[ILUG] Debian squid3 and ssl
lists at cybercolloids.net
Wed Mar 9 13:55:02 GMT 2011
From: Gavin McCullagh <gmccullagh at gmail.com>
Reply-to: Irish Linux Users Group <ilug at linux.ie>
To: ilug at linux.ie
Subject: Re: [ILUG] Debian squid3 and ssl
Date: Wed, 9 Mar 2011 13:51:53 +0000
On Wed, 09 Mar 2011, kevin wrote:
> I am using squid as a proxy for a small network, it works fine but when
> someone logs into an https webpage the proxy doesn't work.
This is usually dealt with under the connect method. Unless something has
changed, when a browser knows it's doing SSL through a proxy, it issues a
message to the proxy like:

    connect www.linux.ie:443 HTTP/1.0

which causes the proxy to act as a sort of NAT device, forwarding the TCP
session on to the server. The default squid config usually has lines like

    acl SSL_ports port 443 # https
    acl SSL_ports port 563 # snews
    acl SSL_ports port 8002
    acl SSL_ports port 873 # rsync
    acl SSL_ports port 2096
    acl CONNECT method CONNECT
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports

which in effect allows the connect method, but only on specified ports.

    http_access allow .....

should be sufficient otherwise to allow this. All bets are off if you're
using transparent proxying however.

What error message are you getting in the browser?

I think I have found the problem. I moved the acl deny/accept list line for port 443 up the list and now everything is working again.
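
The ordering fix reported above works because Squid checks http_access lines top to bottom and stops at the first one that matches. The following is an added example, not part of the original thread or of Squid itself: a simplified Python model of that evaluation, handling only "port" and "method" ACLs plus the built-in "all". The ACL name web_ports and both rule orderings are constructed for illustration.

```python
# Simplified model of Squid http_access evaluation (added example).
ACLS = """
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl web_ports port 80  # hypothetical ACL name
acl CONNECT method CONNECT
"""
# Constructed orderings: the same four rules, CONNECT lines last vs first.
BROKEN = ACLS + """
http_access allow web_ports
http_access deny all
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
"""
FIXED = ACLS + """
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
http_access allow web_ports
http_access deny all
"""

def parse(config):
    """Return (acls, rules) from squid.conf-style text."""
    acls, rules = {}, []
    for line in config.splitlines():
        words = line.split("#", 1)[0].split()  # drop trailing comments
        if len(words) >= 4 and words[0] == "acl":
            # Repeated acl lines with the same name are ORed together.
            acls.setdefault(words[1], (words[2], set()))[1].update(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acls, name, method, port):
    if name == "all":
        return True
    kind, values = acls[name]
    return (method if kind == "method" else str(port)) in values

def decide(config, method, port):
    """The first http_access line whose ACLs all match decides the request."""
    acls, rules = parse(config)
    for action, names in rules:
        # ACLs on one line are ANDed; a leading "!" negates the ACL.
        if all(acl_matches(acls, n.lstrip("!"), method, port) != n.startswith("!")
               for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"
```

With the BROKEN ordering, "deny all" matches before the CONNECT lines are reached, so HTTPS fails while plain HTTP on port 80 still works.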