HTTPS does't work through Squid

gubak · 11-20-2009, 12:59 AM

Hi!

I have a small office network with a linux gateway. I use squid proxy on linux to provide internet to the LAN machines. Unfortunately the LAN machines can't reach HTTPS sites (HTTP sites can).

Is it possible to reach https sites through squid proxy?

Thanks

janoszen · 11-20-2009, 01:22 AM

It is possible using HTTP CONNECT oly if you are using non-transparent proxying. You also have to configure your clients to use it.

gubak · 11-20-2009, 01:51 AM

Quote:

Originally Posted by janoszen

It is possible using HTTP CONNECT oly if you are using non-transparent proxying. You also have to configure your clients to use it.

Here is my squid.conf file:

Code:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

acl my-lan src 5.2.2.1-5.2.2.255/255.255.255.255
http_access allow my-lan



http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

icp_access allow all

http_port 3128


access_log /var/log/squid/access.log squid

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache



coredump_dir /var/spool/squid

What can I change here to allow https traffic?

Thanks!

EricTRA · 11-20-2009, 02:04 AM

Hi,

Put in:

Code:

http_access allow CONNECT SSL_ports

before

Code:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

and try again please.

Kind regards,

Eric

gubak · 11-20-2009, 02:22 AM

Quote:

Originally Posted by EricTRA

Hi,

Put in:

Code:

http_access allow CONNECT SSL_ports

before

Code:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

and try again please.

Kind regards,

Eric

I've tired it, but unfortunately it did't work!

Do you have any other ideas?

EricTRA · 11-20-2009, 04:51 AM

Maybe silly question but did you restart Squid after changing the configuration?

Kind regards,

Eric

gubak · 11-20-2009, 05:11 AM

Quote:

Originally Posted by EricTRA

Maybe silly question but did you restart Squid after changing the configuration?

Kind regards,

Eric

Yes, every time!

linuxlover.chaitanya · 11-20-2009, 05:15 AM

Is your squid working in transparent mode? I have a transparent squid working fine even for secure sites without any explicit rules.

win32sux · 11-20-2009, 07:12 AM

Quote:

Originally Posted by EricTRA

Hi,

Put in:

Code:

http_access allow CONNECT SSL_ports

before

Code:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

and try again please.

Kind regards,

Eric

Right, but at that point the request would already have been allowed by this:

Code:

acl my-lan src 5.2.2.1-5.2.2.255/255.255.255.255
http_access allow my-lan

That is, assuming the requests are indeed coming from those source IPs.

Quote:

Originally Posted by gubak

I've tired it, but unfortunately it did't work!

Do you have any other ideas?

Show us what appears in the access log when HTTPS failure occurs.