Re: [squid-users] squid https: using non-self-signed cert

2018-12-19 Thread Amos Jeffries
On 20/12/18 4:32 am, Meridoff wrote:
> 1) I just try to intercept https traffic. I use https_port ...
> cert=cert.pem capath=/dir . So squid can generate certificates based on
> file.cert as Root CA.
> 

Yes.

> So, my file.cert is combined from cert and key files. And it is not
> self-signed.

Please change your focus away from the "self-signed" term. As I wrote
earlier it is just a way of saying "Root CA".

The relevant thing is the "CA" part. What is special about CA is that
those certificates can be used to sign other certificates.
Or in other words: CA certs are "signing SSL certificates".


> Checked by openssl: 
> openssl verify cert.pem
> cert.pem: CN = *.xxx.com 
> error 20 at 0 depth lookup:unable to get local issuer certificate
> And squid complains too: FATAL: No valid signing SSL certificate configured
> 

These are very different messages.

OpenSSL is complaining that the PEM file contains a certificate which
cannot be validated by any CA it trusts.

Squid is complaining that the PEM file does not contain a CA cert + CA
key it can use for signing when generating leaf certificates.


> I think squid wants to know who signed this cert - all the cert chain to the root
> cert. From where should squid know where to get all the intermediate CA
> certs for this cert.pem file ?


You have this slightly backwards. The PEM file is where Squid gets the
CA chain.

The PEM file should contain the CA cert + CA key Squid will be using to
generate leaf certs, plus any extra CA chain up to some CA the clients
trust.


> 
> 2) In capath dir: is it necessary to put here files in hash-format (as
> "man verify" for -CApath says): I mean for example 1234abcde.0 PEM-file
> in this dir.

Skip this. Like I said earlier that option is about other things not
relevant to your problem.

Your problem is that you are trying to use a leaf certificate for HTTPS
interception. You need a CA certificate.

The PEM file can contain:
 * an intermediary CA cert, or
 * a root CA cert (aka self-signed cert), or
 * a chain of intermediary CA certs, or
 * a chain of intermediary CA certs and their root CA cert.


Notice the constant detail in all those: "CA cert".


Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid https: using non-self-signed cert

2018-12-19 Thread Amos Jeffries
On 20/12/18 1:13 am, Meridoff wrote:
> Hello, when proxying https traffic squid needs self-signed cert.
> 

No, Squid needs a certificate with properties compatible with the
particular "proxying https" which your proxy is configured to do.


Some of those uses require *a CA* certificate and key. Self-signed is
the simplest type of CA certificate - anybody can create and use one for
whatever they want.

There are other types of CA certificate and any of them are also
usable in the situations where Squid simply needs a CA cert.



> But what if I use not self-signed cert ?

Depends on what type of certificate properties it *does* have.


>  I need to use cert of my
> company which is not self-signed.

Is it a CA certificate? Probably not.

Do you actually need a CA for the feature(s) you are trying to use?
Probably yes, maybe no.

Please provide details of the config you are trying to setup so we can
answer more accurately. Right now anybody saying yes, no or giving
specific advice will have to be guessing about what you mean.


> Is it possible ? May be I can use
> capath= option for this..

No. The capath= option is for loading *multiple* CA certificates in
OpenSSL. It does not change the type of certificates loaded.


> Now squid complains: FATAL: No valid signing SSL certificate configured
> for HTTPS_port 192.168.1.1:3128 
> 

That message from Squid simply says the cert you are loading is not
meeting the minimum requirements for the features you have configured in
Squid.

Yes that typically means one of the SSL-Bump features is being used and
the cert is not a CA. But there are also other situations that message
comes up, so please supply details about what you are actually trying to do.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid https intercept mode and ubuntu third party repositories issue

2016-09-20 Thread Hardik Dangar
Amos,
Thank you for your reply.
I have version 3.5.12 compiled with Debian rules example provided here,
http://docs.diladele.com/administrator_guide_4_5/install/ubuntu14/tools.html

Do you think I could patch squid from 3.5.12 to 3.5.21 via patches
available at http://www.squid-cache.org/Versions/v3/3.5/
Or I could download tar.gz file and replace files from that folder to
Debian source folder ?

Do I need any extra tools to build squid 3.5.21?


On Tue, Sep 20, 2016 at 3:58 PM, Amos Jeffries  wrote:

> On 20/09/2016 4:42 a.m., Hardik Dangar wrote:
> > Hello,
> >
> > I am using squid 3.5.12 (detailed version info is below) on Ubuntu 16.04.1
> > LTS server. My squid config is at http://pastebin.com/raw/b8RZ67u9
> >
> > I have configured squid as intercept proxy bumping all SSL https
> > connections. Setup is working fine for many things like browsing,
> > even on command line like wget I can download via https as I have installed
> > root certificate within my client os.
> >
> > My issue is whenever I try to add extra repository via command, i.e.
> > sudo add-apt-repository ppa:ondrej/php
> > command fails with output "Cannot add PPA: 'ppa:~ondrej/ubuntu/php'. ERROR:
> > '~ondrej' user or team does not exist." and in squid's cache and access.log
> > following entries can be located for this request,
> >
> > ==> /var/log/squid/access.log <==
> > 1474302162.378 439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
> >
> > ==> /var/log/squid/cache.log <==
> > 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
> > error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> > 2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22
> >
> > ==> /var/log/squid/access.log <==
> > 1474302162.885 403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
> >
> > ==> /var/log/squid/cache.log <==
> > 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
> > error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> >
> > in the above output 192.168.1.66 is my client requesting that request and
> > as you can see in cache.log there is a certificate negotiation error. I have
> > tried to fiddle with all options provided at
> > http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> > but it seems I am out of luck after almost half of my day battling this issue.
> >
> > Can someone tell me if they are successful with this issue? If so can you
> > share your squid.conf relevant section?
> >
> > $ squid -v
> > Squid Cache: Version 3.5.12
>
> Ubuntu Squid package does not build with SSL functionality.
>
> When re-building your Squid with SSL-Bump features it is important to
> always use the very latest Squid release. SSL/TLS and bumping are part
> of an ongoing arms race situation. Things are constantly changing and
> software from as little as a year ago is unlikely to work 100% well with
> intercepting ('bumping') encryption from today.
>
> First thing to try is to rebuild with squid 3.5.20 or .21 and see if the
> problem remains.
>
> Amos
>
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid https intercept mode and ubuntu third party repositories issue

2016-09-20 Thread Amos Jeffries
On 20/09/2016 4:42 a.m., Hardik Dangar wrote:
> Hello,
> 
> I am using squid 3.5.12 (detailed version info is below) on Ubuntu 16.04.1
> LTS server. My squid config is at http://pastebin.com/raw/b8RZ67u9
> 
> I have configured squid as intercept proxy bumping all SSL https
> connections. Setup is working fine for many things like browsing,
> even on command line like wget I can download via https as I have installed
> root certificate within my client os.
> 
> My issue is whenever I try to add extra repository via command, i.e.
> sudo add-apt-repository ppa:ondrej/php
> command fails with output "Cannot add PPA: 'ppa:~ondrej/ubuntu/php'. ERROR:
> '~ondrej' user or team does not exist." and in squid's cache and access.log
> following entries can be located for this request,
> 
> ==> /var/log/squid/access.log <==
> 1474302162.378 439 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
> 
> ==> /var/log/squid/cache.log <==
> 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> 2016/09/19 21:52:42 kid1| hold write on SSL connection on FD 22
> 
> ==> /var/log/squid/access.log <==
> 1474302162.885 403 192.168.1.66 TAG_NONE/200 0 CONNECT 91.189.89.223:443 - ORIGINAL_DST/91.189.89.223 -
> 
> ==> /var/log/squid/cache.log <==
> 2016/09/19 21:52:42 kid1| Error negotiating SSL connection on FD 21:
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)
> 
> in the above output 192.168.1.66 is my client requesting that request and
> as you can see in cache.log there is a certificate negotiation error. I have
> tried to fiddle with all options provided at
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
> but it seems I am out of luck after almost half of my day battling this issue.
> 
> Can someone tell me if they are successful with this issue? If so can you
> share your squid.conf relevant section?
> 
> $ squid -v
> Squid Cache: Version 3.5.12

Ubuntu Squid package does not build with SSL functionality.

When re-building your Squid with SSL-Bump features it is important to
always use the very latest Squid release. SSL/TLS and bumping are part
of an ongoing arms race situation. Things are constantly changing and
software from as little as a year ago is unlikely to work 100% well with
intercepting ('bumping') encryption from today.

First thing to try is to rebuild with squid 3.5.20 or .21 and see if the
problem remains.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid https bump and google apps

2016-01-15 Thread Amos Jeffries
On 16/01/2016 3:35 a.m., Lucas Castro wrote:
> I've hard worked against google applications,
> The points is, google use the same certificate for a bunch of different
> apps,
> like google.com, youtube.com, drive.google.com.
> I'd like to know if someone already got terminated youtube.com and
> keep working google.com and others services.

It is possible. Using the Squid-3.5 peek-and-splice feature with SNI
detection.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
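The mechanism Amos points to above, as an added configuration example that is not from the thread or from Squid's own documentation: with Squid 3.5 peek-and-splice, Squid peeks at the client's TLS ClientHello in step 1, so at step 2 the SNI (`ssl::server_name`) is available and the per-host decision no longer depends on which shared certificate the server will present. The hostnames and ACL names are illustrative.

```conf
# Added example (not from the thread): per-site handling chosen by SNI with
# Squid 3.5 peek-and-splice. Hostnames and ACL names are illustrative.
acl step1 at_step SslBump1
acl splice_by_sni ssl::server_name .google.com .googleapis.com
acl bump_by_sni   ssl::server_name .youtube.com

# Step 1: only peek, so the ClientHello (and its SNI) is seen before deciding.
ssl_bump peek step1
# Step 2: decide on the SNI alone; the shared server certificate is irrelevant here.
ssl_bump bump bump_by_sni
ssl_bump splice splice_by_sni
# Anything unmatched is passed through untouched.
ssl_bump splice all
```

Bumping after a step-1 peek is the supported combination; peeking at the server certificate in step 2 and then bumping is not, so keep the decision at step 2 as shown.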


Re: [squid-users] squid HTTPs as reverse proxy problem

2015-04-20 Thread Amos Jeffries
On 21/04/2015 1:17 p.m., snakeeyes wrote:
 Thanks, I will tell you what I did so far and hope you help me with the directive
 squid needed:



Squid does not perform SNI based certificate selection for HTTPS
virtual-hosting. You need an IP address for every top level domain being
served, sub-domains can use wildcard certificates.

http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate


For use of self-signed certificates in https:// reverse-proxy it is
worth ensuring that you have DNSSEC and TLS DANE configured in the
website DNS records.

Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid HTTPs as reverse proxy problem

2015-04-20 Thread Yuri Voinov

Man,

self-signed certificate required only for SSL Bump (not pump :)).

For SSL reverse proxy you need CA's signed server certificate.

Feel the difference.

21.04.15 5:16, snakeeyes wrote:
 Hi all, I need help in setting up squid for https reverse proxy

 I mean I want to authorize the certificate on my pc so that I am able to
 access https using http, not the tunnel method

 I have searched a lot and most of docs mention ssl pump, but again I'm here
 and don't want the ssl pump feature; all I need is just a reverse proxy.

 Here are the steps that I did:

 cd /etc/squid

 openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -subj
 '/C=dsa/ST=asd/L=aaa/O=abcv/CN=abc' -keyout /etc/squid/abc.pem -out
 /etc/squid/abc.pem

 openssl x509 -in /etc/squid/abc.pem -outform DER -out /etc/squid/abc.der

 whereis ssl_crtd

 chown squid:squid /var/lib/ssl_db

 after that I edited squid.conf with:

 https_port 443 cert=/etc/squid/abc.pem key=/etc/squid/abc.pem

 then went to my browser and added abc.der as authorized certificates

 when I connect to proxy I have error logs:

 2015/04/20 15:44:18 kid1| Error negotiating SSL connection on FD 11: Success (0)
 2015/04/20 15:44:19 kid1| Error negotiating SSL connection on FD 11: Success (0)
 2015/04/20 15:44:21 kid1| Error negotiating SSL connection on FD 11: Success (0)
 2015/04/20 15:44:23 kid1| Error negotiating SSL connection on FD 11: Success (0)
 2015/04/20 15:45:33 kid1| Error negotiating SSL connection on FD 11: Success (0)
 2015/04/20 15:45:33 kid1| Error negotiating SSL connection on FD 11: Success (0)
 2015/04/20 15:47:01 kid1| Error negotiating SSL connection on FD 11: Success (0)
 2015/04/20 15:53:44 kid1| Error negotiating SSL connection on FD 11: Success (0)
 2015/04/20 15:53:46 kid1| Error negotiating SSL connection on FD 11: Success (0)
 2015/04/20 15:53:47 kid1| Error negotiating SSL connection on FD 11: Success (0)

 Where could the problem be?

 Here is my squid config:

 squid -v

 Squid Cache: Version 3.5.1

 Service Name: squid

 configure options: '--prefix=/usr' '--includedir=/include'
 '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
 '--enable-cachemgr-hostname=drx' '--localstatedir=/var'
 '--libexecdir=/lib/squid' '--disable-maintainer-mode'
 '--disable-dependency-tracking' '--disable-silent-rules' '--srcdir=.'
 '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
 '--mandir=/usr/share/man' '--enable-inline' '--enable-async-io=8'
 '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
 '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
 '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth'
 '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
 '--enable-ntlm-auth-helpers=smb_lm'
 '--enable-digest-auth-helpers=ldap,password'
 '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-esi'
 '--disable-translation' '--with-logdir=/var/log/squid'
 '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=131072'
 '--with-large-files' '--with-default-user=squid' '--enable-linux-netfilter'
 '--enable-ltdl-convenience' '--enable-ssl' '--enable-ssl-crtd'
 '--enable-arp-acl' 'CXXFLAGS=-DMAXTCPLISTENPORTS=2' '--with-openssl'
 '--enable-snmp'

 cheers

 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squid HTTPs as reverse proxy problem

2015-04-20 Thread Yuri Voinov

What does OpenVPN have to do with Squid?!

21.04.15 7:17, snakeeyes wrote:
 Thanks, I will tell you what I did so far and hope you help me with the directive
 squid needed:

 mkdir /etc/openvpn/
 wget https://github.com/OpenVPN/easy-rsa-old/archive/master.zip
 unzip master
 cd easy-rsa-old-master/
 cp -R easy-rsa/ /etc/openvpn/
 cd /etc/openvpn/easy-rsa/2.0
 chmod 755 *
 source ./vars
 ./vars
 ./clean-all
 ./build-ca
 ./build-key-server server
 ./build-dh

 Now I have the files:

 [root@squid keys]# ls -l
 total 76
 -rw-r--r-- 1 root root 4120 Apr 20 17:51 01.pem
 -rw-r--r-- 1 root root 4006 Apr 20 17:52 02.pem
 -rw-r--r-- 1 root root 1383 Apr 20 17:51 ca.crt
 -rw------- 1 root root  912 Apr 20 17:51 ca.key
 -rw-r--r-- 1 root root  245 Apr 20 17:51 dh1024.pem
 -rw-r--r-- 1 root root  276 Apr 20 17:52 index.txt
 -rw-r--r-- 1 root root   21 Apr 20 17:52 index.txt.attr
 -rw-r--r-- 1 root root   21 Apr 20 17:51 index.txt.attr.old
 -rw-r--r-- 1 root root  136 Apr 20 17:51 index.txt.old
 -rw-r--r-- 1 root root    3 Apr 20 17:52 serial
 -rw-r--r-- 1 root root    3 Apr 20 17:51 serial.old
 -rw-r--r-- 1 root root 4120 Apr 20 17:51 server.crt
 -rw-r--r-- 1 root root  729 Apr 20 17:51 server.csr
 -rw------- 1 root root  920 Apr 20 17:51 server.key

 What do I need for the squid directive?

 Is what I did above okay?

 cheers

 From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
 On Behalf Of Yuri Voinov
 Sent: Monday, April 20, 2015 6:22 AM
 To: squid-users@lists.squid-cache.org
 Subject: Re: [squid-users] squid HTTPs as reverse proxy problem


Re: [squid-users] squid HTTPs as reverse proxy problem

2015-04-20 Thread snakeeyes
Thanks, I will tell you what I did so far and hope you help me with the directive
squid needed:

mkdir /etc/openvpn/
wget https://github.com/OpenVPN/easy-rsa-old/archive/master.zip
unzip master
cd easy-rsa-old-master/
cp -R easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
./build-ca
./build-key-server server
./build-dh

Now I have the files:

[root@squid keys]# ls -l
total 76
-rw-r--r-- 1 root root 4120 Apr 20 17:51 01.pem
-rw-r--r-- 1 root root 4006 Apr 20 17:52 02.pem
-rw-r--r-- 1 root root 1383 Apr 20 17:51 ca.crt
-rw------- 1 root root  912 Apr 20 17:51 ca.key
-rw-r--r-- 1 root root  245 Apr 20 17:51 dh1024.pem
-rw-r--r-- 1 root root  276 Apr 20 17:52 index.txt
-rw-r--r-- 1 root root   21 Apr 20 17:52 index.txt.attr
-rw-r--r-- 1 root root   21 Apr 20 17:51 index.txt.attr.old
-rw-r--r-- 1 root root  136 Apr 20 17:51 index.txt.old
-rw-r--r-- 1 root root    3 Apr 20 17:52 serial
-rw-r--r-- 1 root root    3 Apr 20 17:51 serial.old
-rw-r--r-- 1 root root 4120 Apr 20 17:51 server.crt
-rw-r--r-- 1 root root  729 Apr 20 17:51 server.csr
-rw------- 1 root root  920 Apr 20 17:51 server.key

What do I need for the squid directive?

Is what I did above okay?

cheers

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf
Of Yuri Voinov
Sent: Monday, April 20, 2015 6:22 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] squid HTTPs as reverse proxy problem


Re: [squid-users] Squid https caching

2013-12-18 Thread Amos Jeffries
On 19/12/2013 8:28 a.m., 0bj3ct wrote:
 Hello. Can anybody tell me whether I can cache https requests with the squid options
 described below?

snip
 
 I've configured iptables to redirect 443 to squid https_port number, tcpdump
 shows that machine accepts request on port 443. But client cannot open https
 sites, with http everything is ok. That is why I want to know, maybe I must
 compile squid source with --enable-ssl option.

That would be a good start. After that you need to configure
interception with ssl-bump. The caching part happens by default as much
as safely possible once the traffic is decrypted.

PS. Are you getting errors about https_port in this build of Squid
without --enable-ssl?

Amos



Re: [squid-users] squid https certificate validation failed

2010-03-09 Thread Amos Jeffries

boipie01 wrote:

Every time a user tries to access an https web site they get an error about
the certificate not being issued by a certificate authority. Removing the proxy from
the internet settings, I got rid of these warnings. I got squid 2.16 Stable 16
with squidGuard.
Tried with 3.1.0.12 and got the same thing.

Anybody have this problem before, i searched this mailing list and google
and didn't find any solution.

Thanks


Hmm, symptoms identical to someone trying to intercept HTTPS destined 
for websites they do not own.


Amos


Re: [squid-users] squid https

2008-09-02 Thread Indunil Jayasooriya
On Tue, Sep 2, 2008 at 11:30 AM, İsmail ÖZATAY [EMAIL PROTECTED] wrote:
 Hi,

 I am trying to redirect https traffic to squid for days. 2 weeks ago I sent
 a post to this group and tried some advice but could not fix my problem. If
 I use server ip and squid port with any browser (without redirecting https
 or ftp port with iptables) it works (both https and ftp) but when I
 redirect https this error occurs;

 192.168.1.105 TCP_DENIED/400 2194 GET error:invalid-request - NONE/-
 text/html

 After that i used this advice  ;

 https_port 443 cert=/etc/squid/cert.pem key=/etc/squid/private.pem

 Last i tried this one that does not work with squid on OpenBSD4.3 ;

I use OpenBSD 4.3

I think you are trying to redirect https and ftp.

Transparent interception of HTTPS traffic is (by design) not possible.
Squid 3HEAD includes a feature called sslbump

Please visit the URLs below

http://markmail.org/message/5d7rtqbhwwcivkkx?q=transparent+httpspage=1refer=vhkzezxg7n643ik2

http://markmail.org/message/mkgy5jjr6wdthi5k?q=transparent+httpspage=1refer=vhkzezxg7n643ik2



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid https

2008-09-02 Thread İsmail ÖZATAY

Indunil Jayasooriya wrote:

On Tue, Sep 2, 2008 at 11:30 AM, İsmail ÖZATAY [EMAIL PROTECTED] wrote:
  

Hi,

I am trying to redirect https traffic to squid for days. 2 weeks ago I sent
a post to this group and tried some advice but could not fix my problem. If
I use server ip and squid port with any browser (without redirecting https
or ftp port with iptables) it works (both https and ftp) but when I
redirect https this error occurs;

192.168.1.105 TCP_DENIED/400 2194 GET error:invalid-request - NONE/-
text/html

After that i used this advice  ;

https_port 443 cert=/etc/squid/cert.pem key=/etc/squid/private.pem

Last i tried this one that does not work with squid on OpenBSD4.3 ;



I use OpenBSD 4.3

I think you are trying to redirect https and ftp.

Transparent interception of HTTPS traffic is (by design) not possible.
Squid 3HEAD includes a feature called sslbump

Please visit the URLs below

http://markmail.org/message/5d7rtqbhwwcivkkx?q=transparent+httpspage=1refer=vhkzezxg7n643ik2

http://markmail.org/message/mkgy5jjr6wdthi5k?q=transparent+httpspage=1refer=vhkzezxg7n643ik2



  

Hi Indunil,

I am using Squid Cache: Version 2.6.STABLE18 and when I applied sslBump
I got an error. Can you use this option with the same version as mine? I
think you are using squid 3. I tried this option like this;


http_port 127.0.0.1:3128 transparent sslBump cert=/etc/squid/cert.pem 
key=/etc/squid/private.pem


Regards

ismail


Re: [squid-users] squid https

2008-09-02 Thread Indunil Jayasooriya
 I am using Squid Cache: Version 2.6.STABLE18 and when I applied sslBump I
 got an error. Can you use this option with the same version as mine? I think
 you are using squid 3. I tried this option like this;

I also use squid Version 2.6.STABLE18 from OpenBSD port tree as
transparent interception.

I think below may help you

http://wiki.squid-cache.org/Features/SslBump?highlight=%28C%7B1%7DategoryWish%29%7C%28C%7B1%7DategoryFeature%29%7C%28completed%29%7C%28Version...%3A.%2A3.1%29%7C%28Status...%3A%29%7C%28ETA...%3A%29

Happy Squiding

-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid https

2008-09-02 Thread İsmail ÖZATAY

Indunil Jayasooriya wrote:

I am using Squid Cache: Version 2.6.STABLE18 and when I applied sslBump I
got an error. Can you use this option with the same version as mine? I think
you are using squid 3. I tried this option like this;



I also use squid Version 2.6.STABLE18 from OpenBSD port tree as
transparent interception.

I think below may help you

http://wiki.squid-cache.org/Features/SslBump?highlight=%28C%7B1%7DategoryWish%29%7C%28C%7B1%7DategoryFeature%29%7C%28completed%29%7C%28Version...%3A.%2A3.1%29%7C%28Status...%3A%29%7C%28ETA...%3A%29

Happy Squiding

  

Hi Indunil ;

Could you send me your squid.conf file from the version of squid 2.6 , 
please ?


Regards

ismail


Re: [squid-users] squid https

2008-09-02 Thread İsmail ÖZATAY

Indunil Jayasooriya wrote:

Could you send me your squid.conf file from the version of squid 2.6 ,
please ?




this is the file on openbsd 3.4




  

Hi again ;

This is your configuration and I can not see any https configuration in it.
This is a standard config. I just want to use redirected https and ftp
traffic to my squid server.


Regards


acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.9.0/24
http_access allow our_networks

http_access deny all

icp_access allow all

http_port 3128 transparent

access_log /var/squid/logs/access.log squid

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache



Re: [squid-users] squid https

2008-09-02 Thread Amos Jeffries
 Indunil Jayasooriya wrote:
 Could you send me your squid.conf file from the version of squid 2.6 ,
 please ?



 this is the file on openbsd 3.4


 Hi again ;

 This is your configuration and I cannot see any https configuration in it.
 This is a standard config. I just want to use

 redirected https and

Not really possible without SSLBump (which means any Squid earlier than
3.1/HEAD).

Some have hacked up a simulation of HTTPS interception using reverse-proxy
mode and https_port, but that breaks a lot of things in the network and
causes much grief to all users.

If you want happy users, do away with the interception altogether.

 [redirected] ftp

Not possible in any Squid. Squid is an HTTP proxy not an FTP proxy.
There is another proxy called 'Froxy' which can be used for that.

Amos




Re: [squid-users] squid https

2008-09-02 Thread İsmail ÖZATAY

Amos Jeffries wrote:

Indunil Jayasooriya wrote:


Could you send me your squid.conf file from the version of squid 2.6 ,
please ?




this is the file on openbsd 3.4


  

Hi again ;

This is your configuration and I cannot see any https configuration in it.
This is a standard config. I just want to use



  

redirected https and



Not really possible without SSLBump (which means any Squid earlier than
3.1/HEAD).

Some have hacked up a simulation of HTTPS interception using reverse-proxy
mode and https_port, but that breaks a lot of things in the network and
causes much grief to all users.

If you want happy users, do away with the interception altogether.

  

[redirected] ftp



Not possible in any Squid. Squid is an HTTP proxy not an FTP proxy.
There is another proxy called 'Froxy' which can be used for that.

Amos




  

Hi Amos ,

If I use server_ip and squid_port with my browser, I mean without 
redirecting 80, 443, or 21, all of them work properly. Squid can do this 
perfectly. I do not understand why it does not work after redirecting them?


Regards



Re: [squid-users] squid https

2008-09-02 Thread Amos Jeffries
 Amos Jeffries wrote:
 Indunil Jayasooriya wrote:

 Could you send me your squid.conf file from the version of squid 2.6
 ,
 please ?



 this is the file on openbsd 3.4



 Hi again ;

 This is your configuration and I cannot see any https configuration in
 it.
 This is a standard config. I just want to use



 redirected https and


 Not really possible without SSLBump (which means any Squid earlier than
 3.1/HEAD).

 Some have hacked up a simulation of HTTPS interception using
 reverse-proxy
 mode and https_port, but that breaks a lot of things in the network and
 causes much grief to all users.

 If you want happy users, do away with the interception altogether.


 [redirected] ftp


 Not possible in any Squid. Squid is an HTTP proxy not an FTP proxy.
 There is another proxy called 'Froxy' which can be used for that.

 Amos





 Hi Amos ,

 If I use server_ip and squid_port with my browser, I mean without
 redirecting 80, 443, or 21, all of them work properly. Squid can do this
 perfectly. I do not understand why it does not work after redirecting them?


Because when your browser is configured to use a proxy, it sends
completely different protocol requests.

It wraps the FTP up in HTTP headers for Squid to understand what's going
on. For HTTPS it does not perform any encryption, or if Squid is
configured to allow it, it uses a single encryption key belonging to Squid
for all requests.

When configured to connect directly to the internet, the browser sends FTP
protocol requests across multiple ports simultaneously in a mixture of
binary and ASCII. And securely encrypts all traffic to HTTPS servers with
unique encryption keys for each destination.

Squid is not designed to intercept the FTP tangle. And the HTTPS
encryption is specifically designed to prevent quiet interception. Nobody
wants anyone playing with their private encrypted details without them
knowing.

Amos
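
As an added example (not code from the thread or from Squid itself), the following Python sketch shows what actually lands on a proxy's listening socket in the two cases Amos describes. A browser with a proxy configured first sends a cleartext `CONNECT host:port` request line (the same CONNECT that shows up in access.log further down this page) and only then starts TLS inside the tunnel, so the stock `http_access deny CONNECT !SSL_ports` rule can be applied to the port. A browser going direct opens the connection with a TLS record, which an HTTP-only `http_port` has no way to parse. The ClientHello bytes and the hostnames are constructed, and the SSL_ports list is assumed to be the stock `443 563`.

```python
"""Added example (not from the squid-users thread or from Squid itself).

What a proxy sees on its listening socket in the two cases Amos describes:
a browser configured to use the proxy, versus HTTPS that a firewall rule
has redirected at a plain http_port. Assumptions: the TLS bytes below are a
constructed ClientHello prefix, the hostnames are placeholders, and the
SSL_ports list is the stock ``443 563`` from squid.conf."""
import re
from typing import Optional, Tuple

# Stock squid.conf: acl SSL_ports port 443 563 / http_access deny CONNECT !SSL_ports
SSL_PORTS = frozenset({443, 563})

_TLS_HANDSHAKE = 0x16                      # TLS record content type "handshake"
_REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) HTTP/1\.[01]")


def build_connect_request(host: str, port: int, proxy_auth: Optional[str] = None) -> bytes:
    """The request a proxy-configured browser sends before it starts TLS.

    This request line is the only thing the proxy sees in clear; after its
    "200 Connection established" reply it merely relays bytes it cannot read.
    """
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_auth:
        lines.append(f"Proxy-Authorization: {proxy_auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify_first_bytes(data: bytes) -> str:
    """Identify the protocol from the first bytes of a client connection."""
    if len(data) >= 3 and data[0] == _TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        # Browser went direct and the firewall redirected port 443 here: the
        # connection opens with a TLS record, not an HTTP request line, so an
        # HTTP-only listener (a Squid 2.x http_port) has nothing it can parse.
        return "tls-handshake"
    request_line = data.split(b"\r\n", 1)[0]
    m = _REQUEST_LINE.fullmatch(request_line)
    if not m:
        return "unknown"
    method, target = m.group(1), m.group(2)
    if method == b"CONNECT":
        return "connect-tunnel"       # proxy-configured browser asking for a tunnel
    if re.match(rb"[a-z][a-z0-9+.-]*://", target, re.I):
        return "proxy-request"        # absolute-URI form, sent only to a proxy
    return "origin-request"           # path-only form: intercepted port-80 traffic


def connect_target(data: bytes) -> Optional[Tuple[str, int]]:
    """Host and port from a CONNECT request line, or None if it is not one."""
    m = _REQUEST_LINE.fullmatch(data.split(b"\r\n", 1)[0])
    if not m or m.group(1) != b"CONNECT":
        return None
    host, _, port = m.group(2).decode("ascii", "replace").rpartition(":")
    if not host or not port.isdigit():
        return None
    return host, int(port)


def connect_allowed(data: bytes, ssl_ports=SSL_PORTS) -> bool:
    """Apply the stock ``http_access deny CONNECT !SSL_ports`` rule.

    The port is all a tunnel request exposes, so this check is what keeps a
    CONNECT to, say, port 22 from turning the proxy into a generic TCP relay.
    """
    target = connect_target(data)
    return target is not None and target[1] in ssl_ports


# Constructed sample: TLS 1.0 record header (type 0x16, version 3.1, length),
# then handshake type 0x01 (ClientHello). Truncated; it need not be valid.
SAMPLE_CLIENT_HELLO = bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 01") + b"\x00" * 8

if __name__ == "__main__":
    req = build_connect_request("www.google.com", 443)
    print(classify_first_bytes(req), connect_target(req), connect_allowed(req))
    print(classify_first_bytes(SAMPLE_CLIENT_HELLO))
    print(classify_first_bytes(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
```

Run stand-alone, the CONNECT request classifies as `connect-tunnel` with target `('www.google.com', 443)`, while the redirected-443 sample classifies as `tls-handshake`. The port check is the whole of what a Squid 2.x proxy can enforce on a tunnel: it sees host and port and never the encrypted payload, which is why the proxy-tunnelling warning Jakob Curdes gives further down this page applies to every port you add to SSL_ports.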




Re: [squid-users] Squid / HTTPS / Java

2008-08-15 Thread Amos Jeffries

Thompson, Scott (WA) wrote:

Hi all
We had this problem with Squid 2.5 and I am seeing it also with 2.6
which I was hoping would fix it
Every time we try to access a site using HTTPS that uses Java we keep
getting proxy authentication popups
The specific site in question is gotomeeting.com when you attempt to
join a meeting

I remember some time back looking into this there was a Java ACL that
could be added to the squid.conf file, this didn't work in 2.5 for me

Does anyone know of a work around?


Just the browser ACL type.

Note however that the browser ACL can be trivially forged to bypass your 
controls, so should be linked with another ACL such as src or dstdomain 
to restrict its abuse.


Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE8


Re: [squid-users] Squid, https , MITM and Antivirus

2006-10-21 Thread Jakob Curdes

Andreas Moroder schrieb:


Hello,

today on our proxy server we have an antivirus between the client and 
squid. The antivirus listens on 3128 and then passes the packets to 
squid via 3130. That's fine with http. The problem is that users access 
external webmail sites via https and download virus-infected files 
that cannot be scanned by the antivirus.


You cannot intercept https communications with squid. This would only be 
possible after checking the certificates belonging to the connection, 
decrypting the traffic, inspecting it, caching it and afterwards 
re-encrypting it. Squid cannot do this, it is an http proxy.
Be aware that by allowing https to everywhere you are encountering 
bigger risks than your attachments only, keyword: tunneling the proxy.


JC



Re: [squid-users] Squid, https , MITM and Antivirus

2006-10-21 Thread Jakob Curdes

Andreas Moroder schrieb:


Hello Jakob,

I know about the tunneling problem. We discovered one PC in our 
hospital last week with tunneling software installed.

On the other hand there are sites you need https to log in.


There are commercial interception solutions on the market. I do not know 
of an open source project. One easy solution would be to limit https 
access to a list of well-known sites such as some webmailers (but then 
you are back at the attachment problem) and homebanking sites.


JC



Re: [squid-users] squid https login error

2005-10-08 Thread Ben Sagal
The https port is not related to https proxying and should probably be
removed.  To proxy https, in your browser, set the https proxy port to
3128 (or whatever you have set the standard http port to).

Ben

On 07/10/05, Ibrahim Calisir [EMAIL PROTECTED] wrote:
 thank you, for your quick reply..

 However, there is no line relating to https connections that I wrote,
 except the default acl rules:

 acl Safe_ports port 443 563 # https, snews
 http_access deny !Safe_ports

 acl SSL_ports port 443 563
 http_access deny CONNECT !SSL_ports

 I do not have a firewall rule yet, and I can connect https site from
 proxy machine with firefox.

 I checked with Mozilla, Netscape and IE and all of them lost their
 connection with web sites when I addressed the https port of my proxy.

 Note: I assigned 443 as the https port of the proxy, and nothing changed.

 Yours,
 Ibrahim Calisir
 METU

 Jakob Curdes wrote:
  Ibrahim Calisir schrieb:
 
  Hi
 
  I am not very good in squid. I configured squid-2.5.STABLE11 with LDAP
  and SSL enabled. Connections to the https port had a "page cannot be
  displayed" error message in IE6, however connections to the http port had no
  problem and ask for username and password. I did not understand why https
  port connections give such an error.
 
  Note: configuration string:
  ./configure --enable-ssl --with-openssl
  --enable-digest-auth-helpers=password --enable-basic-auth-helpers=LDAP
 
  The error message from IE 6 does not really help. You will have to find
  out why you get the error.
  How are your acl and http_access configuration lines? Can you browse
  https sites from the proxy machine itself without using a proxy, i.e.
  are you sure your firewall permits https connections out ?
 
  Yours,
  Jakob Curdes




Re: [squid-users] squid https login error

2005-10-07 Thread Jakob Curdes

Ibrahim Calisir schrieb:


Hi

I am not very good in squid. I configured squid-2.5.STABLE11 with LDAP
and SSL enabled. Connections to the https port had a "page cannot be
displayed" error message in IE6, however connections to the http port had no
problem and ask for username and password. I did not understand why https
port connections give such an error.

Note: configuration string:
./configure --enable-ssl --with-openssl
--enable-digest-auth-helpers=password --enable-basic-auth-helpers=LDAP

The error message from IE 6 does not really help. You will have to find 
out why you get the error.
How are your acl and http_access configuration lines? Can you browse 
https sites from the proxy machine itself without using a proxy, i.e. 
are you sure your firewall permits https connections out ?


Yours,
Jakob Curdes



Re: [squid-users] squid https login error

2005-10-07 Thread Ibrahim Calisir

thank you, for your quick reply..

However, there is no line relating to https connections that I wrote, 
except the default acl rules:


acl Safe_ports port 443 563 # https, snews
http_access deny !Safe_ports

acl SSL_ports port 443 563
http_access deny CONNECT !SSL_ports

I do not have a firewall rule yet, and I can connect https site from 
proxy machine with firefox.


I checked with Mozilla, Netscape and IE and all of them lost their 
connection with web sites when I addressed the https port of my proxy.


Note: I assigned 443 as the https port of the proxy, and nothing changed.

Yours,
Ibrahim Calisir
METU

Jakob Curdes wrote:

Ibrahim Calisir schrieb:


Hi

I am not very good in squid. I configured squid-2.5.STABLE11 with LDAP
and SSL enabled. Connections to the https port had a "page cannot be
displayed" error message in IE6, however connections to the http port had no
problem and ask for username and password. I did not understand why https
port connections give such an error.

Note: configuration string:
./configure --enable-ssl --with-openssl
--enable-digest-auth-helpers=password --enable-basic-auth-helpers=LDAP

The error message from IE 6 does not really help. You will have to find 
out why you get the error.
How are your acl and http_access configuration lines? Can you browse 
https sites from the proxy machine itself without using a proxy, i.e. 
are you sure your firewall permits https connections out ?


Yours,
Jakob Curdes




Re: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Shafeek Sumser

Here is the access.log

1112855949.835  60538 192.168.1.150 TCP_MISS/503 0 CONNECT www.google.com:443 test DIRECT/216.239.59.99

Which gives error 503 service unavailable





--- Shafeek Sumser [EMAIL PROTECTED] wrote:
 Hi,
 
 I am having a problem since I have installed squid after my adsl connection. Here goes the problem:
 
 The proxy functions pretty well except that I am having problems accessing https pages.
 
 When I disable the proxy in my Mozilla Browser, it just works fine without any problem to access my gmail.com, but when I activate the proxy in my Mozilla Browser and I connect to gmail.com, it gives me this error message:
 
 ERROR
 The requested URL could not be retrieved
 
 While trying to retrieve the URL: www.google.com:443
 
 The following error was encountered:
 
 * Connection Failed
 
 The system returned:
 
 (110) Connection timed out
 
 The remote host or network may be down. Please try the request again.
 
 Your cache administrator is webmaster.
 
 
 I am using squid/2.5.STABLE9 with the NCSA_AUTH module to authenticate my users.
 
 Telnetting gmail.com gives the following:
 
 debian-acer:/home/Free# telnet www.gmail.com 443
 Trying 64.233.161.105...
 Connected to www.gmail.com.
 Escape character is '^]'.
 exit
 Connection closed by foreign host.
 
 My network config is as follows:
 
 Internet -- ADSL -- Proxy/Firewall -- LAN
 
 Note that on the proxy/Firewall, squid and iptables are running.
 
 
 Thanks for your help and quick responses.
 
 
 A+
 
 Shafeek
 
 
   
 __ 
 Do you Yahoo!? 
 Yahoo! Personals - Better first dates. More second
 dates. 
 http://personals.yahoo.com
 
 





RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Elsen Marc

 
 Hi,
 
 I am having a problem since I have installed squid after
 my adsl connection.  Here goes the problem:
 
 The proxy functions pretty well except that I am having
 problems accessing https pages.  
 
 When I disable the proxy in my Mozilla Browser, it just
 works fine without any problem to access my gmail.com
 but when I activate the proxy in my Mozilla Browser
 and I connect to gmail.com, it gives me this error
 message:
 
 ERROR
 The requested URL could not be retrieved
 
 While trying to retrieve the URL: www.google.com:443
 
 The following error was encountered:
 
 * Connection Failed 
 
 The system returned:
 
 (110) Connection timed out
 
 The remote host or network may be down. Please try the
 request again.
 
 Your cache administrator is webmaster. 
 
 
 I am using squid/2.5.STABLE9 with NCSA_AUTH module to
 authenticate my users.  
 
 When I telnetting gmail.com gives the following:
 
 debian-acer:/home/Free# telnet www.gmail.com 443
 Trying 64.233.161.105...
 Connected to www.gmail.com.
 Escape character is '^]'.
 exit
 Connection closed by foreign host.
 
 My network config is as follows: 
 
 Internet -- ADSL -- Proxy/Firewall -- LAN
 
 Note that on the proxy/Firewall, squid and iptables
 are running.
 
 
 Thanks for your help and quick responses.
 
 
 
 - What's in Squid's access.log for this failed request?
 
 M.


RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Shafeek Sumser
Here is the access.log

1112855949.835  60538 192.168.1.150 TCP_MISS/503 0 CONNECT www.google.com:443 test DIRECT/216.239.59.99

Which gives error 503 service unavailable




--- Elsen Marc [EMAIL PROTECTED] wrote:
 
  
  Hi,
  
  I am having a problem since I have installed squid after my adsl connection. Here goes the problem:
  
  The proxy functions pretty well except that I am having problems accessing https pages.
  
  When I disable the proxy in my Mozilla Browser, it just works fine without any problem to access my gmail.com, but when I activate the proxy in my Mozilla Browser and I connect to gmail.com, it gives me this error message:
  
  ERROR
  The requested URL could not be retrieved
  
  While trying to retrieve the URL: www.google.com:443
  
  The following error was encountered:
  
  * Connection Failed
  
  The system returned:
  
  (110) Connection timed out
  
  The remote host or network may be down. Please try the request again.
  
  Your cache administrator is webmaster.
  
  
  I am using squid/2.5.STABLE9 with the NCSA_AUTH module to authenticate my users.
  
  Telnetting gmail.com gives the following:
  
  debian-acer:/home/Free# telnet www.gmail.com 443
  Trying 64.233.161.105...
  Connected to www.gmail.com.
  Escape character is '^]'.
  exit
  Connection closed by foreign host.
  
  My network config is as follows:
  
  Internet -- ADSL -- Proxy/Firewall -- LAN
  
  Note that on the proxy/Firewall, squid and iptables are running.
  
  
  Thanks for your help and quick responses.
  
  
  
  - What's in Squid's access.log for this failed request?
  
  M.
 





RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Shafeek Sumser

--- Elsen Marc [EMAIL PROTECTED] wrote:
 
  
  Hi,
  
  I am having a problem since I have installed squid after my adsl connection. Here goes the problem:
  
  The proxy functions pretty well except that I am having problems accessing https pages.
  
  When I disable the proxy in my Mozilla Browser, it just works fine without any problem to access my gmail.com, but when I activate the proxy in my Mozilla Browser and I connect to gmail.com, it gives me this error message:
  
  ERROR
  The requested URL could not be retrieved
  
  While trying to retrieve the URL: www.google.com:443
  
  The following error was encountered:
  
  * Connection Failed
  
  The system returned:
  
  (110) Connection timed out
  
  The remote host or network may be down. Please try the request again.
  
  Your cache administrator is webmaster.
  
  
  I am using squid/2.5.STABLE9 with the NCSA_AUTH module to authenticate my users.
  
  Telnetting gmail.com gives the following:
  
  debian-acer:/home/Free# telnet www.gmail.com 443
  Trying 64.233.161.105...
  Connected to www.gmail.com.
  Escape character is '^]'.
  exit
  Connection closed by foreign host.
  
  My network config is as follows:
  
  Internet -- ADSL -- Proxy/Firewall -- LAN
  
  Note that on the proxy/Firewall, squid and iptables are running.
  
  
  Thanks for your help and quick responses.
  
  
  
  - What's in Squid's access.log for this failed request?
  
  M.
 

tail -f /var/log/squid/access.log

1112857550.905  61288 192.168.1.150 TCP_MISS/503 0 CONNECT www.google.com:443 test DIRECT/216.239.59.99 -


It says 503:  Service unavailable


S.










RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Elsen Marc
...
...
 
 tail -f /var/log/squid/access.log
 
 1112857550.905  61288 192.168.1.150 TCP_MISS/503 0 CONNECT www.google.com:443 test DIRECT/216.239.59.99 -
 
 
 It says 503:  Service unavailable
 
 
   - Is there any additional info in cache.log?
   - Does DNS (lookup) work on the squidbox (try via 'nslookup' etc.)

   M.


RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Shafeek Sumser

--- Elsen Marc [EMAIL PROTECTED] wrote:
 ...
 ...
  
  tail -f /var/log/squid/access.log
  
  1112857550.905  61288 192.168.1.150 TCP_MISS/503 0 CONNECT www.google.com:443 test DIRECT/216.239.59.99 -
  
  
  It says 503:  Service unavailable
  
  
- Is there any additional info in cache.log?

No I have info only in access.log

1112861648.674   1529 192.168.1.150 TCP_MISS/302 1130 GET http://gmail.google.com/gmail test DIRECT/64.233.185.106 text/html
1112861709.845  61165 192.168.1.150 TCP_MISS/503 0 CONNECT www.google.com:443 test DIRECT/216.239.59.104 -




- Does DNS (lookup) work on the squidbox (try via 'nslookup' etc.)
 
M.

Yes

debian-acer:~# nslookup www.gmail.com
Server: 202.123.2.6
Address:202.123.2.6#53

Non-authoritative answer:
www.gmail.com      canonical name = gmail.google.com.
gmail.google.com   canonical name = gmail.google.akadns.net.
Name:   gmail.google.akadns.net
Address: 64.233.179.106
Name:   gmail.google.akadns.net
Address: 64.233.179.107



Note: All other webpages I can access; on https I cannot.

Thanks


S.






RE: [squid-users] Squid + https : Connection failed

2005-04-07 Thread Shafeek Sumser
A great thanks to you all.


I have been able to solve the problem.  In fact, it is
not in squid.  The problem is in iptables.  

I just forgot to add https in the OUTPUT part.  

The problem has been solved.  

Thanks

A+

Shafeek Sumser


--- Elsen Marc [EMAIL PROTECTED] wrote:
 
 
  - Is there any additional info in cache.log?
  
  No I have info only in access.log
  
  1112861648.674   1529 192.168.1.150 TCP_MISS/302 1130 GET http://gmail.google.com/gmail test DIRECT/64.233.185.106 text/html
  1112861709.845  61165 192.168.1.150 TCP_MISS/503 0 CONNECT www.google.com:443 test DIRECT/216.239.59.104 -
  
  
  
  
  - Does DNS (lookup) work on the squidbox (try via 'nslookup' etc.)
  
  M.
  
  Yes
  
  debian-acer:~# nslookup www.gmail.com
  Server: 202.123.2.6
  Address:202.123.2.6#53
  
  Non-authoritative answer:
  www.gmail.com      canonical name = gmail.google.com.
  gmail.google.com   canonical name = gmail.google.akadns.net.
  Name:   gmail.google.akadns.net
  Address: 64.233.179.106
  Name:   gmail.google.akadns.net
  Address: 64.233.179.107
  
  
  
  Note: All other webpages I can access; on https I cannot.
  
  Thanks
  
 
 Strange (very), let me elaborate some more in private, to not clog the list:
 
 So I assume the telnet test was done on the box squid runs on?
 I assume that is this proxy firewall?
 
 Is squid configured to use any peers (parents)?
 
 Marc.
 

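
As an added example (not code from the thread or from Squid itself), the following Python parses Squid's native access.log format and flags the two CONNECT problems seen on this page: the slow `TCP_MISS/503` tunnels with zero bytes that Shafeek posted (an elapsed time of about 60 s with `(110) Connection timed out` points at the proxy box itself being unable to reach the origin on 443, which is what the missing iptables OUTPUT rule turned out to be), and CONNECT requests aimed at ports outside SSL_ports, the proxy-tunnelling abuse Jakob Curdes warns about in the antivirus thread above. It assumes the stock `acl SSL_ports port 443 563`; `SLOW_MS` is a chosen heuristic rather than a Squid setting; the first sample log line is the one posted in the thread and the other three are constructed.

```python
"""Added example (not from the squid-users thread or from Squid itself).

Parse Squid's native access.log format and flag the CONNECT problems seen
on this page: slow TCP_MISS/503 tunnels with zero bytes (the symptom above,
which turned out to be a missing iptables OUTPUT rule on the proxy box) and
CONNECT requests to ports outside SSL_ports, the proxy-tunnelling abuse
Jakob Curdes warns about. Assumptions: stock ``acl SSL_ports port 443 563``;
SLOW_MS is a chosen heuristic, not a Squid setting; the first sample line is
the one posted in the thread, the others are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

SSL_PORTS = frozenset({443, 563})
SLOW_MS = 30_000   # assumed: an OS connect() timeout typically surfaces as ~60 s


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    result: str       # TCP_MISS, TCP_DENIED, ...
    status: int       # HTTP status Squid returned to the client
    size: int
    method: str
    url: str          # for CONNECT this is host:port
    user: str
    hierarchy: str    # DIRECT/216.239.59.99, NONE/-, ...
    ctype: str


def parse_line(line: str) -> Entry:
    """Native format: time elapsed client result/status bytes method URL user hier/peer type."""
    f = line.split()
    if len(f) not in (9, 10):
        raise ValueError(f"not a native-format access.log line: {line!r}")
    result, status = f[3].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status), int(f[4]),
                 f[5], f[6], f[7], f[8], f[9] if len(f) == 10 else "-")


def connect_port(url: str) -> int:
    """Port of a CONNECT target; a target without a port is assumed to mean 443."""
    _, _, port = url.rpartition(":")
    return int(port) if port.isdigit() else 443


def findings_for(e: Entry) -> List[str]:
    """Classify one entry; only CONNECT tunnels are of interest here."""
    out: List[str] = []
    if e.method != "CONNECT":
        return out
    if connect_port(e.url) not in SSL_PORTS:
        out.append("connect-to-non-ssl-port")      # someone probing for a TCP relay
    if e.result == "TCP_DENIED":
        out.append("denied-by-acl")                # http_access deny CONNECT !SSL_ports did its job
    elif e.status >= 500 and e.size == 0 and e.elapsed_ms >= SLOW_MS:
        out.append("upstream-connect-timeout")     # proxy itself cannot reach origin:port
    elif e.status >= 500:
        out.append("upstream-connect-failed")
    return out


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """Return (client, target, findings) for every entry that raised a finding."""
    report = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        e = parse_line(raw)
        found = findings_for(e)
        if found:
            report.append((e.client, e.url, found))
    return report


# First line is from the thread; the remaining three are constructed samples.
SAMPLE_LOG = """
1112861709.845  61165 192.168.1.150 TCP_MISS/503 0 CONNECT www.google.com:443 test DIRECT/216.239.59.104 -
1112861648.674   1529 192.168.1.150 TCP_MISS/302 1130 GET http://gmail.google.com/gmail test DIRECT/64.233.185.106 text/html
1112862001.101      3 192.168.1.151 TCP_DENIED/403 1423 CONNECT ssh.example.net:22 bob NONE/- text/html
1112862002.500    812 192.168.1.152 TCP_MISS/200 5120 CONNECT mail.example.com:443 alice DIRECT/203.0.113.10 -
"""

if __name__ == "__main__":
    for client, target, found in scan(SAMPLE_LOG.splitlines()):
        print(client, target, ", ".join(found))
```

Feed it `tail -f /var/log/squid/access.log` output and the thread's symptom shows up as `upstream-connect-timeout` on every CONNECT while plain GETs succeed, which is the pattern that separates a proxy-side egress problem (firewall, routing, a parent peer) from a client-side one. The `denied-by-acl` line is what a CONNECT to port 22 looks like when the default `http_access deny CONNECT !SSL_ports` rule is still in place; if you see such targets with `TCP_MISS/200` instead, someone has widened SSL_ports and the proxy is now a generic TCP relay.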