My effort so far:
acl SquidTLSErrorConnect ssl_error SQUID_TLS_ERR_CONNECT
##############################
#unsupported protocol definice
##############################
# define what Squid errors indicate receiving non-HTTP traffic:
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
# define what Squid errors indicate receiving nothing:
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
acl SquidSecureConnectFail squid_error ERR_SECURE_CONNECT_FAIL
# tunnel everything that does not look like HTTP:
on_unsupported_protocol tunnel foreignProtocol
# tunnel if we think the client waits for the server to talk first:
on_unsupported_protocol tunnel serverTalksFirstProtocol
#tunnel all for connection errors
on_unsupported_protocol tunnel SquidTLSErrorConnect
on_unsupported_protocol tunnel SquidSecureConnectFail
# in all other error cases, just send an HTTP "error page" response:
on_unsupported_protocol respond all
This is how it changed the behaviour (checked only with
redir.netcentrum.cz so far)
1712126917.823 0 10.0.0.1 NONE_NONE/503 13605 GET
https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html
redir.netcentrum.cz
1712126918.842 23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126918.881 0 10.0.0.1 NONE_NONE/503 13605 GET
https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html
redir.netcentrum.cz
1712126919.116 21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126919.156 0 10.0.0.1 NONE_NONE/503 13605 GET
https://redir.netcentrum.cz/favicon.ico - HIER_NONE/- text/html
redir.netcentrum.cz
1712126918.839 19 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126918.845 0 10.0.0.1 NONE_NONE/503 13605 GET
https://redir.netcentrum.cz/? - HIER_NONE/- text/html redir.netcentrum.cz
1712126919.113 19 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - redir.netcentrum.cz
1712126919.119 0 10.0.0.1 NONE_NONE/503 13605 GET
https://redir.netcentrum.cz/? - HIER_NONE/- text/html redir.netcentrum.cz
1712127729.466 66 10.0.0.1 TCP_MISS/200 719 GET
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127729.516 9 10.0.0.1 TCP_MISS/403 424 GET
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158
text/plain -
1712127768.494 8 10.0.0.1 TCP_MISS/200 794 GET
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127768.544 7 10.0.0.1 TCP_MISS/403 424 GET
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158
text/plain -
1712127833.348 9 10.0.0.1 TCP_MISS/200 794 GET
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712127833.486 15 10.0.0.1 TCP_MISS/403 424 GET
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158
text/plain -
1712129450.601 27 10.0.0.1 TCP_MISS/200 851 GET
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712129450.688 8 10.0.0.1 TCP_MISS/403 424 GET
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158
text/plain -
1712130278.514 54 10.0.0.1 TCP_MISS/200 795 GET
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712130278.565 9 10.0.0.1 TCP_MISS/403 422 GET
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158
text/plain -
1712130282.165 9 10.0.0.1 TCP_MISS/200 815 GET
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -
1712130282.222 8 10.0.0.1 TCP_MISS/403 424 GET
http://redir.netcentrum.cz/favicon.ico - ORIGINAL_DST/46.255.231.158
text/plain -
I can see clear change from GET https to GET http only. I have to check
what else does not work and why. (for example many users complained
about heureka.cz subdomains not openning right with https.) I have to
say - there many less competent admins in the wild with selfsigned or
unmatched certificates on their websites, thinking they did the homework
right. It is tough to explaing to my users that the error page they are
getting is not a result of a faulty local gear - nor an attempt of the
admin to spy on them or to block some sites etc.
LL
Dne 03.04.2024 v 8:14 Loučanský Lukáš napsal(a):
Hello,
this has recently started me up more then let it go. For a while
chrome is upgrading in-page links to https. It is supposed to work
something like
https://www.bleepingcomputer.com/news/google/google-chrome-now-auto-upgrades-to-secure-connections-fo
r-all-users/
But there is a catch for me - my squid returns something like:
(104) Connection reset by peer (TLS code:
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104)
Failed to establish a secure connection: [No Error]
or
[No Error] (TLS code:
SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=1408F10B+TLS_IO_ERR=1)
Failed to establish a secure connection: error:1408F10B:SSL
routines:ssl3_get_record:wrong version number
to the user - via error page
Log file:
1712122364.809 1172 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode
peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph
- Error: ERR_SECURE_CONNECT_FAIL |
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122366.296 23 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode
peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph
- Error: ERR_SECURE_CONNECT_FAIL |
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122366.293 21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode
peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph
- Error: ERR_SECURE_CONNECT_FAIL |
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122367.111 20 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode
peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph
- Error: ERR_SECURE_CONNECT_FAIL |
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
1712122367.114 21 10.0.0.1 NONE_NONE_ABORTED/000 0 CONNECT
46.255.231.158:443 - HIER_NONE/- - SNI redir.netcentrum.cz BumpMode
peek - - - ServerNegoTLS - ServerRecTLS - ServerRecVer - ServerNegCiph
- Error: ERR_SECURE_CONNECT_FAIL |
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104
In fact - this seems to be http only sites like -
https://www.ssllabs.com/ssltest/analyze.html?d=www.jarovnet.org or
https://www.ssllabs.com/ssltest/analyze.html?d=redir.netcentrum.cz&s=46.255.231.158&latest.
See this snapshot from centrum web mail page source code "Více
informací o tomto zapezpečení naleznete v <a
href="http://napoveda.centrum.cz/index.php?/Knowledgebase/Article/View/18/1/";
"
So - what is supposed to be happening is chrome should fallback to
http if there is a problem with https - i think the most obvious
reason to fall back would be no output at all. So I think my effort
should target the situation when squid says ERR_SECURE_CONNECT_FAIL |
SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=5+errno=104 and to remain silent to
the client.
Is there a way to do it - ie. do not show error page for not able to
connect to server at all? I'd like every other problems (ie.
bad/selfsigned/not matched certificate etc.) pushed to the client's
eyes. I have implemented
https://www.squid-cache.org/Doc/config/on_unsupported_protocol/ like
in the example - but it is for an accepted TCP connections. I'd like
to handle SSL errors - such as not being able to connect at all. -
could it be done with
https://www.squid-cache.org/Doc/config/sslproxy_cert_error/?
LL
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
