[squid-users] Squid custom error page
chcs
2017-05-17 11:32:06 UTC
Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
Connection" page instead of the Squid custom error page when connecting to an
HTTPS site which is blocked by the proxy server.
For example, we try to connect to https://www.something.com via the Squid proxy
server, which denies this connection with a 403 error and sends a custom error
page with a description of the problem; in older versions it worked.
I'm using pfSense 2.4 (current version squid 3.5.24).

Reproducible: Always

Steps to Reproduce:
1. Configure Firefox to use the proxy server (SSL Proxy).
2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
Encrypt authority
3. Try to connect to an HTTPS site which will be blocked by the proxy server

Actual Results:
Firefox will display "Page Load Error" with the description "Proxy Server
Refused Connection. Firefox is configured to use a proxy server that is
refusing connections."
If we connect to an HTTPS site which is not blocked by the proxy server OR use
a self-signed issuer CA, all works fine.

Expected Results:
Display the proxy server error page with deny info.



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-custom-error-page-tp4682433.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Amos Jeffries
2017-05-17 14:04:28 UTC
On 17/05/17 23:32, chcs wrote:
> Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
> Connection" page instead of the Squid custom error page when connecting to an
> HTTPS site which is blocked by the proxy server.
> For example, we try to connect to https://www.something.com via the Squid proxy
> server, which denies this connection with a 403 error and sends a custom error
> page with a description of the problem; in older versions it worked.
> I'm using pfSense 2.4 (current version squid 3.5.24).
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. Configure Firefox to use the proxy server (SSL Proxy).
> 2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
> Encrypt authority
> 3. Try to connect to an HTTPS site which will be blocked by the proxy server
>
> Actual Results:
> Firefox will display "Page Load Error" with the description "Proxy Server
> Refused Connection. Firefox is configured to use a proxy server that is
> refusing connections."
> If we connect to an HTTPS site which is not blocked by the proxy server OR use
> a self-signed issuer CA, all works fine.
>
> Expected Results:
> Display the proxy server error page with deny info.

This is a well-known problem with browsers: they all refuse to display
any response to a CONNECT tunnel message.
<http://wiki.squid-cache.org/Features/CustomErrors#Custom_error_pages_not_displayed_for_HTTPS>

Use of TLS to secure the connection to the proxy does not affect this
browser behaviour on HTTPS traffic. The best you can hope for is to make
Squid use a 511 status code with deny_info and hope that it chooses to
display something halfway useful.

Amos
Walter H.
2017-05-17 14:42:13 UTC
On 17.05.2017 16:04, Amos Jeffries wrote:
> On 17/05/17 23:32, chcs wrote:
>> Expected Results:
>> Display proxy server error page with deny info.
>
> This is a well-known problem with browsers: they all refuse to display
> any response to a CONNECT tunnel message.
> <http://wiki.squid-cache.org/Features/CustomErrors#Custom_error_pages_not_displayed_for_HTTPS>
>
>
> Use of TLS to secure the connection to the proxy does not affect this
> browser behaviour on HTTPS traffic. The best you can hope for is to
> make Squid use a 511 status code with deny_info and hope that it
> chooses to display something halfway useful.
there seems to be another problem ...

at my setup any browser shows the proxy messages;

with deny_info the special page,
e.g. ERR_DOMAIN_BLOCKED,
without it just the ERR_ACCESS_DENIED as default ...

my squid 3.5.25 (CentOS 6.9) - thanks to
Eliezer Croitoru for doing this good job;

the custom error pages are only shown when the proxy does
SSL interception and the browser has the squid CA certificate installed ...

why is this:

without SSL interception, the browser sends a CONNECT
and expects an SSL/TLS handshake; instead it gets an
HTTP reply with the custom error page, which the browser
doesn't know how to handle at this moment ...
only the information in the HTTP header is processed;

in case someone has configured https_port this is just the same,
because the SSL/TLS connection to the webserver is tunneled inside
the SSL/TLS connection between client and browser ...
Rafael Akchurin
2017-05-17 14:50:06 UTC
Please note that if you first let the CONNECT tunnel succeed (forcing bump) and then block the next request coming through that tunnel, you will get the blocked message displayed.

We do it in ICAP (https://docs.diladele.com/faq/squid/cannot_connect_to_site_using_https.html) - other community members may know better if it is possible to do that in Squid directly.

Beware of those using your tunnels to pump non-HTTP traffic, though. Blocking the CONNECT as it is done now in Squid keeps you on the safe side.

Best regards,
Rafael Akchurin

On 17 May 2017 at 4:04 PM, Amos Jeffries <***@treenet.co.nz> wrote:

On 17/05/17 23:32, chcs wrote:
Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
Connection" page instead of the Squid custom error page when connecting to an
HTTPS site which is blocked by the proxy server.
For example, we try to connect to https://www.something.com via the Squid proxy
server, which denies this connection with a 403 error and sends a custom error
page with a description of the problem; in older versions it worked.
I'm using pfSense 2.4 (current version squid 3.5.24).

Reproducible: Always

Steps to Reproduce:
1. Configure Firefox to use the proxy server (SSL Proxy).
2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
Encrypt authority
3. Try to connect to an HTTPS site which will be blocked by the proxy server

Actual Results:
Firefox will display "Page Load Error" with the description "Proxy Server
Refused Connection. Firefox is configured to use a proxy server that is
refusing connections."
If we connect to an HTTPS site which is not blocked by the proxy server OR use
a self-signed issuer CA, all works fine.

Expected Results:
Display the proxy server error page with deny info.

This is a well-known problem with browsers: they all refuse to display any response to a CONNECT tunnel message.
<http://wiki.squid-cache.org/Features/CustomErrors#Custom_error_pages_not_displayed_for_HTTPS>

Use of TLS to secure the connection to the proxy does not affect this browser behaviour on HTTPS traffic. The best you can hope for is to make Squid use a 511 status code with deny_info and hope that it chooses to display something halfway useful.

Amos

_______________________________________________
squid-users mailing list
squid-***@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Dijxie
2017-05-17 14:25:03 UTC
On 17.05.2017 at 13:32, chcs wrote:
> Firefox 53.0.2, Chrome 58.3029 and Opera 44 display the "Proxy Server Refused
> Connection" page instead of the Squid custom error page when connecting to an
> HTTPS site which is blocked by the proxy server.
> For example, we try to connect to https://www.something.com via the Squid proxy
> server, which denies this connection with a 403 error and sends a custom error
> page with a description of the problem; in older versions it worked.
> I'm using pfSense 2.4 (current version squid 3.5.24).
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. Configure Firefox to use the proxy server (SSL Proxy).
> 2. HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's
> Encrypt authority
> 3. Try to connect to an HTTPS site which will be blocked by the proxy server
>
> Actual Results:
> Firefox will display "Page Load Error" with the description "Proxy Server
> Refused Connection. Firefox is configured to use a proxy server that is
> refusing connections."
> If we connect to an HTTPS site which is not blocked by the proxy server OR use
> a self-signed issuer CA, all works fine.
>
> Expected Results:
> Display the proxy server error page with deny info.

This is intentional Firefox behavior since a long time ago:
https://bugzilla.mozilla.org/show_bug.cgi?id=493699

Even if this bug is outdated, it is the browser's business how to render error
pages, not Squid's fault.
You may try to redirect (instead of blocking) your blocked page to your
custom page that looks exactly like Squid's internal error page, but
then you will see the browser's SSL security warning, since the page you
requested was SSL and your error page is not - the same goes for
internal error pages.
Proxy error pages are nowadays usually replaced by browsers for
security reasons in the case of SSL pages.

If your custom page pretending to be Squid's internal one were SSL with a
valid cert, my guess is your problem is solved.

--
Greets, Dijx
chcs
2017-05-18 17:40:40 UTC
One more question:
With 2 different CA certificates to block twitter.com >> different results

Issuer: self-signed 0 10.0.0.100 TAG_NONE/403 4709 GET
https://www.twitter.com/ - HIER_NONE/- text/html
Result: no problem, it shows me the squid custom error page

Issuer: Let's Encrypt 0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
www.twitter.com:443 - HIER_NONE/- text/html
Result: It doesn't show me the squid custom error page

Why?



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-custom-error-page-tp4682433p4682470.html
Sent from the Squid - Users mailing list archive at Nabble.com.
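The two access.log lines quoted above, and the CONNECT behaviour Amos describes earlier in the thread, can be checked mechanically. The following Python is an added example, not code from the thread or from Squid: it parses Squid's native access.log format and labels each denied request by where the denial happened, which is what decides whether the custom error page can ever reach the user. The log text inside it is constructed (the timestamps, the 10.0.0.101 and 10.0.0.102 clients, the example.test line and the 511 line are made up; the two www.twitter.com lines mirror the ones quoted above), and the function names are my own.

```python
from dataclasses import dataclass

# Constructed sample lines in Squid's native access.log format:
#   timestamp elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1495129200.123      0 10.0.0.100 TAG_NONE/403 4709 GET https://www.twitter.com/ - HIER_NONE/- text/html
1495129260.456      0 10.0.0.100 TCP_DENIED/403 4714 CONNECT www.twitter.com:443 - HIER_NONE/- text/html
1495129300.789    210 10.0.0.101 TCP_MISS/200 5120 GET http://example.test/ - HIER_DIRECT/203.0.113.5 text/html
1495129360.001      0 10.0.0.102 TCP_DENIED/511 4800 CONNECT www.twitter.com:443 - HIER_NONE/- text/html
"""


@dataclass
class Entry:
    timestamp: float
    elapsed_ms: int
    client: str
    result_code: str   # TCP_DENIED, TAG_NONE, TCP_MISS, ...
    status: int        # HTTP status Squid returned to the client
    size: int
    method: str
    url: str
    user: str
    hierarchy: str
    content_type: str


def parse_line(line):
    """Parse one native-format access.log line into an Entry (10 whitespace-separated fields)."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    result_code, status = fields[3].split("/", 1)
    return Entry(
        timestamp=float(fields[0]),
        elapsed_ms=int(fields[1]),
        client=fields[2],
        result_code=result_code,
        status=int(status),
        size=int(fields[4]),
        method=fields[5],
        url=fields[6],
        user=fields[7],
        hierarchy=fields[8],
        content_type=fields[9],
    )


def classify(entry):
    """Say whether a denial's error page could be rendered by the browser.

    - Denied CONNECT: the error body answers the tunnel request itself, and browsers
      discard it, showing their own generic "proxy refused connection" page instead
      (a 511 instead of 403 changes only which generic page the browser picks).
    - Denied GET with an https:// URL: Squid can only see that URL after decrypting
      the tunnel (bump), so the error page travels inside TLS signed by the proxy CA
      and is displayed when the client trusts that CA.
    """
    if entry.result_code != "TCP_DENIED" and entry.status not in (403, 511):
        return "allowed"
    if entry.method == "CONNECT":
        return "denied-at-connect"          # body discarded by the browser
    if entry.url.startswith("https://"):
        return "denied-inside-bumped-tls"   # custom page visible to the user
    return "denied-plain-http"


def summarize(log_text):
    """Return {classification: count} over every non-empty line of the log text."""
    counts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        label = classify(parse_line(line))
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        print(f"{e.client:12} {e.method:8} {e.result_code}/{e.status:<4} -> {classify(e)}")
    print(summarize(SAMPLE_LOG))
```

Run against a real access.log (replace SAMPLE_LOG with the file contents), a large "denied-at-connect" count tells you how many users saw only the browser's generic page rather than your deny_info page; "denied-inside-bumped-tls" entries are the ones where the custom page was actually delivered.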
Walter H.
2017-05-18 18:12:46 UTC
On 18.05.2017 19:40, chcs wrote:
> One more question:
> With 2 different CA certificates to block twitter.com >> different results
>
> Issuer: self-signed 0 10.0.0.100 TAG_NONE/403 4709 GET
> https://www.twitter.com/ - HIER_NONE/- text/html
> Result: no problem, it shows me the squid custom error page
>
> Issuer: Let's Encrypt 0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
> www.twitter.com:443 - HIER_NONE/- text/html
> Result: It doesn't show me the squid custom error page
>
> Why?
and what is the end entity certificate where the issuer is Let's Encrypt?
(this might be the reason)
Alex Rousskov
2017-05-18 18:42:15 UTC
On 05/18/2017 11:40 AM, chcs wrote:

> HTTPS/SSL Interception, Enable SSL filtering, splice all, CA: Let's Encrypt authority

> One more question:
> With 2 different CA certificates to block twitter.com >> different results
>
> Issuer: self-signed 0 10.0.0.100 TAG_NONE/403 4709 GET
> https://www.twitter.com/ - HIER_NONE/- text/html
> Result: no problem, it shows me the squid custom error page
>
> Issuer: Let's Encrypt 0 10.0.0.100 TCP_DENIED/403 4714 CONNECT
> www.twitter.com:443 - HIER_NONE/- text/html
> Result: It doesn't show me the squid custom error page

Let's Encrypt does not issue CA certificates. You need a CA certificate
for an SslBump setup to work for more than one site. Let's Encrypt also
does not issue leaf certificates for www.twitter.com unless you control
www.twitter.com.

When you generated a self-signed certificate, you probably generated a
CA certificate. If you did not, then you will encounter problems if you
try to import that certificate in browsers/clients that require CA
certificates. See the OpenSSL command below for one way to check what
you have generated.

CA certificates have an x509 "Basic Constraints" extension with a
CA:TRUE constraint. For example:

> $ openssl x509 -in CA-priv+pub.pem -text -noout | fgrep -A 1 'Basic'
> X509v3 Basic Constraints:
> CA:TRUE

HTH,

Alex.