Hello,

I wanted to block a particular website based on the CONNECT request
because I am not bumping (decrypting) the site. But now I have
realised that if I do not bump the site then there is no way I can
paint a custom message on the browser.

So, can somebody suggest whether there is a way to pass a flag to squid
from the ecap adapter to decrypt a site regardless of what the ACL says? For
example, if I have an acl as below which says do not decrypt
www.888.com, but if my ecap adapter could pass a message to squid
asking it to decrypt www.888.com (for that session only) and ignore
the below acl.
Is it possible?

acl no_ssl_interception dstdomain .888.com
ssl_bump none no_ssl_interception
ssl_bump client-first all

Thanks,
Jatin


On Fri, Aug 22, 2014 at 9:59 AM, Jatin Bhasin <jbhasi...@gmail.com> wrote:
> Hello,
>
> Yes, that is the same scenario that I have been experiencing, but when
> I call the function (x->blockVirgin()) from my ecap adapter then
> squid does print the "access denied page" which is one of my squid
> error pages. So as I see it, squid does complete the SSL handshake
> and then paints the "access denied page" which works fine.
>
>
>
> But if I try to paint a custom message then squid does not complete
> the handshake and just continues to paint the blockpage which then is
> rejected by the browser (as browser is expecting a proper handshake
> before receiving any response data).
>
> Maybe this is a bug in squid or I am not doing it right, but it would
> be great if somebody can suggest if I am doing something wrong.
>
>
> Thanks,
> Jatin
>
> On Thu, Aug 21, 2014 at 9:35 PM, Rafael Akchurin
> <rafael.akchu...@diladele.com> wrote:
>> Hello Jatin,
>>
>> Maybe this (for ICAP not for eCap) describes your issue -
>> http://docs.diladele.com/faq/squid.html#why-i-see-cannot-connect-to-site-using-https-browser-message-instead-of-usual-site-is-blocked
>>
>> Raf
>> ________________________________________
>> From: Jatin Bhasin <jbhasi...@gmail.com>
>> Sent: Thursday, August 21, 2014 12:47 PM
>> To: squid-users@squid-cache.org
>> Subject: [squid-users] blockVirgin Works for CONNECT but Custom Response 
>> does not work
>>
>> When I see a CONNECT request in my eCap adapter then if I call
>> function blockVirgin then I see a squid ACCESS DENIED page which is
>> good.
>>
>> But if, instead of calling blockVirgin, I generate a CUSTOM response
>> message saying "YOU ARE NOT AUTHORISED TO VIEW THIS PAGE" and then build
>> the response based on FAQ https://answers.launchpad.net/ecap/+faq/2516
>> then it fails.
>>
>> Although the same code (request satisfaction) works if I build a
>> custom response for a GET request.
>>
>> Please suggest how I can achieve a CUSTOM response for a CONNECT.
