LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 07-27-2013, 10:09 PM   #1
gqqnbig
LQ Newbie
 
Registered: Apr 2011
Posts: 12

Squid as child proxy and cannot service HTTPS requests


My system has two proxies. One is Squid and the other is 127.0.0.1:8087.

I can directly connect to https://en.wikipedia.org/wiki/Main_Page and http://en.wikipedia.org/wiki/Main_Page (One is HTTP and one is HTTPS).

I set my browser to use proxy 127.0.0.1:8087 and I can access both https and http.

I set my browser to use Squid and I can access both https and http.

Now I chain Squid and 127.0.0.1:8087, i.e. 127.0.0.1:8087 is a parent proxy of Squid, and I set my browser to use Squid. However, I find I can access http://en.wikipedia.org/wiki/Main_Page but not the https one. Actually, I cannot visit any https sites. Chrome tells me the error is ERR_SSL_PROTOCOL_ERROR or ERR_TIMED_OUT.

This is my config file. Can anyone tell me what's wrong with it?

I'm doing a proof of concept and hoping the problem can be solved within the scope of Squid. (So please do not suggest that I use iptables or other tools. Sorry.)

Code:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
# Every client from any address may use this proxy, including CONNECT to any port:
# the Safe_ports / SSL_ports acls above are defined but never enforced (open proxy).
http_access allow all
icp_access allow all
http_port 3128
# URLs containing these words are fetched directly by this cache, never via a peer.
hierarchy_stoplist cgi-bin ?
cache_dir ufs B:/SquidCache 200 16 256
cache_swap_low 80
cache_swap_high 90
# "squid" = native log format; the hierarchy field records DIRECT vs parent per request.
access_log c:/squid/var/logs/access.log squid
refresh_pattern -i msdn\.microsoft\.com/.+/library 10080 20% 10080 ignore-private ignore-no-cache
refresh_pattern -i microsoft\.com/ 14400 50% 43200 ignore-private ignore-no-cache
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir c:/squid/var/cache
# Parent proxy on 127.0.0.1:8087, no ICP queries, used when nothing else matches.
# Nothing here forbids direct fetches (no never_direct), so Squid may bypass the parent.
cache_peer 127.0.0.1 parent 8087 0 default no-query

Last edited by gqqnbig; 07-28-2013 at 08:40 PM.
 
Old 07-28-2013, 05:14 AM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,411
Blog Entries: 33

Hi,
Quote:
http_port 3128
I usually apply this to an IP address, like

http_port 10.0.0.1:3128

The other thing is,

port forwarding enabled in /etc/sysctl.conf
Code:
net.ipv4.ip_forward = 1
 
Old 07-28-2013, 08:07 AM   #3
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 665

Code:
acl SSL_ports port 443 563 1863 5190 5222 5050 6667

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
Try adding these lines to the configuration and then restart the service.
 
Old 07-28-2013, 08:21 PM   #4
gqqnbig
LQ Newbie
 
Registered: Apr 2011
Posts: 12

Original Poster
Quote:
Originally Posted by SAbhi View Post
Code:
acl SSL_ports port 443 563 1863 5190 5222 5050 6667

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
Try adding these lines to the configuration and then restart the service.
Sorry, it doesn't work.

The error is ERR_SSL_PROTOCOL_ERROR.
 
Old 07-28-2013, 08:28 PM   #5
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 665

Did you replace the line acl SSL_ports port 443 with acl SSL_ports port 443 563 1863 5190 5222 5050 6667?
 
Old 07-28-2013, 08:57 PM   #6
gqqnbig
LQ Newbie
 
Registered: Apr 2011
Posts: 12

Original Poster
Quote:
Originally Posted by SAbhi View Post
Did you replace the line acl SSL_ports port 443 with acl SSL_ports port 443 563 1863 5190 5222 5050 6667?
Oh, I didn't. Now I replaced it.

I find my previous experiment may have some mistake.

My Squid has a parent proxy of 127.0.0.1:8087 and I can access both http and https. Now I close the program listening on 127.0.0.1:8087, and I can still visit both sites. It seems Squid doesn't forward requests to 127.0.0.1:8087. But when I visit an http site, I do see some log produced by 127.0.0.1:8087.

I'm confused by the behavior.
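A way to check what post #6 describes (whether Squid is really handing requests to the parent) without guessing from the parent's own output: Squid's native access.log, the "squid" format named on the access_log line in the original config, records the routing decision for every request in the hierarchy field, DIRECT/origin-ip when Squid fetched from the origin itself and DEFAULT_PARENT/127.0.0.1 (or FIRSTUP_PARENT/…) when it used the cache_peer. The script below is an added example, not code from the thread; the log lines in it are constructed to mimic that format, and the field positions it uses assume it.

```shell
#!/bin/sh
# Added example: list and count the CONNECT requests that Squid sent DIRECT
# instead of through its parent. Assumes Squid's native ("squid") log format:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
# so the method is field 6, the URL field 7 and the hierarchy code field 9.

# Constructed sample lines (not a real log): two CONNECTs that bypassed the
# parent, one CONNECT and one GET that went through the DEFAULT_PARENT peer.
SAMPLE_LOG='1375056001.123    456 192.168.1.10 TCP_MISS/200 1234 CONNECT en.wikipedia.org:443 - DIRECT/198.35.26.96 -
1375056002.456     89 192.168.1.10 TCP_MISS/200 5678 GET http://en.wikipedia.org/wiki/Main_Page - DEFAULT_PARENT/127.0.0.1 text/html
1375056003.789    512 192.168.1.10 TCP_MISS/200 2048 CONNECT accounts.google.com:443 - DEFAULT_PARENT/127.0.0.1 -
1375056004.012   3001 192.168.1.10 TCP_MISS/503 0 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -'

# list_direct_connect < access.log
# Prints "host:port hierarchy/peer" for each CONNECT that did not use a peer.
list_direct_connect() {
    awk '$6 == "CONNECT" && $9 ~ /^DIRECT\// { print $7, $9 }'
}

# count_direct_connect < access.log
# Prints how many CONNECT requests went DIRECT (0 when the chain is honoured).
count_direct_connect() {
    awk '$6 == "CONNECT" && $9 ~ /^DIRECT\// { n++ } END { print n + 0 }'
}

# parent_honoured < access.log
# Exit status 0 if every CONNECT used a parent, 1 if any went DIRECT.
parent_honoured() {
    [ "$(count_direct_connect)" -eq 0 ]
}

# Demo on the constructed sample. Against a live proxy, run
#   list_direct_connect < /path/to/access.log
# after browsing a few https sites; any output means the parent was bypassed.
printf '%s\n' "$SAMPLE_LOG" | list_direct_connect
```

Run it against the real access.log right after stopping the parent as in post #6: if https browsing still works, the CONNECT lines will carry DIRECT/…, which is the bypass the thread is chasing, rather than a sign that the parent is handling them.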
 
Old 07-28-2013, 09:14 PM   #7
gqqnbig
LQ Newbie
 
Registered: Apr 2011
Posts: 12

Original Poster
Hahaha, I solved the problem!!! Just inspired by the strange behavior stated in #6.

Squid sometimes uses a direct connection even though a parent proxy exists. So I added never_direct allow all.

You can refer to http://www.christianschenk.org/blog/...xy-with-squid/.

Quote:
If we wouldn’t use the second directive there may be certain circumstances where Squid would ask directly for content and would ignore the parent proxy; this isn’t what we want.

Last edited by gqqnbig; 07-28-2013 at 09:16 PM.
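The fix from post #7 in context: an added example (not the thread's own config, and not the blog's) of the child-proxy fragment with never_direct, combined with the port guards from post #3 and a client restriction in place of the original http_access allow all. It assumes the parent on 127.0.0.1:8087 speaks plain HTTP proxy protocol and that clients come from the RFC1918 ranges already named in the original config; everything else in the original squid.conf (cache_dir, logs, refresh_patterns) is left out because it does not affect routing.

```conf
# Child Squid that forwards everything, including CONNECT tunnels, to a
# parent proxy on 127.0.0.1:8087. Added example; assumes the parent is a
# plain HTTP proxy and that clients are on the RFC1918 ranges below.

acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT

# Enforce the port acls (the original config only defined them):
# no requests to odd ports, no CONNECT to anything but TLS ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Only our own clients instead of "allow all", which made the original an open proxy.
http_access allow localhost
http_access allow localnet
http_access deny all

http_port 3128

# The parent. no-query: no ICP probes; default: use it when no other peer matches.
cache_peer 127.0.0.1 parent 8087 0 no-query default

# Without this Squid decides per request whether to go to the origin itself or
# to a peer, and in this thread the CONNECT requests were going direct.
# With it, every request must use a parent peer.
never_direct allow all
```

never_direct allow all makes the parent mandatory: if 127.0.0.1:8087 is down, requests fail instead of silently going direct, which is what you want for a forced chain and is also what makes the "stop the parent and see whether browsing still works" test from post #6 meaningful. prefer_direct off is not a substitute, since it only changes the order in which Squid tries peers and direct, not whether direct is allowed.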
 
Old 07-28-2013, 09:53 PM   #8
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 665

Hmm, that's great you solved the problem on your own... that means you were using a proxy to respond directly for the content and not the webserver.
you can mark the thread as SOLVED now.
 
  

