LinuxQuestions.org


gubak 11-20-2009 12:59 AM

HTTPS doesn't work through Squid
 
Hi!


I have a small office network with a linux gateway. I use squid proxy on linux to provide internet to the LAN machines. Unfortunately the LAN machines can't reach HTTPS sites (HTTP sites can).


Is it possible to reach https sites through squid proxy?

Thanks

janoszen 11-20-2009 01:22 AM

Yes
 
It is possible using HTTP CONNECT only if you are using non-transparent proxying. You also have to configure your clients to use it.

gubak 11-20-2009 01:51 AM

Quote:

Originally Posted by janoszen (Post 3763555)
It is possible using HTTP CONNECT only if you are using non-transparent proxying. You also have to configure your clients to use it.

Here is my squid.conf file:

Code:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

acl my-lan src 5.2.2.1-5.2.2.255/255.255.255.255
http_access allow my-lan

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

icp_access allow all

http_port 3128

access_log /var/log/squid/access.log squid

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

refresh_pattern ^ftp:     1440  20%  10080
refresh_pattern ^gopher:  1440   0%   1440
refresh_pattern .            0  20%   4320

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

coredump_dir /var/spool/squid


What can I change here to allow https traffic?


Thanks!

EricTRA 11-20-2009 02:04 AM

Hi,

Put in:
Code:

http_access allow CONNECT SSL_ports
before
Code:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

and try again please.

Kind regards,

Eric

gubak 11-20-2009 02:22 AM

Quote:

Originally Posted by EricTRA (Post 3763588)
Hi,

Put in:
Code:

http_access allow CONNECT SSL_ports
before
Code:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

and try again please.

Kind regards,

Eric

I've tried it, but unfortunately it didn't work!


Do you have any other ideas?

EricTRA 11-20-2009 04:51 AM

Maybe silly question but did you restart Squid after changing the configuration?

Kind regards,

Eric

gubak 11-20-2009 05:11 AM

Quote:

Originally Posted by EricTRA (Post 3763699)
Maybe silly question but did you restart Squid after changing the configuration?

Kind regards,

Eric

Yes, every time!

linuxlover.chaitanya 11-20-2009 05:15 AM

Is your squid working in transparent mode? I have a transparent squid working fine even for secure sites without any explicit rules.

win32sux 11-20-2009 07:12 AM

Quote:

Originally Posted by EricTRA (Post 3763588)
Hi,

Put in:
Code:

http_access allow CONNECT SSL_ports
before
Code:

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

and try again please.

Kind regards,

Eric

Right, but at that point the request would already have been allowed by this:
Code:

acl my-lan src 5.2.2.1-5.2.2.255/255.255.255.255
http_access allow my-lan

That is, assuming the requests are indeed coming from those source IPs.

Quote:

Originally Posted by gubak (Post 3763595)
I've tried it, but unfortunately it didn't work!


Do you have any other ideas?

Show us what appears in the access log when HTTPS failure occurs.
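To make the ordering point concrete, here is an added Python model (example code, not from the thread and not Squid's own implementation) of Squid's first-match http_access evaluation, loaded with the ACLs and http_access lines from the posted squid.conf. The client addresses and destination ports fed to it are constructed; the only simplification is that ACL types not used by these rules are omitted.

```python
from ipaddress import ip_address

# ACLs from the posted squid.conf as predicates over a request dict
# (keys: src, method, port, and proto for the cache manager)
ACLS = {
    "all":        lambda r: True,
    "manager":    lambda r: r.get("proto") == "cache_object",
    "localhost":  lambda r: r["src"] == "127.0.0.1",
    "my-lan":     lambda r: ip_address("5.2.2.1") <= ip_address(r["src"])
                            <= ip_address("5.2.2.255"),
    "Safe_ports": lambda r: r["port"] in {80, 21, 443, 70, 210, 280, 488, 591, 777}
                            or 1025 <= r["port"] <= 65535,
    "SSL_ports":  lambda r: r["port"] == 443,
    "CONNECT":    lambda r: r["method"] == "CONNECT",
}

def acl_matches(name, req):
    """A '!' prefix negates the ACL, as in squid.conf."""
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate

def http_access(rules, req):
    """First-match evaluation: every ACL on a line must match for that line
    to decide. With no match, Squid applies the opposite of the last action."""
    for index, (action, acls) in enumerate(rules, 1):
        if all(acl_matches(a, req) for a in acls):
            return action, index
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# http_access lines in exactly the order gubak posted them
POSTED = [
    ("allow", ["my-lan"]),
    ("allow", ["manager", "localhost"]),
    ("deny",  ["manager"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]
# The same lines with the LAN allow moved below the port sanity checks
REORDERED = POSTED[1:5] + [POSTED[0]] + POSTED[5:]

def connect(src, port):
    """Constructed CONNECT request (what a browser sends a proxy for an HTTPS site)."""
    return {"src": src, "method": "CONNECT", "port": port}

if __name__ == "__main__":
    for rules in (POSTED, REORDERED):
        print([http_access(rules, connect("5.2.2.10", p)) for p in (443, 8443)])
```

With the posted order, a LAN client's CONNECT to any port is decided by the `allow my-lan` line before the Safe_ports and CONNECT checks are ever reached, so those rules are not what blocks HTTPS; moving that line below the deny lines restores the port checks for LAN clients.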

