Hi,
Sorry for the noise. In fact, it works. It's just squid couldn't connect
to the local cgi page (while it could for squidclamav), and then did its
best that was rather strange.
I confirm "url_rewrite_access deny CONNECT" works like a charm to avoid
redirection during connection establishm
Hi all,
I know it's an old subject but I come back on it as I moved my old proxy
server to Debian Buster.
I now have a 4.10 version from git.
Here are my last tests regarding this subject :
* Using c-icap for virus detection works well. I mean if I download a
virus from an HTTPS server like
Hi Edouard,
To block GET https://www.example.com/foo.html and to pass CONNECT
www,example.com you need
a) squid with ssl-bump in peek+bump mode
b) ufdbGuard
ufdbGuard can skip the CONNECT and waits for the GET request
which can be blocked without browser errors.
Since ssl-bump is not easy it i
Hi community,
Any news about this?
I've tried 3.5.25 but still observe this behaviour.
I understand it well since I read:
https://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
But how to let the CONNECT request succeed and later block/redire
On 11/13/2015 02:16 AM, Edouard Gaulué wrote:
> I read on http://wiki.squid-cache.org/Features/MimicSslServerCert in the
> "Delayed error responses" chapter:
> "When Squid fails to negotiate a secure connection with the origin
> server and bump-ssl-server-first is enabled, Squid remembers the erro
On 13/11/2015 10:16 p.m., Edouard Gaulué wrote:
> Hi Amos and all,
>
> Learning on HTTP CONNECT, I got
> there:http://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
>
>
> I read on http://wiki.squid-cache.org/Features/MimicSslServerCert in the
>
Hi Amos and all,
Learning on HTTP CONNECT, I got
there:http://serverfault.com/questions/727262/how-to-redirect-https-connect-request-with-squid-explicit-proxy
I read on http://wiki.squid-cache.org/Features/MimicSslServerCert in the
"Delayed error responses" chapter:
"When Squid fails to negot
On 13/11/2015 1:02 a.m., Edouard Gaulué wrote:
>
> In the https case I observe just 1 stream:
> CONNECT ad.doubleclick.net:443 HTTP/1.1
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0)
> Gecko/20100101 Firefox/42.0
> Proxy-Connection: keep-alive
> Connection: keep-alive
> Host:
On 05.11.2015 04:26, Amos Jeffries wrote:
There was a bug about the wrong SNI being sent to servers on bumped
traffic that got re-written. That got fixed in Squid-3.5.7 and
re-writers should have been fully working since then.
This seems to be a bug in 3.5.x only
with 3.4.10 this works fine ..
Le 12/11/2015 13:28, Marcus Kool a écrit :
I cannot make much of the logs and expect that information is missing.
But using just logic, it seems that Squid has a problem with the
redirect to a CONNECT.
I suggest to set debug all,9 and to look closely at what happens with
the redirection.
Marc
I cannot make much of the logs and expect that information is missing.
But using just logic, it seems that Squid has a problem with the redirect to a
CONNECT.
I suggest to set debug all,9 and to look closely at what happens with the
redirection.
Marcus
On 11/12/2015 10:02 AM, Edouard Gaulué w
Hi Marcus and all,
I have option_debug ALL,2 61,9.
Logs don't tell me a lot, the squidguard answer is exactly the same with
or without ssl.
===
2015/11/12 11:51:13.320 kid1| 11,2| client_side.cc(2345)
parseHttpRequest: HTTP Client local=192.168.0.233:3128
remote=192.168
Hi again,
Just forget what I said about REDIRECT answers, there are the same with
or without SSL (it was a side effect of "-C5" on my logs grep).
But, why are browsers handling that in a different way?
Without SSL, it's all right. With SSL it's getting to the conclusion it
should try to conn
On 11/12/2015 07:03 AM, Edouard Gaulué wrote:
Hi Marcus, Amos and maybe others,
Here were I am. I've looked in the log. Let me describe what I observe. It's
maybe linked with some other posts I've read.
Imagine I try to connect to http://ad.doubleclick.net/ad.jpg. I observe the
request in w
Hi Marcus, Amos and maybe others,
Here were I am. I've looked in the log. Let me describe what I observe.
It's maybe linked with some other posts I've read.
Imagine I try to connect to http://ad.doubleclick.net/ad.jpg. I observe
the request in wireshark. It goes to the squid process: there is
On 11/04/2015 08:55 PM, Edouard Gaulué wrote:
Hi Marcus,
Well that just an URL rewriter program. You can just test it from the command
line :
echo "URL" | /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
Before I understood it was possible to precise the redirect code I got that:
#> ec
On 5/11/2015 11:55 a.m., Edouard Gaulué wrote:
> Hi Marcus,
>
> Well that just an URL rewriter program. You can just test it from the
> command line :
> echo "URL" | /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
>
> Before I understood it was possible to precise the redirect code I got
>
Hi Marcus,
Well that just an URL rewriter program. You can just test it from the
command line :
echo "URL" | /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
Before I understood it was possible to precise the redirect code I got that:
#> echo
"https://ad.doubleclick.net/N4061/adi/com.yt
You need to know what squidGuard actually sends to Squid.
squidGuard does not have a debug option for this, so you have to set
debug_options ALL,1 61,9
in squid.conf to see what Squid receives.
I bet that what Squid receives, is what it complains about:
the URL starts with 'https://http'
Marcu
Le 04/11/2015 11:00, Amos Jeffries a écrit :
On 4/11/2015 12:48 p.m., Marcus Kool wrote:
I suspect that the problem is that you redirect a HTTPS-based URL to an
HTTP URL and Squid does not like that.
Marcus
To give it a try in that direction I now redirect to an https server.
And I get :
The
On 4/11/2015 12:48 p.m., Marcus Kool wrote:
> I suspect that the problem is that you redirect a HTTPS-based URL to an
> HTTP URL and Squid does not like that.
>
> Marcus
>
No it is apparently the fact that the domain name being redirected to is
"http".
As in: "http://http/something";
Which br
I suspect that the problem is that you redirect a HTTPS-based URL to an HTTP
URL and Squid does not like that.
Marcus
On 11/03/2015 08:48 PM, Edouard Gaulué wrote:
Hi community,
I've followed
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit to
set my server. It looks re
Hi community,
I've followed
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit to
set my server. It looks really interesting and it's said to be the more
common configuration.
I often observe (example here withwww.youtube.com) :
***
The following error
23 matches
Mail list logo