Re: [squid-users] TCP/DENIED 303 redirect firefox 19.0 not working

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 09 Oct 2013 17:20:01 +1300

On 9/10/2013 3:29 a.m., steve_at_comitcon.be wrote:
> Dear all
>
> I compiled squid 3.3.9 on debian and am trying to get deny_info working
> properly.
>
> When I go to HTTPS sites, I am getting an error message in Firefox/Chrome
> etc. and not a redirection. It does work with regular http requests.
>
> I have been reading up on quite some data and I found messages saying that
> if we return 303:URL, it should work.
>
> What I see in my log file is in fact not the expected result
>
> Log output:
>
> 1381242441.978 0 194.78.29.66 TCP_DENIED/303 331 GET
> http://www.homerecording.be/ - HIER_NONE/- text/html
> 1381242442.034 8 194.78.29.66 TCP_MISS/302 328 GET
> http://www.c2root.be/ - HIER_DIRECT/46.18.36.231 text/html
> 1381242442.069 21 194.78.29.66 TCP_MISS/200 7857 GET
> http://www.c2root.be/viewpage.php? - HIER_DIRECT/46.18.36.231 text/html
> 1381242442.349 8 194.78.29.66 TCP_MISS/302 328 GET
> http://www.c2root.be/ - HIER_DIRECT/46.18.36.231 text/html
> 1381242442.381 21 194.78.29.66 TCP_MISS/200 7857 GET
> http://www.c2root.be/viewpage.php? - HIER_DIRECT/46.18.36.231 text/html
> 1381242463.894 0 194.78.29.66 TCP_DENIED/303 331 CONNECT
> www.facebook.com:443 - HIER_NONE/- text/html
>
> When I have a TCP_DENIED/303 in combination with a CONNECT, I simply get a
> problem loading page error.

That is a redirect. The request is "rejected" by Squid ACLs with a 303
status message redirecting the client to try somewhere which will be
allowed.

> Any ideas?
>
> My conf has the following modified (and only that)
> acl whitelist dstdomain .c2root.be .paypal.com .hln.be
> http_access allow whitelist
> deny_info 303:http://www.c2root.be CONNECT

CONNECT requests are not requests for URLs. They are requests to open
a TCP tunnel to a specific server.
Sending back a redirect to that request is undefined behaviour in HTTP.
Browsers also have a long history of security problems as a result of
past attempts to follow what would appear to be the obvious thing, so
now they place quite a number of limitations on what responses can be
returned to a CONNECT request.
303 is the right status to be using, but it, like any status, requires that
the client supports the HTTP feature in the way you are trying to use it.

Amos
Received on Wed Oct 09 2013 - 04:20:18 MDT
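
Added example (not part of the original thread and not Squid project code): a small Python check over access.log lines in the native layout quoted above, listing CONNECT requests that Squid answered with a denied 3xx redirect, the case the reply says browsers restrict. The sample lines, host names and addresses are constructed.

```python
"""Flag deny_info redirects sent in reply to CONNECT in a Squid access.log."""
from collections import namedtuple

# Constructed sample lines in Squid's native access.log layout (not from the post).
SAMPLE_LOG = """\
1381242441.978      0 192.0.2.10 TCP_DENIED/303 331 GET http://blocked.example/ - HIER_NONE/- text/html
1381242442.034      8 192.0.2.10 TCP_MISS/302 328 GET http://portal.example/ - HIER_DIRECT/198.51.100.7 text/html
1381242463.894      0 192.0.2.10 TCP_DENIED/303 331 CONNECT secure.example:443 - HIER_NONE/- text/html
1381242470.120      0 192.0.2.11 TCP_DENIED/403 3500 CONNECT other.example:443 - HIER_NONE/- text/html
"""

Entry = namedtuple("Entry", "ts elapsed_ms client result status size method target")


def parse_line(line):
    """Parse one native-format line; return None if it does not fit the layout."""
    parts = line.split()
    if len(parts) < 7:
        return None
    # Field 4 is "<result code>/<HTTP status>", e.g. TCP_DENIED/303.
    result, sep, status = parts[3].partition("/")
    if not sep or not status.isdigit():
        return None
    try:
        return Entry(float(parts[0]), int(parts[1]), parts[2], result,
                     int(status), int(parts[4]), parts[5], parts[6])
    except ValueError:
        return None


def redirected_connects(lines):
    """Return denied CONNECT entries that were answered with a 3xx redirect."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if (entry and entry.method == "CONNECT"
                and entry.result == "TCP_DENIED"
                and 300 <= entry.status < 400):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in redirected_connects(SAMPLE_LOG.splitlines()):
        print(f"{e.client} CONNECT {e.target} -> {e.status}: redirect sent on a tunnel request")
```

Hits from this check mark clients that will see a connection error instead of the deny_info page, which helps when reviewing whether a redirect rule is being applied to HTTPS tunnel requests.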
