ssl-bump does not redirect to block page


ssl-bump does not redirect to block page

leo messi
Hi
My squid config is something like this:
acl blk ssl::server_name .google.com
http_access deny blk
http_access allow all


http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 tproxy
https_port 3130 tproxy ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all


My problem is that when I block some pages like google.com, my Firefox browser shows "secure connection failed", but I want it to show a block page or warning page. How can I do this?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: ssl-bump does not redirect to block page

Amos Jeffries
Administrator
On 7/02/19 3:52 am, leo messi wrote:
> Hi
> My squid config is something like this:
> acl blk ssl::server_name .google.com
> http_access deny blk
> http_access allow all
>
...
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice all
>
>
> My problem is when i block some pages like google.com,my firefox browser
> show "secure connection failed",but i want it to show block page or
> warning page, how can i do this?


You have chosen to splice the traffic. So far only the TCP SYN packet and
the TLS ClientHello have happened. There is no HTTP request to 'redirect'.

To cause anything at all to display in the browser you need to fully
decrypt the traffic, aka the 'bump' action.
Please see <https://wiki.squid-cache.org/Features/SslPeekAndSplice>


Amos

Re: ssl-bump does not redirect to block page

Alex Rousskov
On 2/6/19 12:57 PM, Amos Jeffries wrote:
> On 7/02/19 3:52 am, leo messi wrote:
>> My squid config is something like this:
>> acl blk ssl::server_name .google.com
>> http_access deny blk
>> http_access allow all

>> ssl_bump peek step1
>> ssl_bump splice all

>> My problem is when i block some pages like google.com,my firefox browser
>> show "secure connection failed",but i want it to show block page or
>> warning page, how can i do this?


> To cause anything at all to display in the browser you require fully
> decrypting the traffic.

Correct.


> aka the 'bump' action.

This part is misleading: Modern Squids _automatically_ bump connections
to report [access denied] errors -- no explicit bump action is required
(or even desirable). I do not know whether

* that bumping does not happen for leo (e.g., due to Squid bugs), or

* it does happen, but the browser refuses to show the error page anyway
(because of certificate pinning and/or because Squid did not have enough
information to properly bump the client connection using just step1
knowledge).

A packet capture or an ALL,2 cache.log may distinguish those two cases.

Alex.
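To make concrete how little Squid knows at SslBump1 in the configuration above, here is an added example (not code from the thread or from the Squid project) that parses the SNI out of a constructed TLS ClientHello, which is all that the ssl::server_name ACL can see before any bump, and applies the ".google.com" pattern to it. The dstdomain-style matching in server_name_acl_matches (a leading dot matches the domain itself and all subdomains) is an assumption about Squid's semantics, not taken from the thread.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI
    extension. Constructed test input, not a real capture."""
    host = sni.encode()
    name = struct.pack("!BH", 0, len(host)) + host            # host_name entry
    sni_ext = struct.pack("!HHH", 0, len(name) + 2, len(name)) + name
    body = (b"\x03\x03" + b"\x00" * 32                       # version + random
            + b"\x00"                                         # empty session id
            + b"\x00\x02\xc0\x2f"                             # one cipher suite
            + b"\x01\x00"                                     # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)      # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None if absent.
    This is the only hostname information available at SslBump1."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                  # record hdr, hs hdr, version, random
    p += 1 + record[p]                              # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                              # compression methods
    if p >= len(record):
        return None                                 # no extensions at all
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                              # server_name extension
            # list length (2), name type (1), name length (2), name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

def server_name_acl_matches(host: str, pattern: str) -> bool:
    """Assumed dstdomain-style match: '.google.com' matches google.com
    and every subdomain; a pattern without a leading dot matches exactly."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

if __name__ == "__main__":
    hello = build_client_hello("www.google.com")
    sni = extract_sni(hello)
    print(sni, server_name_acl_matches(sni, ".google.com"))
```

With splice, the decision above is the last thing Squid does before handing the TLS stream through untouched, which is why a deny at this point can only surface in the browser as a failed handshake rather than a page.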