Hi, thanks Marcus.

I have been hacking my own branch of Squidguard so I can add support for the SNI (I hope). How would I get the peek SNI output to the url_rewriter? I am a bit of a peek newcomer. Sounds like there is some hope and a possible way forward.

regards
Darren B.

On 9/01/2016 5:46:36 PM, Marcus Kool <marcus.k...@urlfilterdb.com> wrote:

On 01/09/2016 05:07 AM, Darren wrote:
> Hi
>
> I am trying to hack squidguard to allow me to redirect users' attempts to
> connect to blocked https enabled sites.
>
> Some sites are allowed and the bulk are not. Currently I can see the Connect
> details being handed to SG for processing and if I change this to return a
> redirect to make it point to a different server
> it breaks and gives me an SSL error (as would be expected)

indeed, "as expected"...

The HTTP protocol supports redirection of a URL by sending a 30x status code back to the browser.
HTTPS, which is SSL+HTTP, is a "safe" encrypted channel where HTTP is inside the channel and explicitly is designed not to be tampered with.
So redirecting a channel to another website always will cause a certificate error, unless ...
1) one uses ssl-bump
2) installs the Squid fake CA certificate in all browsers
3) one has a policy for the other protocols (e.g. Skype) that use CONNECT

> Is there a way I can get this redirection call to squidguard to happen earlier
> in squid before it gets this far down the CONNECT process? Or is there
> something that I can return from Squidguard that
> would make this work? I notice that the connect attempts are always just the
> IP address, so something earlier in the processing is doing a reverse DNS
> lookup, is this the Browser or Squid and if so
> can I get in earlier during the process?

The above implies that you use Squid in interception mode where it initially can only see the IP address of the server.
In ssl-bump mode, Squid can peek in step1 and find the SNI of the server (a.k.a. the FQDN) and then the SNI/FQDN can be used in ACLs inside Squid and any URL redirector that can cope with the SNI parameter.
Squidguard cannot, the latest ufdbGuard 1.31 cannot, but ufdbGuard 1.32 _can_ and will be released in February.

Marcus

>
> I want to maintain the various lists in just squidguard and not put in ACLs
> in squid.conf
>
> thanks
>
> Darren B.
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
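The peek-then-decide setup Marcus describes, written out as an added squid.conf example. It is not from the thread, from SquidGuard or from the Squid documentation; the port, CA path, rewriter path and the blocked domain are placeholders, and whether the `%ssl::>sni` format code is already populated in `url_rewrite_extras` when the rewriter sees the re-evaluated CONNECT is an assumption to check against your Squid version. Blocked names are terminated on the SNI ACL rather than redirected, which is what avoids the certificate error from the original question.

```conf
# Added example (not from the thread): intercept HTTPS, peek the SNI at
# step 1, and decide on the server name without bumping the TLS session.
# Port, paths and the blocked domain are placeholders.
http_port 3129 intercept ssl-bump cert=/etc/squid/squid-ca.pem generate-host-certificates=on

# Step 1 of SslBump: only the client's ClientHello (and thus the SNI) is known.
acl step1 at_step SslBump1

# Names to refuse; ssl::server_name matches the peeked SNI (placeholder domain).
acl blocked_sni ssl::server_name .blocked.example

# Peek at step 1 to learn the SNI. Terminate blocked names (the connection is
# closed, no certificate is forged, so the browser sees no certificate error)
# and splice everything else through untouched.
ssl_bump peek step1
ssl_bump terminate blocked_sni
ssl_bump splice all

# Hand the SNI to the URL rewriter as an extra field. Assumption: %ssl::>sni is
# set on the CONNECT that Squid re-evaluates after peeking; verify on your build.
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp sni=%ssl::>sni"
```

A terminated connection shows up in the browser as a failed connection, not as a block page; showing a redirect or block page for HTTPS still requires bumping the session and installing the Squid CA in every browser, exactly Marcus's points 1 and 2.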