Re: [squid-users] "ACCESS DENIED" page by ssl_bump terminate

Mon, 28 Mar 2016 06:30:13 -0700 

I've already checked it. Order of this options doesn't matter.


28.03.2016 15:30, Yuri Voinov пишет:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I suggests the order is important and must be:

ssl_bump terminate blocked_https
deny_info http://www.example.com blocked_https

28.03.16 11:59, Alexandr Yatskin пишет:
> Directive "deny_info" didn't work when we blocked https site with option "ssl_bump". > Maybe, is there another method? > > -------------------------------------------------------------------- > acl blocked_https ssl::server_name "/etc/squid/blocked_https.txt" > acl step1 at_step SslBump1 > ssl_bump peek step1 > > deny_info http://www.example.com blocked_https > ssl_bump terminate blocked_https > -------------------------------------------------------------------- > > > 25.03.2016 17:14, Yuri Voinov пишет: >> > # TAG: deny_info > # Usage: deny_info err_page_name acl > # or deny_info http://... acl > # or deny_info TCP_RESET acl > # > # This can be used to return a ERR_ page for requests which > # do not pass the 'http_access' rules. Squid remembers the last > # acl it evaluated in http_access, and if a 'deny_info' line exists > # for that ACL Squid returns a corresponding error page. > # > # The acl is typically the last acl on the http_access deny line which > # denied access. The exceptions to this rule are: > # - When Squid needs to request authentication credentials. It's then > # the first authentication related acl encountered > # - When none of the http_access lines matches. It's then the last > # acl processed on the last http_access line. > # - When the decision to deny access was made by an adaptation service, > # the acl name is the corresponding eCAP or ICAP service_name. > # > # NP: If providing your own custom error pages with error_directory > # you may also specify them by your custom file name: > # Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys > # > # By defaut Squid will send "403 Forbidden". A different 4xx or 5xx > # may be specified by prefixing the file name with the code and a colon. > # e.g. 404:ERR_CUSTOM_ACCESS_DENIED > # > # Alternatively you can tell Squid to reset the TCP connection > # by specifying TCP_RESET. > # > # Or you can specify an error URL or URL pattern. The browsers will > # get redirected to the specified URL after formatting tags have > # been replaced. Redirect will be done with 302 or 307 according to > # HTTP/1.1 specs. A different 3xx code may be specified by prefixing > # the URL. e.g. 303:http://example.com/ > # > # URL FORMAT TAGS: > # %a - username (if available. Password NOT included) > # %B - FTP path URL > # %e - Error number > # %E - Error description > # %h - Squid hostname > # %H - Request domain name > # %i - Client IP Address > # %M - Request Method > # %o - Message result from external ACL helper > # %p - Request Port number > # %P - Request Protocol name > # %R - Request URL path > # %T - Timestamp in RFC 1123 format > # %U - Full canonical URL from client > # (HTTPS URLs terminate with *) > # %u - Full canonical URL from client > # %w - Admin email from squid.conf > # %x - Error name > # %% - Literal percent (%) code > # > #Default: > # none > > ? > > 25.03.16 16:15, Alexandr Yatskin пишет: > > Hello everyone! > > > How redirect users to "Access Denied" page when they go to > blocked https sites? > > > Now users only can see such error: "ERR_CONNECTION_CLOSED". > > > > > There are several lines from our config: > > > ------------------------------------------ > > > acl blocked_https ssl::server_name > "/etc/squid/blocked_https.txt" > > > ssl_bump terminate blocked_https > > > ------------------------------------------ > > > Thanks in advance. > > > > > > > > > _______________________________________________ > > > squid-users mailing list > > > squid-users@lists.squid-cache.org > > > http://lists.squid-cache.org/listinfo/squid-users > >> >> >> >> _______________________________________________ >> squid-users mailing list >> squid-users@lists.squid-cache.org >> http://lists.squid-cache.org/listinfo/squid-users > 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJW+SPZAAoJENNXIZxhPexGn0wIALLPgsRZLfdfo6j2cxRiYU2W
wREfDnN+i02rLBmboPiP1h9kk59r6wd37Fzbk8Ltp+zpQVv150Uo9ivHEfbOyeCk
/enX/vaBhnyaIk3BGHkdrmI2FcRMVFV+fh/C+nLixyRfswTq1Xv/cmY9YrkSBtDM
yt39353FlJFNwcz3wV+xlfibCQeMvJ8vLAa0jVGALeb0KwKgXJ90WlL2AssaiTRC
G74KCXSnF0eqgj9Mjbh0SN/b9YrINAnjjOBiYAx8epMLD2Rl2VxXNFcWNUKRUiiV
0mHOocOe4Q8Wrqh5WS2NUcN921FEoW5bwsKdbItAl0xQs0Ow9Cax8aVIKWDYQyo=
=FmF4
-----END PGP SIGNATURE-----




_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Reply via email to