Thanks so much for that, Erich!  While I haven't yet delved into the FiErr
extension, I took a cursory look at it.  In the meantime, I found a great
extension for Pale Moon, URL Rewriter (
https://addons.palemoon.org/addon/url-rewriter/).  Using it, I can indeed
rewrite https requests to http.  Of course, that requires additional
rewrite rules to change the http back to https for whitelisted sites.  This
works absolutely beautifully, allowing the Squid proxy to return its custom
error page each time.

At least for sites it can't find.

For sites it *can* find, it ends up in a loop as it keeps trying to make an
http connection to servers that rewrite the request to https.

Despite resolv.conf only listing the localhost (127.0.0.53) as a
nameserver, and the hosts file only containing addresses for whitelisted
sites, *Pale Moon still finds all other valid sites*.  The same holds true
for Firefox even though its protective DNS settings are turned off.  At the
command line, the OS can't find anything but the whitelisted sites.

So what in the wide, wide world of sports is going on where software is
secretly doing its own thing as far as DNS goes, bypassing my security
attempts?  Apparently, friggin' Google saw fit at one point to ignore any
custom DNS and would look to its own quad-8 DNS to resolve any address that
failed normal resolution.  Paywall article here:
https://medium.com/cloud-security/google-chrome-dns-security-bypass-9a1e10e02114

Given my experience with being *unable to break* DNS in the browser, I
suspect that other browsers have followed suit.

So I took the shotgun approach and on the Squid proxy gateway, I blocked
*all* DNS *and* HTTPS traffic.  For the latter, I have pass rules to the
whitelisted sites.

Now it's Miller time (whew!)...

Thank you all for your helpful suggestions!

John Lolis
Coordinator of Computer Systems

100 Martine Avenue
White Plains, NY  10601
tel: 1.914.422.1497
fax: 1.914.422.1452

https://whiteplainslibrary.org/

*“I would rather have questions that can’t be answered than answers that
can’t be questioned.”*
— Richard Feynman, theoretical physicist and recipient of the Nobel Prize in Physics in 1965
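The gateway lockdown described above (drop all DNS and HTTPS leaving the kiosk network, pass only the whitelisted sites), written out as an added nftables example; this is not from the thread or from Squid. It assumes the kiosk LAN is routed through the gateway rather than only proxied, and the subnet, table name and whitelist file format are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Emits an nftables ruleset
# for a gateway that forwards traffic for a kiosk LAN:
#   - HTTPS (443) is allowed only to whitelisted destination addresses, which
#     also stops browser DNS-over-HTTPS to public resolvers such as 8.8.8.8;
#   - plain DNS (53) and DNS-over-TLS (853) never leave the kiosk LAN, so the
#     gateway hosts file is the only name source the kiosks can reach.
# KIOSK_NET is a constructed RFC 5737 example subnet; override via environment.
KIOSK_NET="${KIOSK_NET:-192.0.2.0/24}"

# gen_nft_rules WHITELIST_FILE
# WHITELIST_FILE holds one IPv4 address or CIDR per line; "#" starts a comment.
# An empty whitelist yields a ruleset with no HTTPS accept rule at all, rather
# than an invalid empty set, so "block everything" stays syntactically valid.
gen_nft_rules() {
    whitelist_file="$1"
    allowed=$(grep -v '^[[:space:]]*#' "$whitelist_file" \
              | grep -v '^[[:space:]]*$' | paste -sd, - | sed 's/,/, /g')
    printf 'table inet kiosk_egress {\n'
    if [ -n "$allowed" ]; then
        printf '    set allowed_sites {\n'
        printf '        type ipv4_addr\n        flags interval\n'
        printf '        elements = { %s }\n    }\n' "$allowed"
    fi
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0; policy accept;\n'
    if [ -n "$allowed" ]; then
        printf '        ip saddr %s ip daddr @allowed_sites tcp dport 443 accept\n' "$KIOSK_NET"
    fi
    printf '        ip saddr %s tcp dport 443 drop\n' "$KIOSK_NET"
    printf '        ip saddr %s udp dport 53 drop\n' "$KIOSK_NET"
    printf '        ip saddr %s tcp dport 53 drop\n' "$KIOSK_NET"
    printf '        ip saddr %s tcp dport 853 drop\n' "$KIOSK_NET"
    printf '    }\n}\n'
}

# Usage on the gateway (requires root):  gen_nft_rules whitelist.txt | nft -f -
```

The whitelist must hold IP addresses, not hostnames, since nft does not resolve names at load time; keep it in step with the gateway hosts file.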


On Wed, 27 Mar 2024 at 12:39, Hammer, Erich F <[log in to unmask]> wrote:

> John,
>
> I don't remember the details of what you were looking to do, nor do I know
> what options you have for your kiosk.  If you have the option to use the
> Pale Moon browser (https://www.palemoon.org/), then you might get what
> you want with the FiErr extension (
> https://realityripple.com/Software/XUL/Fierr/)
>
> Erich
>
>
> On Wednesday, March 27, 2024 at 11:24, John Lolis eloquently inscribed:
>
> > I thought I'd provide an update on my attempts at having a custom error
> > page returned at an OPAC.
> >
> > I started looking into hacking the error pages in Firefox itself
> > (thanks, Kaleb!), but due to code-signing requirements, it seemed like a
> > rabbit hole I'd want to avoid, at least for now (even though Easter is
> > upon us :-).  So I set up a Squid proxy server with the necessary
> > network restrictions and a custom error page as previously reported, and
> > I thought I nailed it until I found that this only works for HTTP
> > requests.  If it's HTTPS, the browser returns its own error.  This
> > behavior is apparently ubiquitous with all browsers according to what I
> > found.  Here's the most exhaustive posting I've found on the subject:
> > https://squid-users.squid-cache.narkive.com/527KMD5K/squid-custom-error-page
> >
> > I don't suppose there's an extension that forces HTTP instead of HTTPS.
> > So far I've found plenty that will rewrite a URL, but they only rewrite
> > the address portion, and not the protocol.