[squid-users] never_direct + https site access problem in sandwich setup!!!

2008-07-10 Thread Shiva Raman
Hi all
  I am running a squid1->DG->squid2 sandwich setup and I am facing
the following problem.
When I give "never_direct allow all" in squid1.conf, I am not able to
access any https sites.
Without the above configuration line, all users can access https
sites and even sites denied in the content filter. For example, suppose
http://www.redhat.com is a banned site in the content filter; I am able to
access https://www.redhat.com, which bypasses the content filter and
is served by squid2.

  My requirement is to allow all https traffic through this setup, but
the requests should flow through the content filter and then to squid2
for serving. Is it possible to tell squid1 to pass the https traffic
to the content filter and then to squid2?


The Ports used here are 3128->8080->8081 .

Following is the configuration of my squid1.conf

http_port 3128
cache_peer 127.0.0.1 parent 8080 0 no-query proxy-only default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
##Changed for user authentication
auth_param basic program /usr/lib/squid/pam_auth
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl all_dst dst 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
## Change for deny caching
never_direct allow all
no_cache deny all
cache_access_log /var/log/squid/access.log
visible_hostname 192.168.10.175
acl students src 192.168.10.2-192.168.10.25
acl ttt src 192.168.10.25-192.168.10.254
acl test dstdom_regex .yahoo.com .google.* .org
acl test1 dstdom_regex .sun.*  .oracle.*
acl test2 dstdom_regex .rediff.*
acl time1 time 00:00-23:00
acl time2 time 09:00-23:00
acl lpdf urlpath_regex pdf$ mp3$ gif$ gz$
acl ljob url_regex -i ^http://*job*
acl usr1 proxy_auth user3 user1
http_access allow students usr1
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Squid2.conf
---
http_port 8081
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.0/24 192.168.1.0/24
http_access allow Safe_ports
http_access allow SSL_ports
http_access allow our_networks
http_access allow  localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
visible_hostname 192.168.10.175
coredump_dir /usr/local/squid/var/cache


Thanks for any help

Regards

Shiva Raman
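An added check for the situation described above (example code, not from the thread or from Squid): it reads squid1's access.log in the native format shown later in this thread and reports every CONNECT tunnel that squid1 forwarded on its own instead of handing to the 127.0.0.1 parent, which is exactly the traffic that went around the content filter. The sample log lines are constructed, and the parent address is taken from the posted squid1.conf.

```python
import re

# Native Squid access.log format, as seen in this thread:
# timestamp elapsed client result/status bytes method url ident hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d{3})\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$")

PARENT_HOST = "127.0.0.1"  # the cache_peer squid1 is supposed to use (from the posted squid1.conf)

def parse(line):
    """Split one access.log line into its fields, or return None if it does not parse."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def audit(lines, parent=PARENT_HOST):
    """Return (client, url, route) for every CONNECT that squid1 forwarded itself
    instead of handing it to the parent: those tunnels went around the content filter.
    Entries with hierarchy NONE were never forwarded (denied or failed) and are skipped."""
    bypassed = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "CONNECT" or rec["hier"] == "NONE":
            continue
        via_parent = rec["hier"].endswith("PARENT") and rec["peer"] == parent
        if not via_parent:
            bypassed.append((rec["client"], rec["url"], rec["hier"] + "/" + rec["peer"]))
    return bypassed

# Constructed sample lines (not real traffic): one tunnel sent DIRECT, one via the
# parent, one denied outright, and one plain GET via the parent.
SAMPLE_LOG = """\
1215164529.907    641 192.168.10.12 TCP_MISS/200 39 CONNECT www.redhat.com:443 - DIRECT/203.0.113.10 -
1215164530.120    312 192.168.10.12 TCP_MISS/200 4120 CONNECT www.redhat.com:443 user1 DEFAULT_PARENT/127.0.0.1 -
1215164531.004     18 192.168.10.14 TCP_DENIED/403 1450 CONNECT www.redhat.com:443 - NONE/- text/html
1215164531.550     77 192.168.10.14 TCP_MISS/200 5120 GET http://www.redhat.com/ user3 DEFAULT_PARENT/127.0.0.1 text/html
"""

if __name__ == "__main__":
    for client, url, route in audit(SAMPLE_LOG.splitlines()):
        print(f"filter bypassed: {client} -> {url} via {route}")
```

Run it against squid1's real access.log (one line per list entry) to confirm that, once never_direct is in place, the list comes back empty.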


Re: [squid-users] https site access problem!!!

2008-07-08 Thread Shiva Raman
Thanks for the reply.

The problem has been resolved. It was indeed a problem outside
squid. The problem was with the redirector_program in validating the
SSL site.

Regards

Shiva Raman

On 7/4/08, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On fre, 2008-07-04 at 17:33 +0530, Shiva Raman wrote:
>> Thanks for the reply. Following are the logs generated while trying to
>> access secure.icicidirect.com
>>
>>
>> [EMAIL PROTECTED] logs]# tail -f access.log |grep secure.icicidirect.com
>> 1215164529.907 641 10.1.3.37 TCP_MISS/200 39 CONNECT
>> secure.icicidirect.com:443 - DIRECT/203.27.235.22 -
>> 1215164529.943 31 10.1.3.37 TCP_MISS/200 39 CONNECT
>> secure.icicidirect.com:443 - DIRECT/203.27.235.22 -
>
> Which matches your openssl results. Squid succeeded in connecting, but
> the connection was closed after only a couple of bytes had been
> exchanged.
>
> I think the evidence is pretty hard that the problem is somewhere
> outside Squid.
>
> - Firewall
> - Server maybe have blacklisted your server IP
> - Other networking issue
> - Some device trying to intercept port 443.
>
> Regards
> Henrik
>


Re: [squid-users] https site access problem!!!

2008-07-04 Thread Shiva Raman
Thanks for the reply. Following are the logs generated while trying to
access secure.icicidirect.com


[EMAIL PROTECTED] logs]# tail -f access.log |grep secure.icicidirect.com
1215164529.907 641 10.1.3.37 TCP_MISS/200 39 CONNECT
secure.icicidirect.com:443 - DIRECT/203.27.235.22 -
1215164529.943 31 10.1.3.37 TCP_MISS/200 39 CONNECT
secure.icicidirect.com:443 - DIRECT/203.27.235.22 -

Regds

Shiva Raman

On 7/4/08, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:
> On fre, 2008-07-04 at 09:56 +0530, Shiva Raman wrote:
>
>> I am not able to open all ssl websites through this squid, but I am able to
>> access
>> a few ssl sites through it using the lynx command line browser.
>
> What's said in access.log?
>
>> When I try to access the above webserver through the squid proxy, it
>> is unable to open
>> the website. When I try the links, it shows only "SSL ERROR".
>
> Works for me..
>
>> I tried to check the openssl connectivity from the command prompt and get the
>> following error.
>>
>> [EMAIL PROTECTED] openssl s_client -connect
>> secure.icicidirect.com:443 -showcerts
>
> That too works for me..
>
> Regards
> Henrik
>


[squid-users] https site access problem!!!

2008-07-03 Thread Shiva Raman
Dear All

I have a squidICAP installation running with the following squid.conf

-
http_port 80
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
cache_dir ufs /usr/local/squidICAP/var/cache 500 16 256
cache_access_log /usr/local/squidICAP/var/logs/access.log
cache_log /usr/local/squidICAP/var/logs/cache.log
cache_store_log /usr/local/squidICAP/var/logs/store.log
redirect_program /opt/Websense/bin/WsRedtor
redirect_children 30
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl squidICAP dstdomain "/usr/local/squidICAP/bad_domains"
header_access Accept-Encoding deny squidICAP
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_Ports port 81 # non-standard port
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl GET method GET
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
visible_hostname squidproxy
coredump_dir /usr/local/squidICAP/var/cache
redirector_bypass off

I am not able to open all ssl websites through this squid, but I am able to access
a few ssl sites through it using the lynx command line browser.

Following is one of the sites tested: https://secure.icicidirect.com

I am not sure whether it is a squid or linux ssl issue.

When I try to access the above webserver through the squid proxy, it
is unable to open the website. When I try the links, it shows only "SSL ERROR".

I tried to check the openssl connectivity from the command prompt and get the
following error.

[EMAIL PROTECTED] openssl s_client -connect
secure.icicidirect.com:443 -showcerts

CONNECTED(0003)
write:errno=104


Any suggestions / workarounds for this problem, please let me know.

Regards

Shiva Raman


[squid-users] Problem in allowing only selected https sites and denying all others !!!

2008-05-13 Thread Shiva Raman
Hi

I am using CentOS 5, Squid Cache: Version 2.6.STABLE6, and
my local LAN network is 192.168.10.0/24. More than 150 users
are concurrently accessing the squid proxy server.

Following is my requirement:

1) Access to all http sites
2) Access to only selected https sites like redhat.com, paypal.com,
and all other https sites should be denied.

Following is my squid.conf



http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports  port 443  # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.10.0/24 192.168.20.0/24
acl myhttps dstdomain .redhat.com
http_access allow our_networks
http_access deny our_networks SSL_ports !myhttps
http_access deny our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myoffice
coredump_dir /var/spool/squid


--


From the above configuration, the problem I am facing here is that all
the https sites are accessible to the users,
even though I have allowed only 'myhttps'. Is it possible to block
specific https sites as per my requirement?

Also, is it necessary to define port 443 in both SSL_ports as well as
Safe_ports?
When I remove 443 from Safe_ports, I am not able to access any https sites.



Thanks for any help

Regards

Shiva Raman
SysAdmin
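To see why the posted order lets every https site through, here is an added simulation of Squid's first-match http_access evaluation (example code, not from the thread or from Squid). It reuses the ACL names and values from the squid.conf above and models only the src, port, method and dstdomain ACL types; the `CONNECT !myhttps` line in the reordered rule set is the assumed fix, placed ahead of the general LAN allow.

```python
import ipaddress
from collections import namedtuple
Request = namedtuple("Request", "src method host port")  # client, method, dest host, dest port
# ACLs from the posted squid.conf; "port" values are (low, high) ranges.
ACLS = {
    "all":          ("src", ["0.0.0.0/0"]),
    "our_networks": ("src", ["192.168.10.0/24", "192.168.20.0/24"]),
    "SSL_ports":    ("port", [(443, 443)]),
    "Safe_ports":   ("port", [(443, 443), (80, 80), (21, 21), (1025, 65535)]),
    "CONNECT":      ("method", ["CONNECT"]),
    "myhttps":      ("dstdomain", [".redhat.com"]),
}

def acl_matches(name, req, acls):
    kind, values = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(req.src) in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req.port <= hi for lo, hi in values)
    if kind == "method":
        return req.method in values
    # dstdomain: ".redhat.com" matches redhat.com itself and every subdomain
    return any(req.host == v[1:] or req.host.endswith(v) for v in values)

def evaluate(rules, req, acls=ACLS):
    """First matching line wins; all terms on a line must match; '!' negates a term.
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req, acls) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# http_access lines in the order posted: the LAN allow on line 3 matches every
# request from 192.168.10.0/24, so the HTTPS deny on line 4 is never reached.
RULES_AS_POSTED = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["our_networks"]),
    ("deny",  ["our_networks", "SSL_ports", "!myhttps"]),
    ("deny",  ["our_networks"]),
    ("deny",  ["all"]),
]
# Same ACLs with the HTTPS restriction placed ahead of the general LAN allow.
RULES_REORDERED = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["CONNECT", "!myhttps"]),
    ("allow", ["our_networks"]),
    ("deny",  ["all"]),
]
```

Passing evaluate() a Safe_ports ACL without 443 answers the second question as well: `http_access deny !Safe_ports` then rejects every CONNECT to port 443 before any later line is consulted, so 443 has to stay in Safe_ports and SSL_ports both.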