Re: [squid-users] Squid custom error page

2017-05-18 Thread Alex Rousskov
On 05/18/2017 11:40 AM, chcs wrote:

> HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's Encrypt
> authority

> One more question:
> With 2 different CA certificates to block twitter.com >> different results
> 
> Issuer: self-signed0 10.0.0.100 TAG_NONE/403 4709 GET
> https://www.twitter.com/ - HIER_NONE/- text/html
> Result: no problem, it shows me the squid custom error page
> 
> Issuer: Let's Encrypt  0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
> www.twitter.com:443 - HIER_NONE/- text/html
> Result: It doesn't show me the squid custom error page

Let's Encrypt does not issue CA certificates. You need a CA certificate
for an SslBump setup to work for more than one site. Let's Encrypt also
does not issue leaf certificates for www.twitter.com unless you control
www.twitter.com.

When you generated a self-signed certificate, you probably generated a
CA certificate. If you did not, then you will encounter problems if you
try to import that certificate in browsers/clients that require CA
certificates. See the OpenSSL command below for one way to check what
you have generated.

CA certificates have an x509 "Basic Constraints" extension with a
CA:TRUE constraint. For example:

> $ openssl x509 -in CA-priv+pub.pem -text -noout | fgrep -A 1 'Basic'
> X509v3 Basic Constraints: 
> CA:TRUE

HTH,

Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
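As an added example (not from Alex's message or from the Squid project), the check Alex describes, carried through on two constructed certificates: a self-signed CA with CA:TRUE, and a self-signed leaf with CA:FALSE, which is the shape of the server certificate a public CA such as Let's Encrypt issues. Both are generated with openssl (1.1.1 or later assumed) into a temporary directory; the subject names and file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Generates two constructed certificates
# and tells them apart by the X509v3 Basic Constraints extension, as Alex
# suggests. Needs openssl 1.1.1+ on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config: one section with CA-style extensions, one with
# leaf-style extensions.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF

# make_cert SECTION SUBJECT OUTFILE: self-signed certificate carrying the
# extensions from SECTION. The key lands next to it and dies with WORK.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/req.cnf" -extensions "$1" -subj "$2" \
    -keyout "$3.key" -out "$3" >/dev/null 2>&1
}

# is_ca_cert FILE: prints "yes" when Basic Constraints says CA:TRUE, else "no".
# Same grep Alex shows, wrapped so the answer can be scripted.
is_ca_cert() {
  if openssl x509 -in "$1" -noout -text \
       | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# Constructed sample: what a Squid SslBump CA certificate looks like...
make_cert ca_ext   "/CN=Constructed Squid CA" "$WORK/ca.pem"
# ...and what a server certificate from a public CA looks like (CA:FALSE).
make_cert leaf_ext "/CN=www.example.com"      "$WORK/leaf.pem"

echo "ca.pem   usable as SslBump CA: $(is_ca_cert "$WORK/ca.pem")"    # yes
echo "leaf.pem usable as SslBump CA: $(is_ca_cert "$WORK/leaf.pem")"  # no
```

Only the first file is something Squid can sign generated host certificates with; importing the second into clients as a CA gets rejected for the reason Alex gives.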


Re: [squid-users] Squid custom error page

2017-05-18 Thread Walter H.

On 18.05.2017 19:40, chcs wrote:

One more question:
With 2 different CA certificates to block twitter.com >> different results

Issuer: self-signed0 10.0.0.100 TAG_NONE/403 4709 GET
https://www.twitter.com/ - HIER_NONE/- text/html
Result: no problem, it shows me the squid custom error page

Issuer: Let's Encrypt  0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
www.twitter.com:443 - HIER_NONE/- text/html
Result: It doesn't show me the squid custom error page

Why?

and what is the end entity certificate where the issuer is Let's Encrypt?
(this might be the reason)





Re: [squid-users] Squid custom error page

2017-05-18 Thread chcs
One more question:
With 2 different CA certificates to block twitter.com >> different results

Issuer: self-signed0 10.0.0.100 TAG_NONE/403 4709 GET
https://www.twitter.com/ - HIER_NONE/- text/html
Result: no problem, it shows me the squid custom error page

Issuer: Let's Encrypt  0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
www.twitter.com:443 - HIER_NONE/- text/html
Result: It doesn't show me the squid custom error page

Why?





Re: [squid-users] Squid custom error page

2017-05-17 Thread Rafael Akchurin
Please note if you first let the connect tunnel to succeed (forcing bump) and 
then block the next coming request through that tunnel - you will get the 
blocked message displayed.

We do it in ICAP 
(https://docs.diladele.com/faq/squid/cannot_connect_to_site_using_https.html) - 
other community members may know better if it is possible to do that in Squid 
directly.

Beware of those using your tunnels to pump non-HTTP traffic though. Blocking 
the connect as it is done now in Squid keeps you on the safe side.

Best regards,
Rafael Akchurin

On 17 May 2017 at 4:04 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:

On 17/05/17 23:32, chcs wrote:
Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
Connection" page, instead of the Squid custom error page, when connecting to
an HTTPS site which is blocked by the proxy server.
For example, we try to connect to https://www.something.com via the Squid
proxy server, which denies this connect with a 403 error and sends the custom
error page with a description of the problem; in older versions it worked.
I'm using pfSense 2.4 (current version: squid 3.5.24).

Reproducible: Always

Steps to Reproduce:
1. Configure Firefox to use proxy server (SSL Proxy).
2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
Encrypt authority
3. Try to connect to HTTPS site, which will be blocked by proxy server

Actual Results:
Firefox will display "Page Load Error" with description "Proxy Server
Refused Connection. Firefox is configured to use a proxy server that is
refusing connections."
If we connect to an HTTPS site which is not blocked by the proxy server OR
use a self-signed CA issuer, all works fine.

Expected Results:
Display proxy server error page with deny info.

This is a well-known problem with Browsers, they all refuse to display any 
response to a CONNECT tunnel message.

Use of TLS to secure the connection to the proxy does not affect this browser 
behaviour on HTTPS traffic. The best you can hope for is to make Squid use a 
511 status code with deny_info and hope that it chooses to display something 
halfway useful.

Amos



Re: [squid-users] Squid custom error page

2017-05-17 Thread Walter H.

On 17.05.2017 16:04, Amos Jeffries wrote:

On 17/05/17 23:32, chcs wrote:

Expected Results:
Display proxy server error page with deny info.


This is a well-known problem with Browsers, they all refuse to display 
any response to a CONNECT tunnel message.
 



Use of TLS to secure the connection to the proxy does not affect this 
browser behaviour on HTTPS traffic. The best you can hope for is to 
make Squid use a 511 status code with deny_info and hope that it 
chooses to display something halfway useful.

there seems to be another problem ...

at my setup any browser shows the proxy messages;

with deny_info the special page
e.g. ERR_DOMAIN_BLOCKED,
without just the ERR_ACCESS_DENIED as default ...

my squid 3.5.25 (CentOS 6.9) - thanks to
Eliezer Croitoru for doing this good job;

the custom error pages are only shown, when the proxy does
SSL interception and the browser has installed the squid CA certificate ...

why is this:

without SSL interception, the browser sends a CONNECT
and expects an SSL/TLS handshake; instead it gets an
HTTP reply with the custom error page, which the browser
doesn't know how to handle at this moment ...
only the information in the HTTP header is processed;

in case someone has configured https_port this is just the same,
because the SSL/TLS connection to the webserver is tunneled inside
the SSL/TLS connection between client and browser ...





Re: [squid-users] Squid custom error page

2017-05-17 Thread Dijxie

On 17.05.2017 at 13:32, chcs wrote:

Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
Connection" page, instead of the Squid custom error page, when connecting to
an HTTPS site which is blocked by the proxy server.
For example, we try to connect to https://www.something.com via the Squid
proxy server, which denies this connect with a 403 error and sends the custom
error page with a description of the problem; in older versions it worked.
I'm using pfSense 2.4 (current version: squid 3.5.24).

Reproducible: Always

Steps to Reproduce:
1. Configure Firefox to use proxy server (SSL Proxy).
2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
Encrypt authority
3. Try to connect to HTTPS site, which will be blocked by proxy server

Actual Results:
Firefox will display "Page Load Error" with description "Proxy Server
Refused Connection. Firefox is configured to use a proxy server that is
refusing connections."
If we connect to an HTTPS site which is not blocked by the proxy server OR
use a self-signed CA issuer, all works fine.

Expected Results:
Display proxy server error page with deny info.





This is intentional Firefox behavior since a long time ago:
https://bugzilla.mozilla.org/show_bug.cgi?id=493699

Even if this bug is outdated, it is a browser thing how to render error 
pages, not squid's fault.
You may try to redirect (instead of blocking) your blocked page to your 
custom page that looks exactly like squid's internal error page, but 
then you will see the browser's SSL security warning, since the page you 
requested was SSL, and your error page is not - the same goes for 
internal error pages.
Proxies' error pages are nowadays usually replaced by browsers due to 
security reasons in case of SSL pages.


If your custom-pretending-to-be-squid's-internal page were SSL with a 
valid cert, my guess is your problem is solved.


--
Greets, Dijx



Re: [squid-users] Squid custom error page

2017-05-17 Thread Amos Jeffries

On 17/05/17 23:32, chcs wrote:

Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
Connection" page, instead of the Squid custom error page, when connecting to
an HTTPS site which is blocked by the proxy server.
For example, we try to connect to https://www.something.com via the Squid
proxy server, which denies this connect with a 403 error and sends the custom
error page with a description of the problem; in older versions it worked.
I'm using pfSense 2.4 (current version: squid 3.5.24).

Reproducible: Always

Steps to Reproduce:
1. Configure Firefox to use proxy server (SSL Proxy).
2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
Encrypt authority
3. Try to connect to HTTPS site, which will be blocked by proxy server

Actual Results:
Firefox will display "Page Load Error" with description "Proxy Server
Refused Connection. Firefox is configured to use a proxy server that is
refusing connections."
If we connect to an HTTPS site which is not blocked by the proxy server OR
use a self-signed CA issuer, all works fine.

Expected Results:
Display proxy server error page with deny info.


This is a well-known problem with Browsers, they all refuse to display 
any response to a CONNECT tunnel message.


Use of TLS to secure the connection to the proxy does not affect this 
browser behaviour on HTTPS traffic. The best you can hope for is to make 
Squid use a 511 status code with deny_info and hope that it chooses to 
display something halfway useful.


Amos

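An added squid.conf fragment, written for this page and not taken from any message in the thread or from the Squid documentation, that puts the two approaches discussed side by side: Amos's deny_info with a 511 status on the CONNECT, and Rafael's alternative of letting the CONNECT through, bumping it, and denying the request that arrives inside the tunnel. It assumes Squid 3.5 built with SslBump, that clients trust the proxy's CA, and uses placeholder values for the CA file path, the client network and the blocked domain.

```conf
# Added example, not from the thread. Placeholders: CA file path, client
# network, blocked domain. Assumes Squid 3.5 with SSL support.

acl localnet src 10.0.0.0/8
acl blocked dstdomain .twitter.com
acl CONNECT method CONNECT

# Decrypt client TLS so Squid can see the request inside the tunnel.
# The file must hold a CA certificate (Basic Constraints CA:TRUE) together
# with its private key, and clients must trust that CA; a leaf certificate
# here (for example one issued by Let's Encrypt) breaks every bumped site.
http_port 3128 ssl-bump cert=/etc/squid/ssl/squidCA.pem generate-host-certificates=on

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Option A: deny the CONNECT itself. Browsers refuse to render the body of a
# CONNECT error response, so the most you can do is return a 511 status via
# deny_info and hope the browser shows something useful. Nothing is ever
# tunnelled for a blocked site, which is the safe default.
# deny_info 511:ERR_ACCESS_DENIED blocked
# http_access deny blocked CONNECT

# Option B: let the CONNECT through, bump it, and deny the request inside the
# tunnel. The browser then gets an ordinary 403 carrying the custom error
# page over the bumped TLS session (the TAG_NONE/403 ... GET https://... log
# line from the thread). Trade-off: the tunnel is opened before the decision,
# so only combine this with "bump"; with "splice" Squid never sees the inner
# request and the block cannot happen at all.
http_access deny blocked !CONNECT

http_access allow localnet
http_access deny all
```

With Option B active and Option A commented out as above, a CONNECT to www.twitter.com:443 from localnet is allowed and bumped, and the GET that follows is denied with ERR_ACCESS_DENIED; switching to Option A turns that into a TCP_DENIED/511 on the CONNECT, matching the behaviour the thread describes.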


[squid-users] Squid custom error page

2017-05-17 Thread chcs
Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
Connection" page, instead of the Squid custom error page, when connecting to
an HTTPS site which is blocked by the proxy server.
For example, we try to connect to https://www.something.com via the Squid
proxy server, which denies this connect with a 403 error and sends the custom
error page with a description of the problem; in older versions it worked.
I'm using pfSense 2.4 (current version: squid 3.5.24).

Reproducible: Always

Steps to Reproduce:
1. Configure Firefox to use proxy server (SSL Proxy).
2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
Encrypt authority
3. Try to connect to HTTPS site, which will be blocked by proxy server

Actual Results:  
Firefox will display "Page Load Error" with description "Proxy Server
Refused Connection. Firefox is configured to use a proxy server that is
refusing connections."
If we connect to an HTTPS site which is not blocked by the proxy server OR
use a self-signed CA issuer, all works fine.

Expected Results:  
Display proxy server error page with deny info. 


