[squid-users] squid https

2008-09-01 Thread İsmail ÖZATAY

Hi,

I have been trying to redirect https traffic to squid for days. 2 weeks ago I 
sent a post to this group and tried some of the advice but could not fix my 
problem. If I use the server ip and squid port with any browser ( without 
redirecting the https or ftp port with iptables ) it works ( both https and 
ftp ) but when I redirect https this error occurs ;


192.168.1.105 TCP_DENIED/400 2194 GET error:invalid-request - NONE/- text/html


After that I used this advice ;

https_port 443 cert=/etc/squid/cert.pem key=/etc/squid/private.pem

Last I tried this one, which does not work with squid on OpenBSD4.3 ;

https_port 127.0.0.1:3129 transparent cert=/etc/squid/cert.pem

Is there anybody who uses this properly ?

Thanks

ismail


[squid-users] Squid / HTTPS / Java

2008-08-13 Thread Thompson, Scott (WA)
Hi all
We had this problem with Squid 2.5 and I am seeing it also with 2.6
which I was hoping would fix it
Every time we try to access a site using HTTPS that uses Java we keep
getting proxy authentication popups
The specific site in question is gotomeeting.com when you attempt to
join a meeting

I remember some time back looking into this there was a Java ACL that
could be added to the squid.conf file, this didn't work in 2.5 for me

Does anyone know of a work around?

Cheers,

Scott


Re: [squid-users] squid https

2008-09-01 Thread Indunil Jayasooriya
On Tue, Sep 2, 2008 at 11:30 AM, İsmail ÖZATAY <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am trying to redirect https traffic to squid for days. 2 weeks ago i sent
> a post to this group and tried some advices but could not fix my problem. If
> i use server ip and squid port with any browser ( without redirecting https
> or ftp port with iptables ) it works ( both https anf ftp ) but when i
> redirect https this error accurs ;
>
> 192.168.1.105 TCP_DENIED/400 2194 GET error:invalid-request - NONE/-
> text/html
>
> After that i used this advice  ;
>
> https_port 443 cert=/etc/squid/cert.pem key=/etc/squid/private.pem
>
> Last i tried this one that does not work with squid on OpenBSD4.3 ;

I use OpenBSD 4.3

I think you are trying to redirect https and ftp.

Transparent interception of HTTPS traffic is (by design) not possible.
Squid 3HEAD includes a feature called sslbump

Pls visit below Urls

http://markmail.org/message/5d7rtqbhwwcivkkx?q=transparent+https&page=1&refer=vhkzezxg7n643ik2

http://markmail.org/message/mkgy5jjr6wdthi5k?q=transparent+https&page=1&refer=vhkzezxg7n643ik2



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid https

2008-09-02 Thread İsmail ÖZATAY

Indunil Jayasooriya wrote:

On Tue, Sep 2, 2008 at 11:30 AM, İsmail ÖZATAY <[EMAIL PROTECTED]> wrote:
  

Hi,

I am trying to redirect https traffic to squid for days. 2 weeks ago i sent
a post to this group and tried some advices but could not fix my problem. If
i use server ip and squid port with any browser ( without redirecting https
or ftp port with iptables ) it works ( both https anf ftp ) but when i
redirect https this error accurs ;

192.168.1.105 TCP_DENIED/400 2194 GET error:invalid-request - NONE/-
text/html

After that i used this advice  ;

https_port 443 cert=/etc/squid/cert.pem key=/etc/squid/private.pem

Last i tried this one that does not work with squid on OpenBSD4.3 ;



I use OpenBSD 4.3

I think you are trying to redirect https and ftp.

Transparent interception of HTTPS traffic is (by design) not possible.
Squid 3HEAD includes a feature called sslbump

Pls visit below Urls

http://markmail.org/message/5d7rtqbhwwcivkkx?q=transparent+https&page=1&refer=vhkzezxg7n643ik2

http://markmail.org/message/mkgy5jjr6wdthi5k?q=transparent+https&page=1&refer=vhkzezxg7n643ik2



  

Hi Indunil,

I am using Squid Cache: Version 2.6.STABLE18 and when I applied sslBump 
I got an error. Can you use this option with the same version as mine ? I 
think you are using squid 3. I tried this option like this ;


http_port 127.0.0.1:3128 transparent sslBump cert=/etc/squid/cert.pem key=/etc/squid/private.pem


Regards

ismail


Re: [squid-users] squid https

2008-09-02 Thread Indunil Jayasooriya
> I am using Squid Cache: Version 2.6.STABLE18 and when i applied sslBump i
> got error. Can you use this option with the same version of mine ? I think
> you are using squid 3. I tried this option like this ;

I also use squid Version 2.6.STABLE18 from OpenBSD port tree as
transparent interception.

I think below may help you

http://wiki.squid-cache.org/Features/SslBump?highlight=%28C%7B1%7DategoryWish%29%7C%28C%7B1%7DategoryFeature%29%7C%28completed%29%7C%28Version...%3A.%2A3.1%29%7C%28Status...%3A%29%7C%28ETA...%3A%29

Happy Squiding

-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid https

2008-09-02 Thread İsmail ÖZATAY

Indunil Jayasooriya wrote:

I am using Squid Cache: Version 2.6.STABLE18 and when i applied sslBump i
got error. Can you use this option with the same version of mine ? I think
you are using squid 3. I tried this option like this ;



I also use squid Version 2.6.STABLE18 from OpenBSD port tree as
transparent interception.

I think below may help you

http://wiki.squid-cache.org/Features/SslBump?highlight=%28C%7B1%7DategoryWish%29%7C%28C%7B1%7DategoryFeature%29%7C%28completed%29%7C%28Version...%3A.%2A3.1%29%7C%28Status...%3A%29%7C%28ETA...%3A%29

Happy Squiding

  

Hi Indunil ;

Could you send me your squid.conf file from the version of squid 2.6 , 
please ?


Regards

ismail


Re: [squid-users] squid https

2008-09-02 Thread İsmail ÖZATAY

Indunil Jayasooriya wrote:

Could you send me your squid.conf file from the version of squid 2.6 ,
please ?




this is the file on openbsd 3.4




  

Hi again ;

This is your configuration and I can not see any https configuration in it. 
This is a standard config. I just want to use redirected https and ftp 
traffic to my squid server.


Regards


acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.9.0/24
http_access allow our_networks

http_access deny all

icp_access allow all

http_port 3128 transparent

access_log /var/squid/logs/access.log squid

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache



Re: [squid-users] squid https

2008-09-02 Thread Amos Jeffries
> Indunil Jayasooriya wrote:
>>> Could you send me your squid.conf file from the version of squid 2.6 ,
>>> please ?
>>>
>>>
>>
>> this is the file on openbsd 3.4
>>
>>
> Hi again ;
>
> This your configuration and i can not see any https configuration in it.
> This is a standart config. I just want to use

> redirected https and

Not really possible without SSLBump (which means any Squid earlier than
3.1/HEAD).

Some have hacked up a simulation of HTTPS interception using reverse-proxy
mode and https_port, but that breaks a lot of things in the network and
causes much grief to all users.

If you want happy users, do away with the interception altogether.

> [redirected] ftp

Not possible in any Squid. Squid is an HTTP proxy not an FTP proxy.
There is another proxy called 'Froxy' which can be used for that.

Amos




Re: [squid-users] squid https

2008-09-02 Thread İsmail ÖZATAY

Amos Jeffries wrote:

Indunil Jayasooriya wrote:


Could you send me your squid.conf file from the version of squid 2.6 ,
please ?




this is the file on openbsd 3.4


  

Hi again ;

This your configuration and i can not see any https configuration in it.
This is a standart config. I just want to use



  

redirected https and



Not really possible without SSLBump (which means any Squid earlier than
3.1/HEAD).

Some have hacked up a simulation of HTTPS interception using reverse-proxy
mode and https_port, but that breaks a lot of things in the network and
causes much grief to all users.

If you want happy users, do away with the interception altogether.

  

[redirected] ftp



Not possible in any Squid. Squid is an HTTP proxy not an FTP proxy.
There is another proxy called 'Froxy' which can be used for that.

Amos




  

Hi Amos ,

If I use server_ip and squid_port with my browser, I mean without 
redirecting 80,443, or 21, all of them work properly. Squid can do this 
perfectly. I do not understand why it does not work after redirecting them ?


Regards



Re: [squid-users] squid https

2008-09-02 Thread Amos Jeffries
> Amos Jeffries wrote:
>>> Indunil Jayasooriya wrote:
>>>
> Could you send me your squid.conf file from the version of squid 2.6
> ,
> please ?
>
>
>
 this is the file on openbsd 3.4



>>> Hi again ;
>>>
>>> This your configuration and i can not see any https configuration in
>>> it.
>>> This is a standart config. I just want to use
>>>
>>
>>
>>> redirected https and
>>>
>>
>> Not really possible without SSLBump (which means any Squid earlier than
>> 3.1/HEAD).
>>
>> Some have hacked up a simulation of HTTPS interception using
>> reverse-proxy
>> mode and https_port, but that breaks a lot of things in the network and
>> causes much grief to all users.
>>
>> If you want happy users, do away with the interception altogether.
>>
>>
>>> [redirected] ftp
>>>
>>
>> Not possible in any Squid. Squid is an HTTP proxy not an FTP proxy.
>> There is another proxy called 'Froxy' which can be used for that.
>>
>> Amos
>>
>>
>>
>>
>>
> Hi Amos ,
>
> If i use server_ip and squid_port with my browser, i mean without
> redirecting 80,443, or 21, all of them works properly. Squid can do this
> perfectly. I do not understand why does not work after redirecting them ?
>

Because when your browser is configured to use a proxy, it sends
completely different protocol requests.

It wraps the FTP up in HTTP headers for Squid to understand what's going
on. For HTTPS it does not perform any encryption, or if Squid is
configured to allow it, it uses a single encryption key belonging to Squid
for all requests.

When configured to connect directly to the internet, the browser sends FTP
protocol requests across multiple ports simultaneously in a mixture of
binary and ASCII. And securely encrypts all traffic to HTTPS servers with
unique encryption keys for each destination.

Squid is not designed to intercept the FTP tangle. And the HTTPS
encryption is specifically designed to prevent quiet interception. Nobody
wants anyone playing with their private encrypted details without them
knowing.

Amos
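
Added example (not from the thread or the Squid project): a small Python classifier for the first bytes a client sends to a proxy port, showing why a browser configured for a proxy and a redirected direct connection look nothing alike to an HTTP parser. The sample byte strings, host names and the names `classify_first_bytes` and `http_parser_can_read` are constructed for illustration.

```python
import re

# Request line of an HTTP/1.x message: METHOD SP target SP HTTP/x.y
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?\n")


def classify_first_bytes(data: bytes) -> str:
    """Label what arrived first on a proxy listening port."""
    if not data:
        # Server-speaks-first protocols (the FTP control channel) send
        # nothing until the client has seen the server's greeting.
        return "no-client-data"
    # TLS record header: type 0x16 (handshake), version 0x03 0x0X,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    m = REQUEST_LINE.match(data)
    if m is None:
        return "not-http"
    method, target = m.group(1), m.group(2)
    if method == b"CONNECT":
        # Browser configured for a proxy: asks for a tunnel in clear text.
        return "proxy-connect"
    if b"://" in target:
        # Browser configured for a proxy: full URL, FTP wrapped in HTTP too.
        scheme = target.split(b"://", 1)[0].decode("ascii", "replace").lower()
        return "proxy-absolute-" + scheme
    if target.startswith(b"/") or target == b"*":
        # Direct-to-server request, e.g. redirected port 80 traffic.
        return "origin-form"
    return "not-http"


def http_parser_can_read(label: str) -> bool:
    """True when an HTTP proxy has a request line it can act on."""
    return label.startswith("proxy-") or label == "origin-form"


# Constructed samples: one per situation discussed in the thread.
SAMPLES = {
    "browser set to proxy, https URL":
        b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "browser set to proxy, ftp URL":
        b"GET ftp://ftp.example.com/pub/file.txt HTTP/1.1\r\nHost: ftp.example.com\r\n\r\n",
    "redirected port 80":
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Truncated ClientHello prefix: record header plus handshake header.
    "redirected port 443":
        bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00]),
    "redirected port 21":
        b"",
}


def classify_samples() -> dict:
    """Classify every constructed sample; returns {description: label}."""
    return {name: classify_first_bytes(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        readable = "yes" if http_parser_can_read(label) else "no"
        print(f"{name:35s} {label:22s} HTTP-readable: {readable}")
```

Only the first three samples contain an HTTP request line; the redirected port 443 and port 21 connections give an HTTP listener nothing it can parse.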




[squid-users] Squid https caching

2013-12-18 Thread 0bj3ct
Hello. Can anybody tell me can I cache https requests with squid options
described below?


Squid Cache: Version 3.3.8
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules'
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation'
'--with-swapdir=/var/spool/squid3' '--with-logdir=/var/log/squid3'
'--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'
'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security' 

+

I've configured iptables to redirect 443 to squid https_port number, tcpdump
shows that machine accepts request on port 443. But client cannot open https
sites, with http everything is ok. That is why I want to know, maybe I must
compile squid source with --enable-ssl option.

Regards,




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-https-caching-tp4663927.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Squid / HTTPS / Java

2008-08-15 Thread Amos Jeffries

Thompson, Scott (WA) wrote:

Hi all
We had this problem with Squid 2.5 and I am seeing it also with 2.6
which I was hoping would fix it
Every time we try to access a site using HTTPS that uses Java we keep
getting proxy authentication popups
The specific site in question is gotomeeting.com when you attempt to
join a meeting

I remember some time back looking into this there was a Java ACL that
could be added to the squid.conf file, this didn't work in 2.5 for me

Does anyone know of a work around?


Just the browser ACL type.

Note however that the browser ACL can be trivially forged to bypass your 
controls, so should be linked with another ACL such as src or dstdomain 
to restrict its abuse.


Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE8


Re: [squid-users] Squid https caching

2013-12-18 Thread Amos Jeffries
On 19/12/2013 8:28 a.m., 0bj3ct wrote:
> Hello. Can anybody tell me can I cache https requests with squid options
> described below?


> 
> I've configured iptables to redirect 443 to squid https_port number, tcpdump
> shows that machine accepts request on port 443. But client cannot open https
> sites, with http everything is ok. That is why I want to know, maybe I must
> compile squid source with --enable-ssl option.

That would be a good start. After that you need to configure
interception with ssl-bump. The caching part happens by default as much
as safely possible once the traffic is decrypted.

PS. Are you getting errors about https_port in this build of Squid
without --enable-ssl?

Amos



[squid-users] Squid + https : Connection failed

2005-04-06 Thread Shafeek Sumser
Hi,

I have been having a problem since I installed squid after
my adsl connection.  Here goes the problem:

The proxy functions pretty well, except that I am having
problems accessing https pages.  

When I disable the proxy in my Mozilla Browser, it just
works fine without any problem to access my gmail.com
but when I activate the proxy in my Mozilla Browser
and I connect to gmail.com, it gives me this error
message:

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: www.google.com:443

The following error was encountered:

* Connection Failed 

The system returned:

(110) Connection timed out

The remote host or network may be down. Please try the
request again.

Your cache administrator is webmaster. 


I am using squid/2.5.STABLE9 with NCSA_AUTH module to
authenticate my users.  

Telnetting to gmail.com gives the following:

debian-acer:/home/Free# telnet www.gmail.com 443
Trying 64.233.161.105...
Connected to www.gmail.com.
Escape character is '^]'.
exit
Connection closed by foreign host.

My network config is as follows: 

Internet <--> ADSL <--> Proxy/Firewall <--> LAN

Note that on the proxy/Firewall, squid and iptables
are running.


Thanks for your help and quick responses.


A+ 

Shafeek






[squid-users] squid https login error

2005-10-07 Thread Ibrahim Calisir

Hi

I am not very good at squid. I configured squid-2.5.STABLE11 with LDAP
and SSL enabled. Connections to the https port had a "page cannot be
displayed" error message in IE6, however connections to the http port had no
problem and ask for username and password. I did not understand why https
port connections give such an error.

Note: configuration string:
./configure --enable-ssl --with-openssl
--enable-digest-auth-helpers=password --enable-basic-auth-helpers=LDAP

Ibrahim Calisir
METU


[squid-users] squid https certificate validation failed

2010-03-09 Thread boipie01

Every time a user tries to access an https web site they get an error about
the certificate not having been emitted by a certificate authority. Removing
the proxy from the internet settings, I got rid of these warnings. I have
squid 2.16 Stable 16 with squidGuard. 
Tried with 3.1.0.12 and got the same thing.
Has anybody had this problem before? I searched this mailing list and google
and didn't find any solution.

Thanks
-- 
View this message in context: 
http://n4.nabble.com/squid-https-certificate-validation-failed-tp1586483p1586483.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Shafeek Sumser

Here is the access.log

1112855949.835  60538 192.168.1.150 TCP_MISS/503 0
CONNECT www.google.com:443 test DIRECT/216.239.59.99

Which gives error 503 service unavailable





--- Shafeek Sumser <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> I am having a problem since i have install squid
> after
> my adsl connection.  Here goes the problem:
> 
> The proxy function pretty well accept that i am
> having
> problem to access https pages.  
> 
> When i disable proxy on my Mozilla Browser, it just
> works fine without any problem to access my
> gmail.com
> but when I activates the proxy in my Mozilla Browser
> and I connect to gmail.com,  it  gives me this
> message
> error:
> 
> ERROR
> The requested URL could not be retrieved
> 
> While trying to retrieve the URL: www.google.com:443
> 
> The following error was encountered:
> 
> * Connection Failed 
> 
> The system returned:
> 
> (110) Connection timed out
> 
> The remote host or network may be down. Please try
> the
> request again.
> 
> Your cache administrator is webmaster. 
> 
> 
> I am using squid/2.5.STABLE9 with NCSA_AUTH module
> to
> authenticate my users.  
> 
> When I telnetting gmail.com gives the following:
> 
> debian-acer:/home/Free# telnet www.gmail.com 443
> Trying 64.233.161.105...
> Connected to www.gmail.com.
> Escape character is '^]'.
> exit
> Connection closed by foreign host.
> 
> My network config is as follows: 
> 
> Internet <--> ADSL <--> Proxy/Firewall <--> LAN
> 
> Note that on the proxy/Firewall, squid and iptables
> are running.
> 
> 
> Thanks for your helps and quick responds.
> 
> 
> A+ 
> 
> Shafeek
> 
> 
>   
> 
> 





RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Elsen Marc

 
> Hi,
> 
> I am having a problem since i have install squid after
> my adsl connection.  Here goes the problem:
> 
> The proxy function pretty well accept that i am having
> problem to access https pages.  
> 
> When i disable proxy on my Mozilla Browser, it just
> works fine without any problem to access my gmail.com
> but when I activates the proxy in my Mozilla Browser
> and I connect to gmail.com,  it  gives me this message
> error:
> 
> ERROR
> The requested URL could not be retrieved
> 
> While trying to retrieve the URL: www.google.com:443
> 
> The following error was encountered:
> 
> * Connection Failed 
> 
> The system returned:
> 
> (110) Connection timed out
> 
> The remote host or network may be down. Please try the
> request again.
> 
> Your cache administrator is webmaster. 
> 
> 
> I am using squid/2.5.STABLE9 with NCSA_AUTH module to
> authenticate my users.  
> 
> When I telnetting gmail.com gives the following:
> 
> debian-acer:/home/Free# telnet www.gmail.com 443
> Trying 64.233.161.105...
> Connected to www.gmail.com.
> Escape character is '^]'.
> exit
> Connection closed by foreign host.
> 
> My network config is as follows: 
> 
> Internet <--> ADSL <--> Proxy/Firewall <--> LAN
> 
> Note that on the proxy/Firewall, squid and iptables
> are running.
> 
> 
> Thanks for your helps and quick responds.
> 
 
 
 - What's in SQUID's access.log , for this failed request ?
 
 M.


RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Shafeek Sumser
Here is the access.log

1112855949.835  60538 192.168.1.150 TCP_MISS/503 0
CONNECT www.google.com:443 test DIRECT/216.239.59.99

Which gives error 503 service unavailable




--- Elsen Marc <[EMAIL PROTECTED]> wrote:
> 
>  
> > Hi,
> > 
> > I am having a problem since i have install squid
> after
> > my adsl connection.  Here goes the problem:
> > 
> > The proxy function pretty well accept that i am
> having
> > problem to access https pages.  
> > 
> > When i disable proxy on my Mozilla Browser, it
> just
> > works fine without any problem to access my
> gmail.com
> > but when I activates the proxy in my Mozilla
> Browser
> > and I connect to gmail.com,  it  gives me this
> message
> > error:
> > 
> > ERROR
> > The requested URL could not be retrieved
> > 
> > While trying to retrieve the URL:
> www.google.com:443
> > 
> > The following error was encountered:
> > 
> > * Connection Failed 
> > 
> > The system returned:
> > 
> > (110) Connection timed out
> > 
> > The remote host or network may be down. Please try
> the
> > request again.
> > 
> > Your cache administrator is webmaster. 
> > 
> > 
> > I am using squid/2.5.STABLE9 with NCSA_AUTH module
> to
> > authenticate my users.  
> > 
> > When I telnetting gmail.com gives the following:
> > 
> > debian-acer:/home/Free# telnet www.gmail.com 443
> > Trying 64.233.161.105...
> > Connected to www.gmail.com.
> > Escape character is '^]'.
> > exit
> > Connection closed by foreign host.
> > 
> > My network config is as follows: 
> > 
> > Internet <--> ADSL <--> Proxy/Firewall <--> LAN
> > 
> > Note that on the proxy/Firewall, squid and
> iptables
> > are running.
> > 
> > 
> > Thanks for your helps and quick responds.
> > 
>  
>  
>  - What's in SQUID's access.log , for this failed
> request ?
>  
>  M.
> 





RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Shafeek Sumser

--- Elsen Marc <[EMAIL PROTECTED]> wrote:
> 
>  
> > Hi,
> > 
> > I am having a problem since i have install squid
> after
> > my adsl connection.  Here goes the problem:
> > 
> > The proxy function pretty well accept that i am
> having
> > problem to access https pages.  
> > 
> > When i disable proxy on my Mozilla Browser, it
> just
> > works fine without any problem to access my
> gmail.com
> > but when I activates the proxy in my Mozilla
> Browser
> > and I connect to gmail.com,  it  gives me this
> message
> > error:
> > 
> > ERROR
> > The requested URL could not be retrieved
> > 
> > While trying to retrieve the URL:
> www.google.com:443
> > 
> > The following error was encountered:
> > 
> > * Connection Failed 
> > 
> > The system returned:
> > 
> > (110) Connection timed out
> > 
> > The remote host or network may be down. Please try
> the
> > request again.
> > 
> > Your cache administrator is webmaster. 
> > 
> > 
> > I am using squid/2.5.STABLE9 with NCSA_AUTH module
> to
> > authenticate my users.  
> > 
> > When I telnetting gmail.com gives the following:
> > 
> > debian-acer:/home/Free# telnet www.gmail.com 443
> > Trying 64.233.161.105...
> > Connected to www.gmail.com.
> > Escape character is '^]'.
> > exit
> > Connection closed by foreign host.
> > 
> > My network config is as follows: 
> > 
> > Internet <--> ADSL <--> Proxy/Firewall <--> LAN
> > 
> > Note that on the proxy/Firewall, squid and
> iptables
> > are running.
> > 
> > 
> > Thanks for your helps and quick responds.
> > 
>  
>  
>  - What's in SQUID's access.log , for this failed
> request ?
>  
>  M.
> 

tail -f /var/log/squid/access.log

1112857550.905  61288 192.168.1.150 TCP_MISS/503 0
CONNECT www.google.com:443 test DIRECT/216.239.59.99 -


It says 503:  Service unavailable


S.










RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Elsen Marc
>...
>...
> 
> tail -f /var/log/squid/access.log
> 
> 1112857550.905  61288 192.168.1.150 TCP_MISS/503 0
> CONNECT www.google.com:443 test DIRECT/216.239.59.99 -
> 
> 
> It says 503:  Service unavailable
> 
 
   - Is there any additional info in cache.log ?
   - Does DNS (lookup) work on the squidbox (try via 'nslookup' e.d.)

   M.


RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Shafeek Sumser

--- Elsen Marc <[EMAIL PROTECTED]> wrote:
> >...
> >...
> > 
> > tail -f /var/log/squid/access.log
> > 
> > 1112857550.905  61288 192.168.1.150 TCP_MISS/503 0
> > CONNECT www.google.com:443 test
> DIRECT/216.239.59.99 -
> > 
> > 
> > It says 503:  Service unavailable
> > 
>  
>- Is there any addiditional info in cache.log ?

No I have info only in access.log

1112861648.674   1529 192.168.1.150 TCP_MISS/302 1130
GET http://gmail.google.com/gmail test
DIRECT/64.233.185.106 text/html
1112861709.845  61165 192.168.1.150 TCP_MISS/503 0
CONNECT www.google.com:443 test DIRECT/216.239.59.104
-




>- Does DNS (lookup) work on the squidbox (try via
> 'nslookup' e.d.)
> 
>M.

Yes

debian-acer:~# nslookup www.gmail.com
Server: 202.123.2.6
Address:202.123.2.6#53

Non-authoritative answer:
www.gmail.com   canonical name = gmail.google.com.
gmail.google.comcanonical name =
gmail.google.akadns.net.
Name:   gmail.google.akadns.net
Address: 64.233.179.106
Name:   gmail.google.akadns.net
Address: 64.233.179.107



Note: All other webpages i can access on https i
cannot.  

Thanks


S.






RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Shafeek Sumser
A great thanks to you all.  


I have been able to solve the problem.  In fact, it is
not in squid.  The problem is in iptables.  

I just forgot to add https in the OUTPUT part.  

The problem has been solved.  

Thanks

A+

Shafeek Sumser


--- Elsen Marc <[EMAIL PROTECTED]> wrote:
> 
> 
> > >- Is there any addiditional info in cache.log
> ?
> > 
> > No I have info only in access.log
> > 
> > 1112861648.674   1529 192.168.1.150 TCP_MISS/302
> 1130
> > GET http://gmail.google.com/gmail test
> > DIRECT/64.233.185.106 text/html
> > 1112861709.845  61165 192.168.1.150 TCP_MISS/503 0
> > CONNECT www.google.com:443 test
> DIRECT/216.239.59.104
> > -
> > 
> > 
> > 
> > 
> > >- Does DNS (lookup) work on the squidbox (try
> via
> > > 'nslookup' e.d.)
> > > 
> > >M.
> > 
> > Yes
> > 
> > debian-acer:~# nslookup www.gmail.com
> > Server: 202.123.2.6
> > Address:202.123.2.6#53
> > 
> > Non-authoritative answer:
> > www.gmail.com   canonical name = gmail.google.com.
> > gmail.google.comcanonical name =
> > gmail.google.akadns.net.
> > Name:   gmail.google.akadns.net
> > Address: 64.233.179.106
> > Name:   gmail.google.akadns.net
> > Address: 64.233.179.107
> > 
> > 
> > 
> > Note: All other webpages i can access on https i
> > cannot.  
> > 
> > Thanks
> > 
>   
>  Strange (very), let me elaborate somemore in
> private;to not clog the list :
> 
>  So I assume the telnet test was done, on the box,
> squid runs on ?
>  I assume that is this proxy firewall ?
> 
>  Is squid configured to use any peers (parents) ?
> 
>  Marc.
> 

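
Added example (not from the thread or the Squid project): a Python triage pass over Squid native-format access.log lines that separates the two failure signatures seen in these threads, a slow zero-byte `CONNECT` ending in 503 on a `DIRECT/<ip>` fetch (the pattern that turned out to be the missing iptables OUTPUT rule) and an `error:invalid-request` denial. The first two sample lines are the ones posted above with their mail wrapping undone; the third has a constructed timestamp and elapsed field, and the `slow_ms` threshold and verdict labels are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    result: str      # e.g. TCP_MISS, TCP_DENIED
    status: int      # HTTP status sent to the client
    size: int
    method: str
    url: str
    user: str
    hierarchy: str   # e.g. DIRECT, NONE
    peer: str        # address Squid connected to, or "-"
    mime: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; None if it does not fit."""
    f = line.split()
    if len(f) != 10:
        return None
    try:
        result, status = f[3].split("/", 1)
        hierarchy, peer = f[8].split("/", 1)
        return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                     int(f[4]), f[5], f[6], f[7], hierarchy, peer, f[9])
    except ValueError:
        return None


def triage(e: Entry, slow_ms: int = 30000) -> str:
    """Return a verdict label for one entry (labels are this example's own)."""
    if e.url == "error:invalid-request":
        # The listener received bytes it could not parse as an HTTP request.
        return "non-http-on-http-port"
    if (e.method == "CONNECT" and e.status == 503 and e.size == 0
            and e.hierarchy == "DIRECT" and e.peer != "-"
            and e.elapsed_ms >= slow_ms):
        # Name resolved (peer is an address) but the outbound TCP connect
        # never completed: check egress filtering on the proxy host itself.
        return "egress-timeout"
    if e.status >= 400:
        return "other-error"
    return "ok"


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Triage every parseable line; returns [(url, verdict), ...]."""
    out = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            out.append((e.url, triage(e)))
    return out


SAMPLE_LOG = """\
1112861648.674   1529 192.168.1.150 TCP_MISS/302 1130 GET http://gmail.google.com/gmail test DIRECT/64.233.185.106 text/html
1112861709.845  61165 192.168.1.150 TCP_MISS/503 0 CONNECT www.google.com:443 test DIRECT/216.239.59.104 -
1220000000.000      5 192.168.1.105 TCP_DENIED/400 2194 GET error:invalid-request - NONE/- text/html
"""

if __name__ == "__main__":
    for url, verdict in triage_log(SAMPLE_LOG):
        print(f"{verdict:24s} {url}")
```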


Re: [squid-users] squid https login error

2005-10-07 Thread Jakob Curdes

Ibrahim Calisir wrote:


Hi

I am not very good in squid. I configured squid-2.5.STABLE11 with LDAP
and SSL enabled. Connecitons to https port had "page cannot be
displayed" error message in IE6, however connections to http port had no
problem and asks username and password. I did not understad why https
port connections give such error.

not: configuration string:
./configure --enable-ssl --with-openssl
--enable-digest-auth-helpers=password --enable-basic-auth-helpers=LDAP

The error message from IE 6 does not really help. You will have to find 
out why you get the error.
How are your acl and http_access configuration lines ? Can you browse 
https sites from the proxy machine itself without using a proxy, i.e. 
are you sure your firewall permits https connections out ?


Yours,
Jakob Curdes



Re: [squid-users] squid https login error

2005-10-07 Thread Ibrahim Calisir

thank you, for your quick reply..

However there is no line that relates to https connections that I wrote, 
except the default acl rules as:


acl Safe_ports port 443 563 # https, snews
http_access deny !Safe_ports

acl SSL_ports port 443 563
http_access deny CONNECT !SSL_ports

I do not have a firewall rule yet, and I can connect https site from 
proxy machine with firefox.


I check with Mozilla, Netscape and IE and all of them lost their 
connection with web sites as I addressed https port of my proxy.


Note: I assigned 443 as https port of proxy, and nothing changed.

Yours,
Ibrahim Calisir
METU

Jakob Curdes wrote:

Ibrahim Calisir wrote:


Hi

I am not very good in squid. I configured squid-2.5.STABLE11 with LDAP
and SSL enabled. Connecitons to https port had "page cannot be
displayed" error message in IE6, however connections to http port had no
problem and asks username and password. I did not understad why https
port connections give such error.

not: configuration string:
./configure --enable-ssl --with-openssl
--enable-digest-auth-helpers=password --enable-basic-auth-helpers=LDAP

The error message from IE 6 does not really help. You will have to find 
out why you get the error.
How are  your acl ant http_access configuration lines ? Can you browse 
https sites from the proxy machine itself without using a proxy, i.e. 
are you sure your firewall permits https connections out ?


Yours,
Jakob Curdes




Re: [squid-users] squid https login error

2005-10-08 Thread Ben Sagal
The https port is not related to https proxying and should probably be
removed.  To proxy https, in your browser, set the https proxy port to
3128 (or whatever you have set the standard http port to).

Ben

On 07/10/05, Ibrahim Calisir <[EMAIL PROTECTED]> wrote:
> thank you, for your quick reply..
>
> However there is no line that relate to https connection that I write,
> except the default acl rules as:
>
> acl Safe_ports port 443 563 # https, snews
> http_access deny !Safe_ports
>
> acl SSL_ports port 443 563
> http_access deny CONNECT !SSL_ports
>
> I do not have a firewall rule yet, and I can connect https site from
> proxy machine with firefox.
>
> I check with Mozilla, Netscape and IE and all of them lost their
> connection with web sites as I addressed https port of my proxy.
>
> not: I assigned 443 as https port of proxy, and nothing changed.
>
> Yours,
> Ibrahim Calisir
> METU
>
> Jakob Curdes wrote:
> > Ibrahim Calisir wrote:
> >
> >> Hi
> >>
> >> I am not very good in squid. I configured squid-2.5.STABLE11 with LDAP
> >> and SSL enabled. Connecitons to https port had "page cannot be
> >> displayed" error message in IE6, however connections to http port had no
> >> problem and asks username and password. I did not understad why https
> >> port connections give such error.
> >>
> >> not: configuration string:
> >> ./configure --enable-ssl --with-openssl
> >> --enable-digest-auth-helpers=password --enable-basic-auth-helpers=LDAP
> >>
> > The error message from IE 6 does not really help. You will have to find
> > out why you get the error.
> > How are  your acl ant http_access configuration lines ? Can you browse
> > https sites from the proxy machine itself without using a proxy, i.e.
> > are you sure your firewall permits https connections out ?
> >
> > Yours,
> > Jakob Curdes
>
>


[squid-users] Squid, https , MITM and Antivirus

2006-10-21 Thread Andreas Moroder

Hello,

today on our proxy server we have an antivirus between the client and 
squid. The antivirus listens on 3128 and then passes the packets to squid 
via 3130. That's fine with http. The problem is that users access 
external webmail sites via https and download virus infected files that 
can not be scanned by the antivirus.


Is it possible to configure squid as "man in the middle" and to 
configure squid the way that it passes all the downloaded files to the 
virus scanner before passing them to the client ?


Thanks
Andreas Moroder
Public hospital Brixen
IT/EU



Re: [squid-users] squid https certificate validation failed

2010-03-09 Thread Amos Jeffries

boipie01 wrote:

Every time a user try to access https web site they got and error about
certificate not been emit by certificate authority. Removing the proxy from
internet setting, i got rid of these warning. I got squid 2.16 Stable 16
with squidGuard. 
Tried with 3.1.0.12 and got the same thing.

Anybody have this problem before, i searched this mailing list and google
and didn't find any solution.

Thanks


Hmm, symptoms identical to someone trying to intercept HTTPS destined 
for websites they do not own.


Amos


Re: [squid-users] Squid, https , MITM and Antivirus

2006-10-21 Thread Jakob Curdes

Andreas Moroder wrote:


Hello,

today on our proxy server we have a antivirus between the client and 
squid. The antivirus listens on 3128 an then passes the packets to 
squid via 3130. Thats fine with http. The problem is that users access 
external webmail sites via https and download virus infected files 
that can not be scanned by the antivirus.


You cannot intercept https communications with squid. This would only be 
possible after checking the certificates belonging to the connection, 
decrypting the traffic, inspecting it, caching it and afterwards 
re-encrypting it. Squid cannot do this, it is a http proxy.
Be aware that by allowing https to everywhere you are encountering 
bigger risks than your attachments only, keyword tunneling the proxy.


JC



Re: [squid-users] Squid, https , MITM and Antivirus

2006-10-21 Thread Jakob Curdes

Andreas Moroder wrote:


Hello Jakob,

I know about the tunneling problem. We discovered one PC in our 
hospital last week with a tunneling software installed.

On the other hand there are sites you need https to log in.


There are commercial interception solutions on the market. I do not know 
of an open source project. One easy solution would be to limit https 
access to a list of well-known sites such as some webmailers (but then 
you are back at the attachment problem) and homebanking sites.


JC