solamour (l33t)
Joined: 21 Dec 2004 Posts: 733 Location: San Diego, CA
Posted: Wed Dec 20, 2006 9:11 pm Post subject: [Solved] How to allow https (443) in squid?
Code:
                      Internet
                         |
  +------------+   +------------+
  |    BoxA    |   |    BoxB    |
  |            |---|            |
  | ssh client |   | ssh server |
  +------------+   |   squid    |
        |          +------------+
        |
  +------------+
  |    BoxC    |
  |            |
  |  Firefox   |
  +------------+
BoxA connects to BoxB via ssh, and BoxA's port 3128 is forwarded to BoxB's 3128 (localhost:3128). BoxB also runs squid web proxy.
BoxC can set its proxy to BoxA:3128 and it can access the web. But it seems like only http (80) is working. Is there any way that I can forward https (443) as well?
If that's not possible, what do I need to do to allow BoxC to initiate PPTP? BoxC would like to start a VPN session. Any suggestions welcome.
--
sol
Last edited by solamour on Sun Mar 15, 2009 8:22 am; edited 3 times in total
wah (Guru)
Joined: 25 Feb 2005 Posts: 453 Location: Raleigh, NC, USA
Posted: Wed Dec 20, 2006 11:32 pm
Hi,
I was just fiddling with this today as well. I found that there were "SAFE_ports" ACLs that were predefined, one of which included 443. However, I had not activated that particular ACL (only the Safe_ports 80 acl)...and once I added a rule that did so, I was able to access SSL-enabled pages.
My Squid box is at work, so I cannot quote the code...if you're still stuck, I can do so tomorrow. However, if you find the ACL section, you should find what I'm speaking of.
Cheers,
W.
--
- AMD64 3000+, MSI K8N-SLI, Nvidia Geforce 6600 PCIE, 2GB OCZ Dual-Channel PC3200, 2x160GB SATA
- Registered Linux User #418541
solamour (l33t)
Joined: 21 Dec 2004 Posts: 733 Location: San Diego, CA
Posted: Thu Dec 21, 2006 2:40 am
It would help me greatly if you'd share the relevant parts of your "squid.conf". Thanks.
--
sol
wah (Guru)
Joined: 25 Feb 2005 Posts: 453 Location: Raleigh, NC, USA
Posted: Thu Dec 21, 2006 3:00 am
solamour wrote:
    It would help me greatly if you'd share the relevant parts of your "squid.conf". Thanks.
    --
    sol
Cool - will do when I get in to work tomorrow.
W.
--
- AMD64 3000+, MSI K8N-SLI, Nvidia Geforce 6600 PCIE, 2GB OCZ Dual-Channel PC3200, 2x160GB SATA
- Registered Linux User #418541
wah (Guru)
Joined: 25 Feb 2005 Posts: 453 Location: Raleigh, NC, USA
Posted: Thu Dec 21, 2006 1:23 pm
Here's my squid.conf file, filtered using grep -v ^# /etc/squid/squid.conf. One note - I don't use this on a "production" system. This is restricted to my own private subnet of our corporate network, and therefore, some of these options may not be recommended:
Code:
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl manager proto cache_object
acl allowed_hosts src 192.168.0.0/255.255.255.0
http_access allow Safe_ports
acl our_networks src 192.168.0.0/24
http_access allow our_networks
http_access allow localhost
icp_access allow allowed_hosts
icp_access deny all
miss_access allow allowed_hosts
miss_access deny all
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
forwarded_for off
coredump_dir /var/cache/squid
url_rewrite_program /usr/sbin/wrapzap
url_rewrite_children 15
url_rewrite_access deny localhost
url_rewrite_access deny SSL_ports
The items that I speak of are:
Code:
acl Safe_ports port 443 563 # https, snews
http_access allow Safe_ports
The second option was commented out, so I was not able to access https pages until I uncommented it.
Hope this helps - I've only been playing with squid for two days, so I don't know if I'm going about it correctly...but it does work.
Cheers,
W.
--
- AMD64 3000+, MSI K8N-SLI, Nvidia Geforce 6600 PCIE, 2GB OCZ Dual-Channel PC3200, 2x160GB SATA
- Registered Linux User #418541
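The following is an added example, not code from this thread: a small Python evaluator of Squid's first-match http_access semantics, run over the http_access ordering in wah's squid.conf above and over Squid's stock ordering (deny !Safe_ports and deny CONNECT !SSL_ports before allow our_networks). The ACL table, the client addresses and the helper names are constructed for the example.

```python
import ipaddress

# Constructed ACL table mirroring the acl lines quoted in the thread; only the
# three ACL types the http_access rules there use (port, method, src).
ACLS = {
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (563, 563), (70, 70),
                            (210, 210), (1025, 65535), (280, 280), (488, 488),
                            (591, 591), (777, 777), (901, 901)]),
    "SSL_ports": ("port", [(443, 443), (563, 563)]),
    "CONNECT": ("method", ["CONNECT"]),
    "our_networks": ("src", [ipaddress.ip_network("192.168.0.0/24")]),
    "localhost": ("src", [ipaddress.ip_network("127.0.0.1/32")]),
    "all": ("src", [ipaddress.ip_network("0.0.0.0/0")]),
}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    return any(ipaddress.ip_address(req["src"]) in net for net in values)

def http_access(rules, req):
    """Evaluate http_access lines the way Squid does: the first line whose ACLs
    all match decides; '!' negates one ACL; if no line matches, the result is
    the opposite of the last line's action."""
    for line in rules:
        action, *acls = line.split()
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if action == "allow" else "allow"

# http_access lines in the order they appear in wah's squid.conf above.
AS_POSTED = ["allow Safe_ports", "allow our_networks", "allow localhost", "deny all"]
# Squid's stock ordering: refuse unsafe ports and non-SSL tunnels first,
# then admit only the local network.
STOCK = ["deny !Safe_ports", "deny CONNECT !SSL_ports", "allow our_networks",
         "allow localhost", "deny all"]

def outsider_https():       # constructed client that is not on our_networks
    return {"src": "203.0.113.5", "method": "CONNECT", "port": 443}

def insider_https():        # constructed client on our_networks
    return {"src": "192.168.0.10", "method": "CONNECT", "port": 443}

def insider_smtp_tunnel():  # CONNECT to a port that is neither safe nor SSL
    return {"src": "192.168.0.10", "method": "CONNECT", "port": 25}

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("stock", STOCK)):
        for req in (outsider_https(), insider_https(), insider_smtp_tunnel()):
            print(name, req, "->", http_access(rules, req))
```

The as-posted ordering admits a CONNECT to 443 from any source address, because allow Safe_ports carries no src restriction; the stock ordering admits it only from our_networks.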
solamour (l33t)
Joined: 21 Dec 2004 Posts: 733 Location: San Diego, CA
Posted: Thu Dec 21, 2006 9:43 pm
Q1) BoxA's port 3128 is forwarded to BoxB's 3128 (that would be 8080 in your case). Do I need to forward anything else?
Q2) Is it OK to set "Use this proxy server for all protocols" in BoxC's Firefox? Or should I set something else for "SSL Proxy" in Firefox?
--
sol
ketjap (Tux's lil' helper)
Joined: 03 Nov 2005 Posts: 75 Location: The Netherlands
Posted: Thu Dec 21, 2006 10:08 pm
solamour wrote:
    Q1) BoxA's port 3128 is forwarded to BoxB's 3128 (that would be 8080 in your case). Do I need to forward anything else?
    Q2) Is it OK to set "Use this proxy server for all protocols" in BoxC's Firefox? Or should I set something else for "SSL Proxy" in Firefox?
    --
    sol
Q1) 3128 will do the job
Q2) It's okay to set "Use this proxy server for all protocols"
There is another acl that I remember from my time using squid. Something like acl deny !SavePorts. When you put that off, every port will work and you are not restricted to the SafePorts anymore. But this is only a guess. I don't have any configuration here.
solamour (l33t)
Joined: 21 Dec 2004 Posts: 733 Location: San Diego, CA
Posted: Sun Mar 15, 2009 8:03 am
I believe when it comes to security, I'm supposed to open only what is really necessary, but because I'm lazy, I ended up taking an easy way out, allowing everyone inside my network.
Code: /etc/squid/squid.conf
acl our_networks src 192.168.0.0/24
acl SSL_ports port 443
http_access allow our_networks
visible_hostname myhostname
--
sol
fbcyborg (Advocate)
Joined: 16 Oct 2005 Posts: 3056 Location: ROMA
Posted: Wed May 06, 2009 5:30 pm
Hello wah, hello everybody.
I tried your squid.conf on my server but I still can't browse https pages.
I made a few changes in your config file to accommodate my needs, but it doesn't fit my necessities.
I have been trying to get it properly working for about two days.
Furthermore, it doesn't work in transparent mode. If I put "no proxy" in Firefox settings, there's no way to surf the internet from the subnet I created.
I have to put 10.0.0.1:3128 in the manual configuration for the proxy server, in order to be able to browse (only) some websites (through port 80).
This is my squid.conf:
Code:
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl manager proto cache_object
acl allowed_hosts src 10.0.0.0/255.0.0.0
http_access allow Safe_ports
acl our_networks src 10.0.0.0/8
http_access allow our_networks
http_access allow localhost
icp_access allow allowed_hosts
icp_access deny all
miss_access allow allowed_hosts
miss_access deny all
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
forwarded_for off
coredump_dir /var/cache/squid
url_rewrite_children 15
url_rewrite_access deny localhost
url_rewrite_access deny SSL_ports
--
[HOWTO] How to encrypt /home using cryptsetup and luks
[HOWTO] Enabling XEN dom0 support on kernel 3.X
Help answer the unanswered