with a description of the problem; in older versions it worked.
I'm using pfSense 2.4 (current version squid 3.5.24) with a Let's Encrypt CA certificate.

Reproducible: Always

Steps to Reproduce:
1. Configure Firefox to use the proxy server (SSL Proxy).
2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's Encrypt authority
3. Try to connect to an HTTPS site which will be blocked by the proxy server

Actual Results:
Firefox will display "Page Load Error" with description "Proxy Server Refused Connection. Firefox is configured to use a proxy server that is refusing connections."
If we connect to an HTTPS site which is not blocked by the proxy server OR use a self-signed issuer CA, all works fine.

Expected Results:
Display the proxy server error page with deny info.
Re: Squid custom error page

Amos Jeffries
On 17/05/17 23:32, chcs wrote:

> Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
> Connection" page, instead of the Squid custom error page, when connecting to an
> HTTPS site which is blocked by the proxy server.
> For example we try to connect to https://www.something.com via the Squid proxy
> server, which denies this connection with a 403 error and sends a custom error
> page with a description of the problem; in older versions it worked.
> I'm using pfSense 2.4 (current version squid 3.5.24).
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. Configure Firefox to use the proxy server (SSL Proxy).
> 2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
> Encrypt authority
> 3. Try to connect to an HTTPS site which will be blocked by the proxy server
>
> Actual Results:
> Firefox will display "Page Load Error" with description "Proxy Server
> Refused Connection. Firefox is configured to use a proxy server that is
> refusing connections."
> If we connect to an HTTPS site which is not blocked by the proxy server OR use
> a self-signed issuer CA, all works fine.
>
> Expected Results:
> Display the proxy server error page with deny info.

This is a well-known problem with Browsers, they all refuse to display
any response to a CONNECT tunnel message.
<http://wiki.squid-cache.org/Features/CustomErrors#Custom_error_pages_not_displayed_for_HTTPS>

Use of TLS to secure the connection to the proxy does not affect this
browser behaviour on HTTPS traffic. The best you can hope for is to make
Squid use a 511 status code with deny_info and hope that it chooses to
display something halfway useful.

Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Squid custom error page

dijxie
On 17.05.2017 at 13:32, chcs wrote:
> Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
> Connection" page, instead of the Squid custom error page, when connecting to an
> HTTPS site which is blocked by the proxy server.
> For example we try to connect to https://www.something.com via the Squid proxy
> server, which denies this connection with a 403 error and sends a custom error
> page with a description of the problem; in older versions it worked.
> I'm using pfSense 2.4 (current version squid 3.5.24).
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. Configure Firefox to use the proxy server (SSL Proxy).
> 2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
> Encrypt authority
> 3. Try to connect to an HTTPS site which will be blocked by the proxy server
>
> Actual Results:
> Firefox will display "Page Load Error" with description "Proxy Server
> Refused Connection. Firefox is configured to use a proxy server that is
> refusing connections."
> If we connect to an HTTPS site which is not blocked by the proxy server OR use
> a self-signed issuer CA, all works fine.
>
> Expected Results:
> Display the proxy server error page with deny info.

This has been intentional Firefox behavior for a long time:
https://bugzilla.mozilla.org/show_bug.cgi?id=493699

Even if this bug is outdated, it is a browser matter how error pages are rendered, not squid's fault.
You may try to redirect (instead of blocking) your blocked page to your custom page that looks exactly like squid's internal error page, but then you will see the browser's SSL security warning, since the page you requested was SSL and your error page is not; the same goes for internal error pages.
Proxy error pages are nowadays usually replaced by browsers for security reasons in the case of SSL pages.

If your custom page pretending to be squid's internal page were served over SSL with a valid cert, my guess is your problem is solved.

-- 
Greets, Dijx

Re: Squid custom error page

Walter H.
On 17.05.2017 16:04, Amos Jeffries wrote:

> On 17/05/17 23:32, chcs wrote:
>> Expected Results:
>> Display proxy server error page with deny info.
>
> This is a well-known problem with Browsers, they all refuse to display
> any response to a CONNECT tunnel message.
> <http://wiki.squid-cache.org/Features/CustomErrors#Custom_error_pages_not_displayed_for_HTTPS>
>
>
> Use of TLS to secure the connection to the proxy does not affect this
> browser behaviour on HTTPS traffic. The best you can hope for is to
> make Squid use a 511 status code with deny_info and hope that it
> chooses to display something halfway useful.
there seems to be another problem ...

in my setup every browser shows the proxy messages;

with deny_info the special page,
e.g. ERR_DOMAIN_BLOCKED,
without it just the default ERR_ACCESS_DENIED ...

my squid 3.5.25 (CentOS 6.9) - thanks to
Eliezer Croitoru for doing this good job;

the custom error pages are only shown when the proxy does
SSL interception and the browser has the squid CA certificate installed ...

why is this:

without SSL interception, the browser sends a CONNECT
and expects an SSL/TLS handshake; instead it gets an
HTTP reply with the custom error page, which the browser
doesn't know how to handle at this moment ...
only the information in the HTTP header is processed;

in case someone has configured https_port this is just the same,
because the SSL/TLS connection to the webserver is tunneled inside
the SSL/TLS connection between client and browser ...
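The exchange Walter describes, as an added example that is not part of this thread or of Squid itself: a mock forward proxy in Python that answers a CONNECT for a blocked host with a 403 and an HTML body (standing in for Squid's http_access deny and its error template), and a client that sends the CONNECT and reports what it can learn from the reply. The blocked and allowed hostnames, the ephemeral-port listener and the HTML body are constructed for the demo.

```python
# Added example (not from the squid-users thread, not Squid code): a minimal
# HTTP CONNECT exchange between a client and a mock proxy that denies a blocked
# host with a 403 plus an HTML error body, the way Squid does when http_access
# denies the CONNECT itself. Hostnames, listener and HTML are constructed.
import socket
import threading

BLOCKED_HOSTS = {"www.something.com"}  # constructed deny list for the demo

# Constructed stand-in for the body of Squid's ERR_ACCESS_DENIED template.
ERROR_BODY = (b"<html><body><h1>ERR_ACCESS_DENIED</h1>"
              b"Access denied by proxy.</body></html>")


def serve_one_connect(listener):
    """Accept one client, answer its CONNECT like a forward proxy, then close."""
    conn, _ = listener.accept()
    with conn:
        request = b""
        while b"\r\n\r\n" not in request:          # read the full header block
            chunk = conn.recv(4096)
            if not chunk:
                return
            request += chunk
        method, target, _version = request.split(b"\r\n", 1)[0].split(b" ", 2)
        host = target.split(b":")[0].decode()
        if method == b"CONNECT" and host in BLOCKED_HOSTS:
            # Deny before any tunnel exists: this reply is plain HTTP, not TLS.
            conn.sendall(
                b"HTTP/1.1 403 Forbidden\r\n"
                b"Content-Type: text/html\r\n"
                b"Content-Length: " + str(len(ERROR_BODY)).encode() + b"\r\n"
                b"Connection: close\r\n\r\n" + ERROR_BODY
            )
        else:
            # 2xx to CONNECT: the socket is now a tunnel and TLS may start on it.
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")


def connect_through_proxy(proxy_addr, host, port=443):
    """Send CONNECT and report what the client learns from the proxy's reply."""
    with socket.create_connection(proxy_addr, timeout=5) as s:
        s.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\n"
                  f"Host: {host}:{port}\r\n\r\n".encode())
        raw = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
            # A 200 reply carries no body; stop once its header block is complete.
            if b"\r\n\r\n" in raw and raw.startswith(b"HTTP/1.1 200"):
                break
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ")[1])
    return {
        "status": status,
        # Only a 2xx means the tunnel is up and a TLS handshake may begin.
        "tunnel_established": 200 <= status < 300,
        # Squid's HTML does arrive, but browsers do not render a body attached
        # to a failed CONNECT; they show their own "proxy refused" page instead.
        "error_body_received": body,
    }


def demo(host):
    """Run the mock proxy on an ephemeral port and issue one CONNECT through it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=serve_one_connect, args=(listener,), daemon=True)
    t.start()
    try:
        return connect_through_proxy(listener.getsockname(), host)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for h in ("www.something.com", "allowed.example"):
        r = demo(h)
        print(h, r["status"], "tunnel" if r["tunnel_established"] else "no tunnel")
```

For the blocked host the client gets status 403 and no tunnel, yet the HTML body arrives intact; that is the whole point of the thread: the proxy did send the page, but a browser treats any non-2xx reply to CONNECT as a failed proxy connection and never renders the body. The allowed host gets a 200 and the client would start its TLS handshake on that same socket.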


Re: Squid custom error page

Rafael Akchurin
Please note that if you first let the CONNECT tunnel succeed (forcing bump) and then block the next request coming through that tunnel, you will get the blocked message displayed.

We do it in ICAP (https://docs.diladele.com/faq/squid/cannot_connect_to_site_using_https.html) - other community members may know better whether it is possible to do that in Squid directly.

Beware of those using your tunnels to pump non-HTTP traffic, though. Blocking the CONNECT as it is done now in Squid keeps you on the safe side.

Best regards,
Rafael Akchurin

On 17 May 2017 at 4:04 PM, Amos Jeffries <[hidden email]> wrote:

> On 17/05/17 23:32, chcs wrote:
>> Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
>> Connection" page, instead of the Squid custom error page, when connecting to an
>> HTTPS site which is blocked by the proxy server.
>> For example we try to connect to https://www.something.com via the Squid proxy
>> server, which denies this connection with a 403 error and sends a custom error
>> page with a description of the problem; in older versions it worked.
>> I'm using pfSense 2.4 (current version squid 3.5.24).
>>
>> Reproducible: Always
>>
>> Steps to Reproduce:
>> 1. Configure Firefox to use the proxy server (SSL Proxy).
>> 2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
>> Encrypt authority
>> 3. Try to connect to an HTTPS site which will be blocked by the proxy server
>>
>> Actual Results:
>> Firefox will display "Page Load Error" with description "Proxy Server
>> Refused Connection. Firefox is configured to use a proxy server that is
>> refusing connections."
>> If we connect to an HTTPS site which is not blocked by the proxy server OR use
>> a self-signed issuer CA, all works fine.
>>
>> Expected Results:
>> Display the proxy server error page with deny info.
>
> This is a well-known problem with Browsers, they all refuse to display any response to a CONNECT tunnel message.
> <http://wiki.squid-cache.org/Features/CustomErrors#Custom_error_pages_not_displayed_for_HTTPS>
>
> Use of TLS to secure the connection to the proxy does not affect this browser behaviour on HTTPS traffic. The best you can hope for is to make Squid use a 511 status code with deny_info and hope that it chooses to display something halfway useful.
>
> Amos

Re: Squid custom error page

chcs
One more question:
With 2 different CA certificates to block twitter.com >> different results

Issuer: self-signed    0 10.0.0.100 TAG_NONE/403 4709 GET https://www.twitter.com/ - HIER_NONE/- text/html
Result: no problem, it shows me the squid custom error page

Issuer: Let's Encrypt  0 10.0.0.100 TCP_DENIED/403 4714 CONNECT www.twitter.com:443 - HIER_NONE/- text/html
Result: it doesn't show me the squid custom error page

Why?
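A small Python helper, added here and not part of the thread or of Squid, that reads the two access.log lines above in Squid's native log format (plus one constructed line for an allowed tunnel) and tells from the method field where the deny happened: a 403 on CONNECT means the tunnel was refused before any TLS handshake, so the browser shows its own error page, while a 403 on a GET to an https:// URL means the request had already been bumped and Squid's error page was delivered inside the TLS session. The posted lines were trimmed of their leading timestamp, so the parser accepts lines with or without it.

```python
# Added example (not from the squid-users thread, not Squid code): classify
# Squid native-format access.log denials by the stage of the HTTPS flow at
# which the deny happened. The first two sample lines are the ones posted in
# the thread; the third (TCP_TUNNEL/200, client 192.0.2.10) is constructed.
import re
from dataclasses import dataclass

# Native log: [time] elapsed client result/status bytes method url ident hier/peer type
_RESULT = re.compile(r"^[A-Z_]+/\d{3}$")

SAMPLE_LOG = """\
0 10.0.0.100 TAG_NONE/403 4709 GET https://www.twitter.com/ - HIER_NONE/- text/html
0 10.0.0.100 TCP_DENIED/403 4714 CONNECT www.twitter.com:443 - HIER_NONE/- text/html
0 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT allowed.example:443 - HIER_DIRECT/192.0.2.20 -
"""


@dataclass
class Denial:
    client: str
    result_code: str
    status: int
    method: str
    url: str
    stage: str
    note: str


def parse_native_line(line):
    """Split one native-format line into the fields the classifier needs."""
    fields = line.split()
    # Locate the result/status field so a leading timestamp may be present or not.
    idx = next((i for i, f in enumerate(fields) if _RESULT.match(f)), None)
    if idx is None or idx < 1 or len(fields) < idx + 4:
        return None
    result_code, status = fields[idx].split("/")
    return {
        "client": fields[idx - 1],
        "result_code": result_code,
        "status": int(status),
        "method": fields[idx + 2],
        "url": fields[idx + 3],
    }


def classify_denial(rec):
    """Return (stage, note) for a 403 deny, or None for anything else."""
    if rec["status"] != 403:
        return None
    if rec["method"] == "CONNECT":
        return ("connect",
                "CONNECT refused before any tunnel or TLS handshake; the browser "
                "discards the HTML body and shows its own 'proxy refused' page")
    if rec["url"].startswith("https://"):
        return ("bumped_request",
                "request denied inside an already-bumped tunnel; the error page "
                "travels over TLS and is rendered if the client trusts the bumping CA")
    return ("plain_http",
            "plain HTTP request denied; the error page is rendered normally")


def denials_from_log(text):
    """Parse every line of a native-format log and keep the classified denials."""
    out = []
    for line in text.splitlines():
        rec = parse_native_line(line)
        if rec is None:
            continue
        classified = classify_denial(rec)
        if classified is None:
            continue  # successful tunnel, hit, etc.: not a deny
        stage, note = classified
        out.append(Denial(rec["client"], rec["result_code"], rec["status"],
                          rec["method"], rec["url"], stage, note))
    return out


if __name__ == "__main__":
    for d in denials_from_log(SAMPLE_LOG):
        print(f"{d.method:8} {d.url:32} {d.result_code}/{d.status} -> {d.stage}: {d.note}")
```

Run against the two posted lines, the GET to https://www.twitter.com/ classifies as a deny inside a bumped tunnel (the self-signed CA case, where the Squid page was shown) and the CONNECT to www.twitter.com:443 as a deny of the tunnel itself (the case where the browser showed "Proxy Server Refused Connection"); the constructed TCP_TUNNEL/200 line is skipped as not a deny.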
Re: Squid custom error page

Walter H.
On 18.05.2017 19:40, chcs wrote:

> One more question:
> With 2 different CA certificates to block twitter.com >> different results
>
> Issuer: self-signed    0 10.0.0.100 TAG_NONE/403 4709 GET
> https://www.twitter.com/ - HIER_NONE/- text/html
> Result: no problem, it shows me the squid custom error page
>
> Issuer: Let's Encrypt  0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
> www.twitter.com:443 - HIER_NONE/- text/html
> Result: it doesn't show me the squid custom error page
>
> Why?
and what is the end entity certificate where the issuer is Let's Encrypt?
(this might be the reason)


Re: Squid custom error page

Alex Rousskov
On 05/18/2017 11:40 AM, chcs wrote:

> HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's Encrypt authority

> One more question:
> With 2 different CA certificates to block twitter.com >> different results
>
> Issuer: self-signed    0 10.0.0.100 TAG_NONE/403 4709 GET
> https://www.twitter.com/ - HIER_NONE/- text/html
> Result: no problem, it shows me the squid custom error page
>
> Issuer: Let's Encrypt  0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
> www.twitter.com:443 - HIER_NONE/- text/html
> Result: it doesn't show me the squid custom error page

Let's Encrypt does not issue CA certificates. You need a CA certificate
for an SslBump setup to work for more than one site. Let's Encrypt also
does not issue leaf certificates for www.twitter.com unless you control
www.twitter.com.

When you generated a self-signed certificate, you probably generated a
CA certificate. If you did not, then you will encounter problems if you
try to import that certificate in browsers/clients that require CA
certificates. See the OpenSSL command below for one way to check what
you have generated.

CA certificates have an x509 "Basic Constraints" extension with a
CA:TRUE constraint. For example:

> $ openssl x509 -in CA-priv+pub.pem -text -noout | fgrep -A 1 'Basic'
>             X509v3 Basic Constraints:
>                 CA:TRUE

HTH,

Alex.
