Squidguard, redirect and https


Squidguard, redirect and https

Alessandro Dentella
Hi,

I'm struggling with squidguard and https redirect. I set up squid to handle
https and http connections, squidguard correctly blocks what is to be blocked
but I cannot understand how to manage redirect.

I'm using squid rel 2.7 and authentication is done via ntlm.

I get a correct redirect for http but when using https I get an
error. I read everything I found, and the most significant messages I found
are on the squid list:

 http://www.mail-archive.com/squid-users@.../msg58433.html

suggests to use 302: in front of the redirect url, but in my case it doesn't
work (Errore 111 (net::ERR_TUNNEL_CONNECTION_FAILED): unknown Error.)


  http://www.mail-archive.com/squid-users@.../msg70871.html

suggests that https and squidGuard do not work well together. Is that true?


Any hint is really appreciated

sandro
*:-)




--
Sandro Dentella  *:-)
http://www.reteisi.org             Soluzioni libere per le scuole
http://sqlkit.argolinux.org        SQLkit home page - PyGTK/python/sqlalchemy




Re: Squidguard, redirect and https

Marcus Kool
The problem is not Squid nor HTTPS.

The problem is that the HTTP protocol has a standard that allows
redirection and the HTTPS protocol does not.
The HTTPS protocol was designed to be secure and does not allow
any type of interference.

So, all filtering technologies have the same issue:
how to block HTTPS sensibly?
Blocking is easy: one redirects or closes a socket and
the user/browser cannot get the content of the HTTPS-based URL.
But how to do it sensibly?
One can choose to redirect an HTTPS URL to another HTTPS URL.
This works a little: the redirect itself works but the browser will
issue a warning saying "I do not trust this site: the certificate is wrong".
This is a little better than browser messages like "cannot connect".
ufdbGuard, an alternative for squidGuard, by default redirects to
https://blockedhttps.urlfilterdb.com so the name of the site may
give a hint to the user that the content is being blocked.

Marcus


On 10/17/2013 06:17 AM, Alessandro Dentella wrote:

> Hi,
>
> I'm struggling with squidguard and https redirect. I set up squid to handle
> https and http connections, squidguard correctly blocks what is to be blocked
> but I cannot understand how to manage redirect.
>
> I'm using squid rel 2.7 and authentication is done via ntlm.
>
> I get a correct redirect for http but when using https I get an
> error. I read everything I found, and the most significant messages I found
> are on the squid list:
>
>   http://www.mail-archive.com/squid-users@.../msg58433.html
>
> suggests to use 302: in front of the redirect url, but in my case it doesn't
> work (Errore 111 (net::ERR_TUNNEL_CONNECTION_FAILED): unknown Error.)
>
>
>    http://www.mail-archive.com/squid-users@.../msg70871.html
>
> suggests that https and squidGuard do not work well together. Is that true?
>
>
> Any hint is really appreciated
>
> sandro
> *:-)
>
>
>
>
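
An added example, not from either poster and not squidGuard or ufdbGuard code: a minimal Squid URL-rewrite helper that treats plain HTTP requests and HTTPS `CONNECT` requests differently, as the reply describes. It assumes the classic redirector input line (`URL client/fqdn ident method`); the blocklist and the block-page host names are hypothetical.

```python
import sys
from urllib.parse import urlsplit, quote

# Hypothetical values for illustration; none of them come from the thread.
BLOCKED_HOSTS = {"blocked.example"}             # constructed sample blocklist
HTTP_BLOCK_PAGE = "http://blockpage.example/blocked"
HTTPS_BLOCK_HOST = "blockpage.example:443"      # HTTPS server that serves a block notice


def is_blocked(host):
    """True if host or any parent domain is on the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_HOSTS for i in range(len(labels)))


def rewrite(line):
    """Return the helper's answer for one request line ('' = leave unchanged)."""
    fields = line.split()
    if len(fields) < 4:
        return ""                       # malformed line: do not interfere
    url, method = fields[0], fields[3]
    if method == "CONNECT":
        # For CONNECT the "URL" is only host:port. The thread reports that a
        # "302:" answer fails here, so answer with another host:port instead.
        # The tunnel then reaches the block server and the browser shows a
        # certificate warning, as described in the reply.
        host = url.rsplit(":", 1)[0]
        return HTTPS_BLOCK_HOST if is_blocked(host) else ""
    host = urlsplit(url).hostname or ""
    if is_blocked(host):
        # Plain HTTP: a normal redirect to the block page works.
        return "302:" + HTTP_BLOCK_PAGE + "?url=" + quote(url, safe="")
    return ""


def main():
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()              # Squid waits for each answer line


if __name__ == "__main__":
    main()
```
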