Project

General

Profile

Actions

Bug #6774

closed

al usar la categoria in-addr en squidguard bloquea cualquier web en https

Added by Albert Albert over 8 years ago. Updated over 8 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Squid
Target version:
-
Start date:
09/07/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
amd64

Description

al tener el proxy en modo transparente usando tanto pfsense 2.3.2 y 2.3.3, e inspeccionando trafico ssl, si se activa la casilla "Do not allow IP-Addresses in URL ()" en squidguard, cualquier web https que se quiera visitar se vuelve inaccesible, el mensaje que arroja squid es:

"Unable to determine the ip address from host name http"

Los logs que arroja squidguard son:

05.09.2016 21:22:02 Request(default/in-addr/-) 189.247.145.104:443 10.0.0.5/10.0.0.5
05.09.2016 21:22:02 Request(default/in-addr/-) 189.247.145.104:443 10.0.0.5/10.0.0.5
05.09.2016 21:22:02 Request(default/in-addr/-) 189.247.145.104:443 10.0.0.5/10.0.0.5

en lugar de ver el dominio google.com, se ve la ip y entra en la categoria in-addr, el proxy no sabe interpretar los mensajes.
Esto solo sucede al activar dicha casilla, desactivandola, todo funciona bien.

Actions #1

Updated by Albert Albert over 8 years ago

Sorry for my english.

If I want to enable the next option in common acl, squidguard block all traffic from https

Do not allow IP-Addresses in URL ()
To make sure that people do not bypass the URL filter by simply using the IP-Addresses instead of the FQDN you can check this option. This option has no effect on the whitelist.

When I want to enter to https://www.google.com I saw that squidguard is blocking the request by the rule !in-addr but this rule should apply only with ip addresses not on domains

The output log from squidguard is:

05.09.2016 21:22:02 Request(default/in-addr/-) 189.247.145.104:443 10.0.0.5/10.0.0.5
05.09.2016 21:22:02 Request(default/in-addr/-) 189.247.145.104:443 10.0.0.5/10.0.0.5
05.09.2016 21:22:02 Request(default/in-addr/-) 189.247.145.104:443 10.0.0.5/10.0.0.5

The next error appear when I write https://www.google.com in the browser

"Unable to determine the ip address from host name http"

This message is from squid, only appear when the rule !in-addr in squidguard is applied

The proxy is set in transparent mode with ssl inspection.

Actions #2

Updated by Jim Pingle over 8 years ago

  • Status changed from New to Rejected
  • Affected Version deleted (2.3.2)

You'll have to post on the forum and find someone who is interested in looking into transparent SSL -- it isn't an officially supported feature.

The information available to squid/squidGuard is not always what you'd expect in such cases, it varies widely depending on how the client connects, whether or not you're using SSL bumping, and so on. Most likely it's either a configuration issue or a limitation of your configuration and not a bug to be fixed.

Actions

Also available in: Atom PDF