11-20-2009, 12:59 AM   #1
gubak
HTTPS doesn't work through Squid


Hi!


I have a small office network with a linux gateway. I use squid proxy on linux to provide internet to the LAN machines. Unfortunately the LAN machines can't reach HTTPS sites (HTTP sites can).


Is it possible to reach https sites through squid proxy?

Thanks
 
11-20-2009, 01:22 AM   #2
janoszen
Yes

It is possible using HTTP CONNECT only if you are using non-transparent proxying. You also have to configure your clients to use it.
 
11-20-2009, 01:51 AM   #3
gubak
Quote:
Originally Posted by janoszen
It is possible using HTTP CONNECT only if you are using non-transparent proxying. You also have to configure your clients to use it.
Here is my squid.conf file:

Code:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

acl my-lan src 5.2.2.1-5.2.2.255/255.255.255.255
http_access allow my-lan



http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

icp_access allow all

http_port 3128


access_log /var/log/squid/access.log squid

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache



coredump_dir /var/spool/squid

What can I change here to allow https traffic?


Thanks!
 
11-20-2009, 02:04 AM   #4
EricTRA
Hi,

Put in:
Code:
http_access allow CONNECT SSL_ports
before
Code:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
and try again please.

Kind regards,

Eric
 
11-20-2009, 02:22 AM   #5
gubak
Quote:
Originally Posted by EricTRA
Hi,

Put in:
Code:
http_access allow CONNECT SSL_ports
before
Code:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
and try again please.

Kind regards,

Eric
I've tried it, but unfortunately it didn't work!


Do you have any other ideas?
 
11-20-2009, 04:51 AM   #6
EricTRA
Maybe silly question but did you restart Squid after changing the configuration?

Kind regards,

Eric
 
11-20-2009, 05:11 AM   #7
gubak
Quote:
Originally Posted by EricTRA
Maybe silly question but did you restart Squid after changing the configuration?

Kind regards,

Eric
Yes, every time!
 
11-20-2009, 05:15 AM   #8
linuxlover.chaitanya
Is your squid working in transparent mode? I have a transparent squid working fine even for secure sites without any explicit rules.
 
11-20-2009, 07:12 AM   #9
win32sux
Quote:
Originally Posted by EricTRA
Hi,

Put in:
Code:
http_access allow CONNECT SSL_ports
before
Code:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
and try again please.

Kind regards,

Eric
Right, but at that point the request would already have been allowed by this:
Code:
acl my-lan src 5.2.2.1-5.2.2.255/255.255.255.255
http_access allow my-lan
That is, assuming the requests are indeed coming from those source IPs.

Quote:
Originally Posted by gubak
I've tried it, but unfortunately it didn't work!


Do you have any other ideas?
Show us what appears in the access log when HTTPS failure occurs.
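
The first-match evaluation win32sux describes, as an added example that is not part of any post in this thread: a small Python model of the posted `http_access` lines. The `decide` helper, the `REORDERED` rule order and the sample requests are constructed for illustration; the example goes beyond the thread by also evaluating a CONNECT to a port outside `SSL_ports`, which shows that with `allow my-lan` first the port checks are never consulted for LAN clients.

```python
import ipaddress

ip = ipaddress.ip_address
ACLS = {  # predicates mirroring the acl lines of the posted squid.conf
    "all":        lambda r: True,
    "manager":    lambda r: r["proto"] == "cache_object",
    "localhost":  lambda r: r["src"] == "127.0.0.1",
    "SSL_ports":  lambda r: r["port"] == 443,
    "Safe_ports": lambda r: r["port"] in {80, 21, 443, 70, 210, 280, 488, 591, 777}
                            or 1025 <= r["port"] <= 65535,
    "CONNECT":    lambda r: r["method"] == "CONNECT",
    "my-lan":     lambda r: ip("5.2.2.1") <= ip(r["src"]) <= ip("5.2.2.255"),
}

# http_access lines exactly as posted, in their original order.
POSTED = """\
http_access allow my-lan
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all"""

# Constructed comparison: the LAN allow moved below the port checks.
REORDERED = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow my-lan
http_access allow localhost
http_access deny all"""

HTTPS_REQ = {"src": "5.2.2.10", "method": "CONNECT", "port": 443, "proto": "http"}  # constructed
OTHER_REQ = dict(HTTPS_REQ, port=8443)  # constructed: CONNECT to a non-SSL port

def decide(rules, req):
    """Return (action, line) of the first http_access line whose ACLs all match."""
    for line in rules.splitlines():
        _, action, *names = line.split()
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    return "deny", "(no rule matched)"  # not reached here: "deny all" always matches

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("reordered", REORDERED)):
        for req in (HTTPS_REQ, OTHER_REQ):
            print(name, req["port"], *decide(rules, req))
```

With the posted order both requests are allowed by `http_access allow my-lan`; with the reordered rules the port-443 CONNECT is still allowed, while the port-8443 CONNECT is denied by `http_access deny CONNECT !SSL_ports`.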
 
  

