Re: [squid-users] Issue with external check and https

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 02 May 2012 11:36:50 +1200

On 02.05.2012 06:45, Stephen McGuinness wrote:
> I have a configuration where I am using Squid to proxy all internet
> bound requests.
>
> I have a custom external ACL that does some checks, and if the check
> fails, it pulls up a custom error page, which is a simple redirect
> to another page. This all works well for http connections. If the
> connection request is for https though, the redirect fails. I see the
> 403 response with the expected HTTP headers, the X-Squid-Error
> ERR_CUSTOM is set, but the redirect does not happen. If I do not
> define a custom error page, the response page is displayed.
>
> Is there any way to get this working, and have the redirect work?

You have confused a couple of concepts here.

First concept:
  An HTTP *redirect* is a status code starting with digit '3'. Status
code '403' does not start with digit '3' and none of the redirect
semantics are done by it.

  403 is an HTTP client error status code, which all start with digit
'4'. Errors have a body object which gets displayed.

Second concept:
  There is no HTTPS request being made to Squid.

  What *is* being sent to Squid is a CONNECT tunnel request. Simply a
request to open a binary tunnel from client to some other IP:port or
host:port, with Squid in the middle shoveling bytes in both directions
through it.
  When this tunnel is successfully setup the TLS handshake will go
through it, then the real https:// URL requests will go through inside
the TLS wrapper.

Now put those together....

  Open a two-way binary TCP connection -> redirect to alternative URL.
  Perform TLS handshake with said URL.
  On success request one or more web pages and resources from said web
page URI.
  ...

Replacing "URL" with "HTML page" ... sounds like garbage instructions
to you? The browser thinks so.

Concept three:

   A year or so ago it was revealed that browsers were displaying error
messages badly. Who would have thought displaying
https://bankofamerica.com/ in the address bar while displaying somebody
else's 403 status proxy login page was a bad thing?

  So nowadays they simply drop anything even slightly suspicious coming
back from CONNECT requests. Static HTML error pages produced by Squid
and other server software are pretty safe bets, so *some* browsers still
accept them. But only so long as the HTML is actually static with no
scripts etc.

Amos
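The CONNECT exchange Amos describes, as an added example that is not from this thread or from Squid itself: a small client-side classifier in Python that builds the CONNECT request, parses the proxy's reply, and applies the rules above (only a 2xx opens a tunnel, a 3xx cannot move a tunnel, and a 4xx body is shown only if it is static HTML). The host names, the ERR_CUSTOM header value and the three sample replies are constructed for illustration.

```python
"""Classify a proxy's reply to a CONNECT request the way a cautious client does."""
import re

# Constructed sample replies from a proxy (not real Squid output).
PROXY_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"
PROXY_403_STATIC = (
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
    b"X-Squid-Error: ERR_CUSTOM 0\r\n\r\n"
    b"<html><body><h1>Access denied by policy</h1></body></html>"
)
PROXY_403_REFRESH = (
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
    b"X-Squid-Error: ERR_CUSTOM 0\r\n\r\n"
    b'<html><head><meta http-equiv="refresh" '
    b'content="0;url=http://portal.example/login"></head></html>'
)

# Markers that make an error body non-static: scripts, meta refresh, inline handlers.
DYNAMIC_MARKERS = re.compile(
    r"<script\b|<meta[^>]*http-equiv\s*=\s*[\"']?refresh|\son[a-z]+\s*=", re.I
)


def build_connect_request(host: str, port: int) -> bytes:
    """The request a client sends to open a binary tunnel to host:port."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_response(raw: bytes):
    """Split a raw HTTP reply into (status code, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, body


def is_static_html(body: bytes) -> bool:
    """True if the body contains none of the markers a browser would reject."""
    return DYNAMIC_MARKERS.search(body.decode("utf-8", "replace")) is None


def classify_connect_reply(raw: bytes):
    """Decide what a client does with the proxy's answer to CONNECT."""
    status, _headers, body = parse_response(raw)
    if 200 <= status < 300:
        return "tunnel", status           # TLS handshake proceeds through it
    if 300 <= status < 400:
        return "no-tunnel: redirect status cannot move a tunnel", status
    if body and is_static_html(body):
        return "no-tunnel: show static error body", status
    return "no-tunnel: drop body", status  # scripts/refresh in a CONNECT reply
```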
Received on Tue May 01 2012 - 23:36:56 MDT