Re: Squid + Squidguard - Problems redirecting HTTPS

Author: Kevin
Date:  
To: PLUG-DISCUSS, David Bendit
Subject: Re: Squid + Squidguard - Problems redirecting HTTPS

From the Squid FAQ:

1.12 Does Squid support SSL/HTTPS/TLS?

Squid supports these encrypted protocols by ``tunnelling'' traffic between
clients and servers. Squid can relay the encrypted bits between a client and
a server.

Normally, when your browser comes across an https URL, it does one of two
things:

1. The browser opens an SSL connection directly to the origin server.
2. The browser tunnels the request through Squid with the CONNECT request
method.

The CONNECT method is a way to tunnel any kind of connection through an HTTP
proxy. The proxy doesn't understand or interpret the contents. It just
passes bytes back and forth between the client and server. For the gory
details on tunnelling and the CONNECT method, please see RFC 2817 and
Tunneling TCP based protocols through Web proxy servers (expired).

Squid can not (yet) encrypt or decrypt such connections, however. Some folks
are working on a patch, using OpenSSL, that allows Squid to do this.

...Kevin




> From: David Bendit <>
> Reply-To: Main PLUG discussion list <>
> Date: Thu, 12 Oct 2006 20:23:33 -0700
> To: Main PLUG discussion list <>
> Subject: Squid + Squidguard - Problems redirecting HTTPS
>
>
> Hey there,
>
> In the Paradise Valley School District, we've switched from WebSense to
> a Debian server running Squid and Squidguard for blocking sites. For the
> past 2 months or so, everything's gone perfectly. However, we've hit a
> snag, and I was wondering if anybody on here could provide some assistance.
>
> Normally, when a user accesses a site, the request goes to Squid through
> transparent proxying, which sends it to the redirector, Squidguard.
> Squidguard checks the URL against its blocklists, then either grabs the
> queried page through Squid, or, if it's blocked, redirects to our block
> page. This all works fine.
>
> However, when trying to block an HTTPS page, things get odd. The request
> makes it through Squid into Squidguard, which checks the URL. Since the
> site is blocked, it should grab the redirect page. However, it goes
> straight through. I'm not sure why it's doing this.
>
> Looking at the Squidguard logs, while the normal redirect request is
> issued with a GET, CONNECT is used for HTTPS. That's the only difference
> I can find.
>
> In the Squid logs, the request doesn't even appear. Apparently, Squid
> only logs the request on its way out of the redirector. Since Squidguard
> issues a CONNECT request instead of a GET, I think it's leaving Squid
> and going out directly.
>
> Does anybody know how to get around this problem?
>
> Thanks,
> David Bendit
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
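
The CONNECT behaviour quoted from the FAQ above, seen from the redirector's side, as an added example that is not part of the original messages or of Squid or Squidguard. It assumes the classic redirector input line format `URL client_ip/fqdn ident method`; the hostnames and blocklist entries are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical blocklist entries, constructed for this example.
BLOCKED_DOMAINS = {"blocked.example"}
BLOCKED_URLS = [("allowed.example", "/webmail/")]  # (host, path prefix)

# Constructed redirector input lines: URL client_ip/fqdn ident method
SAMPLE_LINES = [
    "http://blocked.example/games/index.html 10.0.0.5/- - GET",
    "blocked.example:443 10.0.0.5/- - CONNECT",
    "http://allowed.example/webmail/inbox 10.0.0.6/- - GET",
    "allowed.example:443 10.0.0.6/- - CONNECT",
]

def parse_line(line):
    """Split one redirector input line into the fields a blocklist can match on."""
    url, _client, _ident, method = line.split()[:4]
    if method == "CONNECT":
        # A tunnel request names only host:port; no scheme, path or query exists.
        host, _, port = url.rpartition(":")
        return method, host.strip("[]").lower(), int(port), None
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return method, parts.hostname, port, parts.path or "/"

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def classify(line):
    """Return which kind of blocklist entry can decide this request."""
    _method, host, _port, path = parse_line(line)
    if any(in_domain(host, d) for d in BLOCKED_DOMAINS):
        return "domain-match"
    for rule_host, prefix in BLOCKED_URLS:
        if in_domain(host, rule_host):
            if path is None:
                return "path-not-visible"  # rule exists, but the tunnel hides the path
            if path.startswith(prefix):
                return "path-match"
    return "no-match"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{classify(line):17} {line}")
```

Domain entries can still be evaluated for a CONNECT request, while path-based entries have nothing to match against because the request line carries only `host:port`.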


