[squid-users] never_direct + https site access problem in sandwich setup!!!
Hi all,

I am running a squid1->DG->squid2 sandwich setup and I am facing the following problem. When I give "never_direct allow all" in squid1.conf, I am not able to access any https sites. Without the above configuration line, all users can access https sites, and even sites denied in the content filter. For eg: suppose http://www.redhat.com is a banned site in the content filter; I am able to access https://www.redhat.com, which bypasses the content filter and is served by squid2.

My requirement is to allow all https traffic through this setup, but the requests should flow through the content filter and then to squid2 for serving. Is it possible to tell squid1 to pass the https traffic to the content filter and then to squid2? The ports used here are 3128->8080->8081.

Following is the configuration of my squid1.conf:

http_port 3128
cache_peer 127.0.0.1 parent 8080 0 no-query proxy-only default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
## Changed for user authentication
auth_param basic program /usr/lib/squid/pam_auth
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
## Change for deny caching
never_direct allow all
no_cache deny all
cache_access_log /var/log/squid/access.log
visible_hostname 192.168.10.175
acl students src 192.168.10.2-192.168.10.25
acl ttt src 192.168.10.25-192.168.10.254
acl test dstdom_regex .yahoo.com .google.* .org
acl test1 dstdom_regex .sun.* .oracle.*
acl test2 dstdom_regex .rediff.*
acl time1 time 00:00-23:00
acl time2 time 09:00-23:00
acl lpdf urlpath_regex pdf$ mp3$ gif$ gz$
acl ljob url_regex -i ^http://*job*
acl usr1 proxy_auth user3 user1
http_access allow students usr1
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Squid2.conf ---

http_port 8081
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/24 192.168.1.0/24
http_access allow Safe_ports
http_access allow SSL_ports
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname 192.168.10.175
coredump_dir /usr/local/squid/var/cache

Thanks for any help.

Regards
Shiva Raman
Re: [squid-users] https site access problem!!!
Thanks for the reply. The problem has been resolved. It was indeed a problem outside Squid: the problem was with the redirector_program in validating the SSL site.

Regards
Shiva Raman

On 7/4/08, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On Fri, 2008-07-04 at 17:33 +0530, Shiva Raman wrote:
>> Thanks for the reply. Following are the logs generated while trying to
>> access secure.icicidirect.com
>>
>> [EMAIL PROTECTED] logs]# tail -f access.log |grep secure.icicidirect.com
>> 1215164529.907    641 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -
>> 1215164529.943     31 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -
>
> Which matches your openssl results. Squid succeeded in connecting, but
> the connection was closed after only a couple of bytes had been
> exchanged.
>
> I think the evidence is pretty hard that the problem is somewhere
> outside Squid.
>
> - Firewall
> - Server maybe has blacklisted your server IP
> - Other networking issue
> - Some device trying to intercept port 443.
>
> Regards
> Henrik
Re: [squid-users] https site access problem!!!
Thanks for the reply. Following are the logs generated while trying to access secure.icicidirect.com:

[EMAIL PROTECTED] logs]# tail -f access.log |grep secure.icicidirect.com
1215164529.907    641 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -
1215164529.943     31 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -

Regards
Shiva Raman

On 7/4/08, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On Fri, 2008-07-04 at 09:56 +0530, Shiva Raman wrote:
>
>> I am not able to open all SSL websites through this Squid, but am able to
>> access a few SSL sites through it using the lynx command line browser.
>
> What's said in access.log?
>
>> When I try to access the above webserver through the Squid proxy, it
>> is unable to open the website. When I try with links it shows only "SSL ERROR".
>
> Works for me..
>
>> I tried to check the openssl connectivity from the command prompt and get the
>> following error.
>>
>> [EMAIL PROTECTED] openssl s_client -connect
>> secure.icicidirect.com:443 -showcerts
>
> That too works for me..
>
> Regards
> Henrik
[squid-users] https site access problem!!!
Dear All,

I have a squidICAP installation running with the following squid.conf:

http_port 80
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
cache_dir ufs /usr/local/squidICAP/var/cache 500 16 256
cache_access_log /usr/local/squidICAP/var/logs/access.log
cache_log /usr/local/squidICAP/var/logs/cache.log
cache_store_log /usr/local/squidICAP/var/logs/store.log
redirect_program /opt/Websense/bin/WsRedtor
redirect_children 30
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl squidICAP dstdomain "/usr/local/squidICAP/bad_domains"
header_access Accept-Encoding deny squidICAP
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_Ports port 81          # non standard port
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl GET method GET
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
visible_hostname squidproxy
coredump_dir /usr/local/squidICAP/var/cache
redirector_bypass off

I am not able to open all SSL websites through this Squid, but am able to access a few SSL sites through it using the lynx command line browser. Following is one of the sites tested: https://secure.icicidirect.com

I am not sure whether it is a Squid or a Linux SSL issue. When I try to access the above webserver through the Squid proxy, it is unable to open the website. When I try with links it shows only "SSL ERROR". I tried to check the openssl connectivity from the command prompt and get the following error:

[EMAIL PROTECTED] openssl s_client -connect secure.icicidirect.com:443 -showcerts
CONNECTED(0003)
write:errno=104

Any suggestions / workarounds for this problem, please let me know.

Regards
Shiva Raman
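Henrik's reading of the two access.log lines in this thread (a 200 CONNECT of only 39 bytes means the tunnel was opened and then closed before any TLS data passed) can be turned into a check that runs over a whole log. The following is an added example, not code from the posts or from Squid: it parses Squid's native access.log format and flags every CONNECT whose logged size is no larger than Squid 2.x's own "HTTP/1.0 200 Connection established" reply, i.e. tunnels through which nothing came back from the far end. The two thread lines are embedded as sample input; the third, healthy line is constructed for contrast, and the assumption that the logged size counts bytes written to the client is stated in the code.

```python
"""Flag CONNECT tunnels in Squid native access.log lines that relayed nothing.
Added example for the secure.icicidirect.com thread; not code from the posts
or from Squid."""
import re

# Squid 2.x opens a tunnel by sending the client exactly this reply (39 bytes).
# Assumption: the logged size is bytes written to the client, so a CONNECT
# entry of <= 39 bytes delivered this reply and nothing from the origin.
TUNNEL_OK = b"HTTP/1.0 200 Connection established\r\n\r\n"

# native format: time elapsed client code/status bytes method url user hier/from type
NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$")


def parse_line(line):
    """Dict of the native-format fields, numeric ones converted."""
    m = NATIVE.match(line.strip())
    if not m:
        raise ValueError(f"not a native-format line: {line!r}")
    entry = m.groupdict()
    for key in ("ms", "status", "bytes"):
        entry[key] = int(entry[key])
    return entry


def classify_connect(entry):
    """'empty-tunnel': client got only Squid's 200 reply, so the origin (or
    something in the path) closed before the TLS handshake moved any data;
    'tunnel': data was relayed; 'refused/NNN': Squid never opened the tunnel."""
    if entry["method"] != "CONNECT":
        return "not-connect"
    if entry["status"] != 200:
        return f"refused/{entry['status']}"
    return "empty-tunnel" if entry["bytes"] <= len(TUNNEL_OK) else "tunnel"


def suspicious_tunnels(lines):
    """(url, hier/peer, elapsed_ms) for every empty tunnel, in log order."""
    found = []
    for line in lines:
        entry = parse_line(line)
        if classify_connect(entry) == "empty-tunnel":
            found.append((entry["url"], f'{entry["hier"]}/{entry["peer"]}', entry["ms"]))
    return found


SAMPLE = [
    # the two lines posted in the thread
    "1215164529.907    641 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -",
    "1215164529.943     31 10.1.3.37 TCP_MISS/200 39 CONNECT secure.icicidirect.com:443 - DIRECT/203.27.235.22 -",
    # constructed healthy tunnel for contrast
    "1215164600.100   2310 10.1.3.37 TCP_MISS/200 18432 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -",
]

if __name__ == "__main__":
    for url, via, ms in suspicious_tunnels(SAMPLE):
        print(f"empty tunnel to {url} via {via} after {ms} ms")
```

A tunnel that shows up here with DIRECT as the peer and a sub-second elapsed time is, as in this thread, a reset from the far side rather than a Squid ACL problem; the same check on the openssl side is the `write:errno=104` (connection reset by peer) the original post quotes.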
[squid-users] Problem in allowing only selected https sites and denying all others !!!
Hi,

I am using CentOS 5, Squid Cache: Version 2.6.STABLE6, and my local LAN network is 192.168.10.0/24. More than 150 users are concurrently accessing the Squid proxy server. Following is my requirement:

1) Access to all http sites
2) Access to only selected https sites like redhat.com, paypal.com; all other https sites should be denied.

Following is my squid.conf:

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 443         # https
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.10.0/24 192.168.20.0/24
acl myhttps dstdomain .redhat.com
http_access allow our_networks
http_access deny our_networks SSL_ports !myhttps
http_access deny our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myoffice
coredump_dir /var/spool/squid

From the above configuration, the problem I am facing is that all the https sites are accessible to the users, even though I have allowed only 'myhttps'. Is it possible to block specific https sites as per my requirement? Also, is it necessary to define port 443 in both SSL_ports as well as Safe_ports? When I remove 443 from Safe_ports, I am not able to access any https sites.

Thanks for any help.

Regards
Shiva Raman
SysAdmin
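Both the sandwich post at the top of this page and the post directly above come down to how Squid walks an access list: the first `http_access` line whose ACLs all match decides, every ACL on a line is ANDed, and a `!` negates one ACL. In the config above, `http_access allow our_networks` matches every LAN request, including a CONNECT to port 443, before the `deny our_networks SSL_ports !myhttps` line is ever reached, which is why every https site gets through. Removing 443 from Safe_ports breaks https because `http_access deny !Safe_ports` runs first and CONNECT requests to 443 are destination-port requests like any other; SSL_ports only limits which ports CONNECT may reach, so 443 has to be in both. The example below is added here as an illustration and is not code from the posts or from Squid: it is a small evaluator of Squid's first-match semantics (modelling only the src, port, method and dstdomain ACL types these configs use), run against the posted rule order and against a corrected order that puts `http_access deny CONNECT !myhttps` in front of the blanket allow. The client address 192.168.10.50, the host www.example.com and the addition of .paypal.com to `myhttps` are assumptions. It also evaluates `never_direct` for a CONNECT, to show the routing difference the first post describes: with no `never_direct`, a CONNECT is non-hierarchical and goes DIRECT from squid1, skipping DG; with `never_direct allow all` it is handed to the parent on 8080, which then has to be able to relay CONNECT.

```python
"""Squid access-list semantics in miniature: the first line whose ACLs all
match decides, '!' negates an ACL, and a list that nothing matches falls back
to the opposite of its last line.  Added example for the first and third posts
on this page; not code from the posts or from Squid, and it models only the
ACL types those configs use (src, port, method, dstdomain)."""
import ipaddress
from collections import namedtuple

Request = namedtuple("Request", "src method host port")   # client IP, method, dest host, dest port


def parse_squid_conf(text):
    """acls: name -> (type, values); lists: directive -> [(action, [terms])]."""
    acls, lists = {}, {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()                # comments stripped
        if not words:
            continue
        if words[0] == "acl":
            name, acltype, values = words[1], words[2], words[3:]
            prev_type, prev_values = acls.get(name, (acltype, []))
            if prev_type != acltype:
                raise ValueError(f"acl {name} redefined with a different type")
            acls[name] = (acltype, prev_values + values)    # repeated names accumulate
        elif words[0].endswith("_access") or words[0] in ("never_direct", "always_direct"):
            lists.setdefault(words[0], []).append((words[1], words[2:]))
    return acls, lists


def acl_matches(acls, name, req):
    acltype, values = acls[name]
    if acltype == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "port":                                    # "443" or "1025-65535"
        def in_range(v):
            lo, _, hi = v.partition("-")
            return int(lo) <= req.port <= int(hi or lo)
        return any(in_range(v) for v in values)
    if acltype == "method":
        return req.method in values
    if acltype == "dstdomain":                               # ".x.com" also matches subdomains
        h = req.host.lower()
        return any(h == v.lstrip(".") or (v.startswith(".") and h.endswith(v)) for v in values)
    raise NotImplementedError(acltype)


def evaluate(acls, access_list, req):
    """'allow' or 'deny' for req under one access list (empty list: 'deny')."""
    for action, terms in access_list:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return ("deny" if access_list[-1][0] == "allow" else "allow") if access_list else "deny"


def http_access(conf_text, req):
    acls, lists = parse_squid_conf(conf_text)
    return evaluate(acls, lists.get("http_access", []), req)


def connect_route(conf_text, req):
    """Where a CONNECT tunnel is opened: 'DIRECT' to the origin or via the
    'PARENT' peer.  A CONNECT is never cached, so unless never_direct forces
    it to the parent Squid goes direct, which is the sandwich bypass of post 1."""
    acls, lists = parse_squid_conf(conf_text)
    if evaluate(acls, lists.get("always_direct", []), req) == "allow":
        return "DIRECT"
    return "PARENT" if evaluate(acls, lists.get("never_direct", []), req) == "allow" else "DIRECT"


# Rule order from the third post (ACLs condensed to the ones involved; .paypal.com
# added because the post names it as the second site to permit).
POSTED = """
acl SSL_ports port 443
acl Safe_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl our_networks src 192.168.10.0/24 192.168.20.0/24
acl myhttps dstdomain .redhat.com .paypal.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access deny our_networks SSL_ports !myhttps
http_access deny all
"""
# Same ACLs, with the https restriction moved in front of the blanket allow.
FIXED = POSTED.replace(
    "http_access allow our_networks\nhttp_access deny our_networks SSL_ports !myhttps\n",
    "http_access deny CONNECT !myhttps\nhttp_access allow our_networks\n")
# First post's squid1, reduced to the line that forces CONNECT through the parent.
SANDWICH = "acl all src 0.0.0.0/0.0.0.0\nnever_direct allow all\n"

LAN = "192.168.10.50"                                        # constructed client address
https_redhat = Request(LAN, "CONNECT", "www.redhat.com", 443)
https_other = Request(LAN, "CONNECT", "www.example.com", 443)   # hypothetical host
http_other = Request(LAN, "GET", "www.example.com", 80)

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, [http_access(conf, r) for r in (http_other, https_redhat, https_other)])
    print("443 removed from Safe_ports:",
          http_access(FIXED.replace("acl Safe_ports port 443\n", ""), https_redhat))
    print("CONNECT route without/with never_direct:",
          connect_route("", https_other), connect_route(SANDWICH, https_other))
```

In the real squid.conf the fix is the same two lines in that order, `http_access deny CONNECT !myhttps` before `http_access allow our_networks`, with `acl myhttps dstdomain .redhat.com .paypal.com`; `deny CONNECT` is the right test rather than `deny SSL_ports`, because a CONNECT to some other port that SSL_ports permits would otherwise slip past. The evaluator's `connect_route` covers only what `always_direct`/`never_direct` decide; Squid's full peer selection (hierarchy_stoplist, peer liveness, ICP) is deliberately not modelled.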