[SOLVED] Squid custom error pages

4Paul4 · 06-19-2012, 11:39 PM

I am trying to setup a customer error page for our squid reverse proxy.
We have IP-Whitelisted some of our websites allowing potential customers to 'request a demo' after which their IP addresses will be added to the whitelist.
Case 1:
A customer visits our website (http://demo.oursite.com) without being in the whitelist
Result:

Code:

The following error was encountered while trying to retrieve the URL: http://demo.oursite.com
Unable to forward this request at this time.
This request could not be forwarded to the origin server or to any parent caches.... etc
(squid/3.0.STABLE26)

Case2:
Customer tries to access the following (https://demo.oursite.com)
Result:
Site does not load for them at all. Website unavailable message generated by their browser.

Rather than seeing these results, we would like them to see our custom html file telling them to request a demo.
I have tried editing the error message in the file on the sever, restarting squid but it still displays the same old message.

Tail of /var/logs/cache.log:

Code:

Every 2.0s: tail /var/logs/cache.log                                                                                                  Wed Jun 20 04:22:37 2012

Y29t
-----END SSL SESSION PARAMETERS-----
2012/06/20 04:22:33| Failed to select source for 'http://demo.oursite.com/'
2012/06/20 04:22:33|   always_direct = 0
2012/06/20 04:22:33|    never_direct = 0
2012/06/20 04:22:33|        timedout = 0
2012/06/20 04:22:34| Failed to select source for 'http://demo.oursite.com/favicon.ico'
2012/06/20 04:22:34|   always_direct = 0
2012/06/20 04:22:34|    never_direct = 0
2012/06/20 04:22:34|        timedout = 0

Two Questions:

1) I would like the same effect whether they connect through HTTPS or HTTP. Why is it not connecting at all via HTTPS and showing the error message via HTTP?

2) Other than edit the error message file, what else must I do to get the customer error message displayed?

squid.conf

Code:

#ACLS and Debug options
debug_options ALL,1 33,2 28, 9
acl publicall src 0.0.0.0/0
acl darwinsrc 1x.xx.xx.xx
acl geelong src 2x.xx.xx.xx

#SSL Setup
visible_hostname oursite.com
http_port 80 accel vhost
https_port 443 accel cert=/usr/newrprgate/CertAuth/cert.cert key=/usr/newrprgate/CertAuth/key.pem vhost defaultsite=www.oursite.com
forwarded_for on

#Demo Site
cache_peer demo.oursite.com parent 443 0 no-query originserver ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=demo
acl sites_demo dstdomain demo.oursite.com
cache_peer_access demo allow sites_demo darwin
cache_peer_access demo allow sites_demo geelong
cache_peer_access demo deny publicall
acl https proto https

<Other Sites Omitted>

acl https proto https
http_access allow all


access_log /var/log/squid/access.log
cache_mgr support@oursite.com

bathory · 06-20-2012, 12:03 PM

Quote:

Two Questions:

1) I would like the same effect whether they connect through HTTPS or HTTP. Why is it not connecting at all via HTTPS and showing the error message via HTTP?

2) Other than edit the error message file, what else must I do to get the customer error message displayed?

1. I'm not familiar with squid reverse proxy setup for a SSL backend, but from the documentation, looks like you need to use the same name in cache_peer_access as the one defined in cache_peer (that is "demo" in your case). So you should have:

Code:

cache_peer_access demo allow sites_demo darwin
cache_peer_access demo allow sites_demo geelong
cache_peer_access demo deny publicall

2. Have a look at the deny_info directive

Regards

4Paul4 · 06-21-2012, 02:00 AM

Quote:

Originally Posted by bathory

1. I'm not familiar with squid reverse proxy setup for a SSL backend, but from the documentation, looks like you need to use the same name in cache_peer_access as the one defined in cache_peer (that is "demo" in your case). So you should have:

2. Have a look at the deny_info directive

Regards

Hi bathory,

Sorry, that was a typo. They are all indeed demo.
I've got it sorted anyway, I just edited templates/ERR_CANNOT_FORWARD to contain the custom error message.

This works fine for http connections. Now all I need is to get https://demo.example.com to redirect to the error page instead of just timing out which it does now.

So right now, everything within the whitelist is working as expected. For everyone else, HTTP:// connections redirect to our custom error page as expected but HTTPS:// connections time out.

What do I have to change to make https connections forward to the error page also?
Is there something like https_access allow all?

Cheers

bathory · 06-21-2012, 03:24 AM

Quote:

This works fine for http connections. Now all I need is to get https://demo.example.com to redirect to the error page instead of just timing out which it does now.

Timeout means that squid cannot access the backend server through the specific port.
Anyway in this case, I guess you can change the ERR_CONNECT_FAIL page to your likings

Regards

4Paul4 · 06-21-2012, 07:03 PM

Quote:

Originally Posted by bathory

Timeout means that squid cannot access the backend server through the specific port.
Anyway in this case, I guess you can change the ERR_CONNECT_FAIL page to your likings

Regards

The thing is, there is no error message showing up at all for https. I am not seeing the ERR_CONNECT_FAIL message, the page just keeps loading until I see the web browser's builtin 'cannot connect' message.

Also, within the white-listed IP addresses, clients are able to connect via HTTPS perfectly.

If I attempt to connect via http outside of the whitelist, I get the custom error page and the following appears in the /var/logs/cache.log:

Code:

2012/06/22 00:04:49| Failed to select source for 'http://demo.example.com/'
2012/06/22 00:04:49|   always_direct = 0
2012/06/22 00:04:49|    never_direct = 0
2012/06/22 00:04:49|        timedout = 0

But if I try to connect via HTTPS, nothing appears at all.

EDIT:

I found the problem. After re-reading my post, I decided to nmap the server and found only port 80 visible. It turns out i had a firewall-like system blocking it. All working fine now.

Thanks for the reply.