deny_info page not shown

11 messages

deny_info page not shown

Janos Dohanics
Hello,

In my config file I have:

deny_info http://google.com custom

However, Firefox shows the error page "Unable to connect".

Here is the full config file:

acl SSL_ports port 443 4433 8443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost

acl custom dstdom_regex "/usr/local/share/examples/squidGuard/blacklists/custom/banlist.txt"
http_access deny custom
deny_info http://google.com custom
http_reply_access deny custom

acl ads dstdom_regex "/usr/local/etc/squid/yoyo_ad_block.txt"
http_access deny ads
deny_info TCP_RESET ads

http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128

cache_dir ufs /var/squid/cache 100 16 256

coredump_dir /var/squid/cache

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

logfile_rotate 0

banlist.txt:
.hulu.com
.netflix.com

Would you please point out the problem?
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: deny_info page not shown

Amos Jeffries
Administrator
On 28/08/20 4:08 pm, Janos Dohanics wrote:
> Hello,
>
> In my config file I have:
>
> deny_info http://google.com custom
>
> However, Firefox shows the error page "Unable to connect".
>

When? To what type of URL?


>
> acl custom dstdom_regex "/usr/local/share/examples/squidGuard/blacklists/custom/banlist.txt"
> http_access deny custom

Denies a client access to some traffic ...

> deny_info http://google.com custom

Asks Squid to perform a URL-redirect to http://google.com instead of
delivering error pages when ACL "deny custom" happens.


> http_reply_access deny custom

... denies Squid permission to deliver your custom URL-redirect to the
client.

>
> Would you please point out the problem?


Two problems. The one mentioned above.

Plus the fact that Browsers refuse to display or do anything for non-200
status responses to CONNECT tunnels. Whenever Browsers access https://
URLs through the proxy they use CONNECT tunnels.

Amos
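The two problems Amos names (the `http_reply_access deny custom` line blocking Squid's own redirect, and a URL redirect being sent in reply to CONNECT) can both be caught by a small lint over squid.conf. The following is an added example, not Squid's own parser and not code from this thread. It reads only `acl`, `http_access`, `http_reply_access` and `deny_info` lines; the `POSTED` fragment is taken from the configuration at the top of this thread, while `FIXED` is a corrected fragment written for this example (the ACL names `banned` and `banned_tunnel` are invented here). It assumes, per the deny_info documentation, that Squid selects the deny_info entry by the last ACL on the `http_access` line that denied the request.

```python
"""Lint a squid.conf fragment for the two deny_info pitfalls raised in this thread.

Added example; this is not Squid's own configuration parser. It reads only
`acl`, `http_access`, `http_reply_access` and `deny_info` lines, enough to flag:

  1. a deny_info URL redirect whose ACL also appears in an
     `http_reply_access deny` line, so Squid refuses to deliver its own
     302/307 to the client;
  2. a deny_info URL redirect selected by an `http_access deny` line that
     can match CONNECT requests, for which browsers ignore any non-2xx
     answer and display "Unable to connect".

Assumption (from the deny_info documentation): Squid picks the deny_info
entry by the last ACL on the http_access line that denied the request.
"""
from dataclasses import dataclass, field


@dataclass
class SquidConf:
    acls: dict = field(default_factory=dict)         # name -> (type, args)
    http_access: list = field(default_factory=list)  # (action, [acl tokens])
    reply_deny: set = field(default_factory=set)     # ACLs named in http_reply_access deny
    deny_info: dict = field(default_factory=dict)    # acl name -> error page / URL / TCP_RESET


def parse(text):
    conf = SquidConf()
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            conf.acls.setdefault(tok[1], (tok[2], tok[3:]))
        elif tok[0] == "http_access" and len(tok) >= 3:
            conf.http_access.append((tok[1], tok[2:]))
        elif tok[0] == "http_reply_access" and len(tok) >= 3 and tok[1] == "deny":
            conf.reply_deny.update(t.lstrip("!") for t in tok[2:])
        elif tok[0] == "deny_info" and len(tok) == 3:
            conf.deny_info[tok[2]] = tok[1]
    return conf


def lint(text):
    conf = parse(text)
    connect_acls = {n for n, (t, args) in conf.acls.items() if t == "method" and "CONNECT" in args}
    findings = []
    for acl, target in conf.deny_info.items():
        if not target.startswith(("http://", "https://")):
            continue                       # ERR_* page or TCP_RESET: not a redirect, nothing to flag
        if acl in conf.reply_deny:
            findings.append(f"{acl}: the redirect to {target} is itself blocked by http_reply_access deny")
        for action, tokens in conf.http_access:
            if action != "deny" or tokens[-1].lstrip("!") != acl:
                continue                   # deny_info is keyed on the last ACL of the denying line
            if not any(t.startswith("!") and t[1:] in connect_acls for t in tokens):
                findings.append(f"{acl}: redirect can be sent in reply to CONNECT; browsers show 'Unable to connect'")
    return findings


# The relevant lines of the configuration posted at the top of this thread.
POSTED = """
acl SSL_ports port 443 4433 8443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
acl custom dstdom_regex "/usr/local/share/examples/squidGuard/blacklists/custom/banlist.txt"
http_access deny custom
deny_info http://google.com custom
http_reply_access deny custom
acl ads dstdom_regex "/usr/local/etc/squid/yoyo_ad_block.txt"
http_access deny ads
deny_info TCP_RESET ads
http_access allow localnet
http_access deny all
"""

# A corrected fragment (written for this example, not from the thread): the list is loaded
# under two ACL names so that each gets its own deny_info. CONNECT to a banned host is reset,
# since no page or redirect can be shown for it; plain-HTTP requests still get the redirect.
FIXED = """
acl SSL_ports port 443 4433 8443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
acl banned dstdom_regex "/usr/local/share/examples/squidGuard/blacklists/custom/banlist.txt"
acl banned_tunnel dstdom_regex "/usr/local/share/examples/squidGuard/blacklists/custom/banlist.txt"
http_access deny CONNECT banned_tunnel
deny_info TCP_RESET banned_tunnel
http_access deny !CONNECT banned
deny_info http://google.com banned
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(name, lint(conf) or "no findings")
```

Run stand-alone it reports two findings for the posted fragment and none for the corrected one. The `TCP_RESET` choice for the tunnel case is the same mechanism the original configuration already uses for the `ads` ACL; it makes the browser fail fast instead of waiting on a response it will never render.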

Re: deny_info page not shown

Janos Dohanics
On Fri, 28 Aug 2020 17:08:01 +1200
Amos Jeffries <[hidden email]> wrote:

> [...]

Amos,

thank you for the quick reply.

> > deny_info http://google.com custom
>
> Asks Squid to perform a URL-redirect to http://google.com instead of
> delivering error pages when ACL "deny custom" happens.
>
>
> > http_reply_access deny custom
>
> ... denies Squid permission to deliver your custom URL-redirect to the
> client.

I have removed the http_reply_access... line.

> >
> > Would you please point out the problem?
>
>
> Two problems. The one mentioned above.
>
> Plus the fact that Browsers refuse to display or do anything for
> non-200 status responses to CONNECT tunnels. Whenever Browsers access
> https:// URLs through the proxy they use CONNECT tunnels.

I tried different browsers:

- Firefox 79 / FreeBSD 12: no redirect
- Firefox 80 / Windows 7: no redirect
- Explorer 11 / Windows 7: sometimes does redirect, sometimes doesn't
- Chrome 84 / Windows 7: sometimes does redirect, sometimes doesn't

From the log (10.61.70.68=Win7, 10.61.70.200=FreeBSD):

1598593892.883    342 10.61.70.68 TCP_DENIED/307 403 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598593917.883      0 10.61.70.68 TCP_DENIED/307 403 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598593953.145  61038 10.61.70.68 TCP_TUNNEL/200 4768 CONNECT netflix.com:443 - HIER_DIRECT/34.198.43.9 -
1598593965.273    167 10.61.70.68 TCP_MISS/301 992 GET http://netflix.com/ - HIER_DIRECT/34.198.43.9 -
1598593966.352      0 10.61.70.68 TCP_DENIED/302 390 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598593978.145  60456 10.61.70.68 TCP_TUNNEL/200 4768 CONNECT netflix.com:443 - HIER_DIRECT/34.198.43.9 -
1598593998.290  32918 10.61.70.68 TCP_TUNNEL/200 4610 CONNECT netflix.com:443 - HIER_DIRECT/34.198.43.9 -
1598594045.752      0 10.61.70.68 TCP_DENIED/302 390 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598594086.507  41199 10.61.70.68 TCP_TUNNEL/200 4610 CONNECT netflix.com:443 - HIER_DIRECT/34.198.43.9 -
1598594166.954      0 10.61.70.68 TCP_DENIED/307 403 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598594449.238      0 10.61.70.68 TCP_DENIED/302 390 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598594475.705      0 10.61.70.68 TCP_DENIED/302 390 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598594523.052  47644 10.61.70.68 TCP_TUNNEL/200 4610 CONNECT netflix.com:443 - HIER_DIRECT/34.198.43.9 -

1598595287.510      0 10.61.70.200 TCP_DENIED/307 403 CONNECT www.netflix.com:443 - HIER_NONE/- text/html

I think the TCP_DENIED/307 entries are from Firefox.

Is there a way to have deny_info instruct browsers to reliably display
the desired URL/page?

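The log above already shows the answer Amos gave earlier in the thread: every `TCP_DENIED/302` and `TCP_DENIED/307` entry is a reply to a CONNECT, which the browser turns into "Unable to connect". It also shows something else: tunnels and a GET to the bare `netflix.com` were allowed (`TCP_TUNNEL/200`, `TCP_MISS/301`) while `www.netflix.com` was denied. The cause is visible in the posted files: banlist.txt holds dstdomain-style entries (`.netflix.com`) but is loaded with `dstdom_regex`, and as a regular expression `.netflix.com` requires one character before `netflix`, so the apex host never matches. The script below is an added example (not part of the thread, not Squid code) that classifies native-format access.log lines by whether the deny_info redirect could have been honoured, and checks the ban list under both ACL semantics. The sample lines are copied from the log posted above, except the final GET line, which is constructed for the example.

```python
"""Triage Squid access.log lines for deny_info outcomes, and check the ban list.

Added example; not part of the thread and not Squid code. It reads Squid's
native log format (time elapsed client code/status bytes method URL ident
hierarchy/peer type). The verdicts encode the answer given in this thread:
browsers accept only a 2xx reply to CONNECT, so a 302/307 from the proxy is
shown as "Unable to connect", while the same redirect to a plain GET is
followed.

The second check explains the TCP_TUNNEL/200 lines to netflix.com:443 in the
posted log: banlist.txt holds dstdomain-style entries (".netflix.com") but
is loaded with dstdom_regex, and as a regex ".netflix.com" needs one
character before "netflix", so the apex host "netflix.com" never matches.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Lines copied from the log posted above, plus one constructed line (the last one,
# not in the thread) showing the same ACL denying a plain-HTTP GET.
SAMPLE_LOG = """\
1598593892.883    342 10.61.70.68 TCP_DENIED/307 403 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598593953.145  61038 10.61.70.68 TCP_TUNNEL/200 4768 CONNECT netflix.com:443 - HIER_DIRECT/34.198.43.9 -
1598593965.273    167 10.61.70.68 TCP_MISS/301 992 GET http://netflix.com/ - HIER_DIRECT/34.198.43.9 -
1598593966.352      0 10.61.70.68 TCP_DENIED/302 390 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598595287.510      0 10.61.70.200 TCP_DENIED/307 403 CONNECT www.netflix.com:443 - HIER_NONE/- text/html
1598595300.000      0 10.61.70.200 TCP_DENIED/302 390 GET http://www.hulu.com/ - HIER_NONE/- text/html
"""

BANLIST = [".hulu.com", ".netflix.com"]   # banlist.txt as posted
REDIRECTS = {301, 302, 303, 307, 308}


def parse_line(line):
    f = line.split()
    code, status = f[3].split("/")
    return {"client": f[2], "code": code, "status": int(status), "method": f[5], "url": f[6]}


def host_of(entry):
    # CONNECT logs host:port; other methods log a full URL
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname


def verdict(entry):
    if entry["code"] != "TCP_DENIED":
        return "allowed"
    if entry["method"] == "CONNECT":
        return "unable-to-connect"   # non-2xx to CONNECT: browser shows its own error page
    if entry["status"] in REDIRECTS:
        return "redirected"          # deny_info URL is honoured for a plain-HTTP request
    return "error-page"


def triage(log_text):
    return Counter(verdict(parse_line(l)) for l in log_text.splitlines() if l.strip())


def dstdom_regex_match(host, patterns):
    # dstdom_regex: each entry is an unanchored regular expression
    return any(re.search(p, host) for p in patterns)


def dstdomain_match(host, patterns):
    # dstdomain: ".example.com" means example.com and every subdomain of it
    for p in patterns:
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def slipped_through(log_text, patterns=BANLIST):
    """Hosts the proxy let through that a dstdomain reading of the list would have blocked."""
    hosts = set()
    for l in log_text.splitlines():
        if not l.strip():
            continue
        e = parse_line(l)
        h = host_of(e)
        if e["code"] != "TCP_DENIED" and dstdomain_match(h, patterns) and not dstdom_regex_match(h, patterns):
            hosts.add(h)
    return sorted(hosts)


if __name__ == "__main__":
    print(dict(triage(SAMPLE_LOG)))
    print("not blocked by the regex list:", slipped_through(SAMPLE_LOG))
```

On the sample it reports three denials the browser cannot display, one redirect that would be followed, and `netflix.com` as the host the regex list fails to cover. Loading the same file with `dstdomain` instead of `dstdom_regex` would close that gap; the regex form also has the usual problem that the unescaped dots match any character.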

Re: deny_info page not shown

Amos Jeffries
Administrator
On 28/08/20 6:22 pm, Janos Dohanics wrote:
>
> Is there a way to have deny_info instruct browsers to reliably display
> the desired URL/page?

No there is not. This is a security feature of Browsers not something
Squid can workaround.

CONNECT is a request to open a TCP connection. Delivering an HTTP page,
or even a URL redirect in response to a TCP connection request is
completely the wrong type of result.

Like asking someone to open a door because you have a load of things
needing to go through it - and they instead throw a basket of apples at
you. Not what you expected, and more harm than good.


Amos

Re: deny_info page not shown

Janos Dohanics
On Fri, 28 Aug 2020 18:59:56 +1200
Amos Jeffries <[hidden email]> wrote:

> On 28/08/20 6:22 pm, Janos Dohanics wrote:
> >
> > Is there a way to have deny_info instruct browsers to reliably
> > display the desired URL/page?
>
> No there is not. This is a security feature of Browsers not something
> Squid can workaround.
>
> CONNECT is a request to open a TCP connection. Delivering an HTTP
> page, or even a URL redirect in response to a TCP connection request
> is completely the wrong type of result.
>
> Like asking someone to open a door because you have a load of things
> needing to go through it - and they instead throw a basket of apples
> at you. Not what you expected, and more harm than good.

Thanks for the explanation - so, the rationale for the http://... acl
value in the deny_info directive is conditioned on "if the browser is
willing"?

Re: deny_info page not shown

Matus UHLAR - fantomas
>> On 28/08/20 6:22 pm, Janos Dohanics wrote:
>> > Is there a way to have deny_info instruct browsers to reliably
>> > display the desired URL/page?

>On Fri, 28 Aug 2020 18:59:56 +1200
>Amos Jeffries <[hidden email]> wrote:
>> No there is not. This is a security feature of Browsers not something
>> Squid can workaround.
>>
>> CONNECT is a request to open a TCP connection. Delivering an HTTP
>> page, or even a URL redirect in response to a TCP connection request
>> is completely the wrong type of result.
>>
>> Like asking someone to open a door because you have a load of things
>> needing to go through it - and they instead throw a basket of apples
>> at you. Not what you expected, and more harm than good.

On 28.08.20 04:23, Janos Dohanics wrote:
>Thanks for the explanation - so, the rationale for the http://... acl
>value in the deny_info directive is conditioned on "if the browser is
>willing"?

When you ask via HTTP for an HTTP page and get an HTTP answer, it is different
than asking via HTTP for CONNECT and getting CONNECT denied via HTTP.

In the latter case it is clear that the request was denied by the proxy and,
since secure content was requested, the insecure response must not be shown.

That's the security provided.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.

Re: deny_info page not shown

Janos Dohanics
On Fri, 28 Aug 2020 10:31:41 +0200
Matus UHLAR - fantomas <[hidden email]> wrote:

> >> On 28/08/20 6:22 pm, Janos Dohanics wrote:
> >> > Is there a way to have deny_info instruct browsers to reliably
> >> > display the desired URL/page?
>
> >On Fri, 28 Aug 2020 18:59:56 +1200
> >Amos Jeffries <[hidden email]> wrote:
> >> No there is not. This is a security feature of Browsers not
> >> something Squid can workaround.
> >>
> >> CONNECT is a request to open a TCP connection. Delivering an HTTP
> >> page, or even a URL redirect in response to a TCP connection
> >> request is completely the wrong type of result.
> >>
> >> Like asking someone to open a door because you have a load of
> >> things needing to go through it - and they instead throw a basket
> >> of apples at you. Not what you expected, and more harm than good.
>
> On 28.08.20 04:23, Janos Dohanics wrote:
> >Thanks for the explanation - so, the rationale for the http://... acl
> >value in the deny_info directive is conditioned on "if the browser is
> >willing"?
>
> when you ask via HTTP for HTTP page and get HTTP answer, it is
> different than asking via HTTP for CONNECT and getting CONNECT denied
> via HTTP.
>
> in the latter case it is clear that the request was denied by proxy
> and since secure content was requested, the insecure response must
> not be shown.

Thanks - would you have an example of using deny_info http://... acl
which actually works?


Re: deny_info page not shown

Amos Jeffries
Administrator
On 28/08/20 8:49 pm, Janos Dohanics wrote:
>
> Thanks - would you have an example of using deny_info http://... acl
> which actually works?
>

Any HTTP request message where 302 is a valid response status code will
work. Your configuration does that.

The problem is that Browsers only accept 20x status for CONNECT
requests. Everything else is "Cannot Connect".


Amos

Re: deny_info page not shown

Janos Dohanics
On Fri, 28 Aug 2020 22:58:00 +1200
Amos Jeffries <[hidden email]> wrote:

> On 28/08/20 8:49 pm, Janos Dohanics wrote:
> >
> > Thanks - would you have an example of using deny_info http://... acl
> > which actually works?
> >
>
> Any HTTP request message where 302 is a valid response status code
> will work. Your configuration does that.
>
> The problem is that Browsers only accept 20x status for CONNECT
> requests. Everything else is "Cannot Connect".

Thank you for all your help and patience...

Re: deny_info page not shown

Alex Rousskov
In reply to this post by Matus UHLAR - fantomas
>> Amos Jeffries <[hidden email]> wrote:
>>> CONNECT is a request to open a TCP connection. Delivering an HTTP
>>> page, or even a URL redirect in response to a TCP connection request
>>> is completely the wrong type of result.

>>> Like asking someone to open a door because you have a load of things
>>> needing to go through it - and they instead throw a basket of apples
>>> at you. Not what you expected, and more harm than good.


On 8/28/20 4:31 AM, Matus UHLAR - fantomas wrote:
> when you ask via HTTP for HTTP page and get HTTP answer, it is different
> than asking via HTTP for CONNECT and getting CONNECT denied via HTTP.
>
> in the latter case it is clear that the request was denied by proxy and
> since secure content was requested, the insecure response must not be
> shown.
>
> That's the security provided.


I believe the above explanations and analogies are rather misleading!
There are no conceptual or protocol problems with HTTP error responses
to HTTP CONNECT requests. The browser knows where the response is coming
from. The browser knows that the response is an error. The browser
already anticipates and processes some error CONNECT responses specially
(think proxy authentication). There is no confusion, harm,
inappropriateness, or some new insecurity here!

What is actually happening (AFAICT) is that browser folks do not want to
spend their resources on properly informing the user of the error. There
are ways to do it, but they all require non-trivial work in a
controversial area, and browser folks simply do not consider this
specific use case important enough to support. At the end of the day,
you are not their customer. They do not want you as their customer. You
lost.


While opinions on the underlying causes may differ, the end result is
still the same -- a forward proxy cannot display an error page to a user
behind a popular browser in a modern environment (without bumping the
browser connection first).


Cheers,

Alex.

Re: deny_info page not shown

Matus UHLAR - fantomas
>>> Amos Jeffries <[hidden email]> wrote:
>>>> CONNECT is a request to open a TCP connection. Delivering an HTTP
>>>> page, or even a URL redirect in response to a TCP connection request
>>>> is completely the wrong type of result.
>
>>>> Like asking someone to open a door because you have a load of things
>>>> needing to go through it - and they instead throw a basket of apples
>>>> at you. Not what you expected, and more harm than good.
>
>
>On 8/28/20 4:31 AM, Matus UHLAR - fantomas wrote:
>> when you ask via HTTP for HTTP page and get HTTP answer, it is different
>> than asking via HTTP for CONNECT and getting CONNECT denied via HTTP.
>>
>> in the latter case it is clear that the request was denied by proxy and
>> since secure content was requested, the insecure response must not be
>> shown.
>>
>> That's the security provided.

On 28.08.20 16:10, Alex Rousskov wrote:

>I believe the above explanations and analogies are rather misleading!
>There are no conceptual or protocol problems with HTTP error responses
>to HTTP CONNECT requests. The browser knows where the response is coming
>from. The browser knows that the response is an error. The browser
>already anticipates and processes some error CONNECT responses specially
>(think proxy authentication). There is no confusion, harm,
>inappropriateness, or some new insecurity here!
>
>What is actually happening (AFAICT) is that browser folks do not want to
>spend their resources on properly informing the user of the error. There
>are ways to do it, but they all require non-trivial work in a
>controversial area, and browser folks simply do not consider this
>specific use case important enough to support. At the end of the day,
>you are not their customer. They do not want you as their customer. You
>lost.

This is what I wanted to say. Browsers don't want to show "unsecure" page
gotten via HTTP from proxy, when they expect "secure" content from
webserver.

They show error instead. I don't want to guess what could happen, if user
entering HTTPS page got HTML from proxy rendered, behaving as if it was the
page from the server.

>While opinions on the underlying causes may differ, the end result is
>still the same -- a forward proxy cannot display an error page to a user
>behind a popular browser in a modern environment (without bumping the
>browser connection first).


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller