Re: Squid / ssl / behind firewall

From: Michael Samuel <michael@dont-contact.us>
Date: Mon, 18 May 1998 19:31:51 +1000 (EST)

Squid is not an SSL proxy in the lynx sense of the term. It supports only
the CONNECT method.

Did you try it through lynx or Netscape?

On Mon, 18 May 1998, Stephan Sachweh wrote:

> I am using squid 1.1.20 on Solaris 2.6 x86.
> I tried to connect to an https site outside my local network via a Netscape
> proxy server 2.5. The Netscape proxy server has authentication enabled!
>
> After a long period of time I got the message "proxy authentication
> failed" and was not able to get requested pages via https.
>
> I think I have found two bugs in squid 1.1.20.
>
> 1. Squid performs DNS tests for https servers outside the firewall, which
> causes the long delay.
> 2. Squid does not forward the basic authentication data to the parent
> proxy if accessing SSL sites.
>
> Perhaps there is something wrong with my configuration, but otherwise I
> would like to know when these bugs will be fixed or if they are fixed in
> later versions of squid.
>
> Best regards,
>
> Stephan
>
> Here is the relevant part from the configuration file squid.conf:
> -----------------------------------------------------------------
> cache_host firewall.intern parent 8080 0 no-query default
> inside_firewall intern
> single_parent_bypass off
> #hierarchy_stoplist cgi-bin ?
> cache_stoplist cgi-bin ?
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl all src 0.0.0.0/0.0.0.0
>
> acl SSL_ports port 443 563
> acl Dangerous_ports port 7 9 19
> acl CONNECT method CONNECT
>
> acl SISWEST src 18.0.0.0/255.0.0.0 17.0.0.0/255.0.0.0 127.0.0.1/255.255.255.255
>
> http_access deny manager !SISWEST
> http_access deny CONNECT !SSL_ports
> http_access deny Dangerous_ports
>
> http_access allow SISWEST
> icp_access allow all
> ssl_proxy firewall.intern
> #http_anonymizer off
>
> DNS tests are disabled via the start option -D.
>
> Here is part of the logfile generated using debug_options ALL,9:
> ----------------------------------------------------------------
> 1998/05/14 16:08:42| dnsOpenServers: FD 6 connected to
> /usr/local/squid/bin/dnsserver #1.
> 1998/05/14 16:08:42| dnsOpenServers: 'dns_server' 0 started
> 1998/05/14 16:08:42| ipcache_nbgethostbyname: FD 183935: Name
> 'firewall.intern'.
> 1998/05/14 16:08:42| ipcache_nbgethostbyname: HIT for 'firewall.intern'
> 1998/05/14 16:08:42| Configuring Parent firewall.intern/8080/0
> 1998/05/14 16:08:42| --> IP address #0: 18.121.6.1
> 1998/05/14 16:08:42| clientReadRequest: FD 17: reading request...
> 1998/05/14 16:08:42| clientReadRequest: len = 4095
> 1998/05/14 16:08:42| parseHttpRequest: Method is 'CONNECT'
> 1998/05/14 16:08:42| parseHttpRequest: Request is 'banking.sonline.de:443'
> 1998/05/14 16:08:42| parseHttpRequest: HTTP version is 'HTTP/1.0
> Proxy-authorization: B'
> 1998/05/14 16:08:42| parseHttpRequest: Request Header is
> Proxy-authorization: Basic c3liMzY6c293aWVzbw== User-Agent: Mozilla/4.05
> [en] (WinNT; I)
> 1998/05/14 16:08:42| parseHttpRequest: Complete request received
> 1998/05/14 16:08:42| mime_get_header: looking for 'User-Agent'
> 1998/05/14 16:08:42| mime_get_header: checking 'User-Agent: Mozilla/4.05
> [en] (WinNT; I)'
> 1998/05/14 16:08:42| mime_get_header: returning 'Mozilla/4.05 [en] (WinNT;
> I)'
> 1998/05/14 16:08:42| aclCheck: checking 'http_access deny manager !SISWEST'
> 1998/05/14 16:08:42| aclMatchAclList: checking manager
> 1998/05/14 16:08:42| aclMatchAcl: checking 'acl manager proto cache_object'
> 1998/05/14 16:08:42| aclMatchAclList: returning 0
> 1998/05/14 16:08:42| aclCheck: checking 'http_access deny CONNECT
> !SSL_ports'
> 1998/05/14 16:08:42| aclMatchAclList: checking CONNECT
> 1998/05/14 16:08:42| aclMatchAcl: checking 'acl CONNECT method CONNECT'
> 1998/05/14 16:08:42| aclMatchAclList: checking !SSL_ports
> 1998/05/14 16:08:42| aclMatchAcl: checking 'acl SSL_ports port 443 563'
> 1998/05/14 16:08:42| aclMatchAclList: returning 0
> 1998/05/14 16:08:42| aclCheck: checking 'http_access deny Dangerous_ports'
> 1998/05/14 16:08:42| aclMatchAclList: checking Dangerous_ports
> 1998/05/14 16:08:42| aclMatchAcl: checking 'acl Dangerous_ports port 7 9
> 19'
> 1998/05/14 16:08:42| aclMatchAclList: returning 0
> 1998/05/14 16:08:42| aclCheck: checking 'http_access allow SISWEST '
> 1998/05/14 16:08:42| aclMatchAclList: checking SISWEST
> 1998/05/14 16:08:42| aclMatchAcl: checking 'acl SISWEST src
> 18.0.0.0/255.0.0.0 17.0.0.0/255.0.0.0 127.0.0.1/255.255.255.255'
> 1998/05/14 16:08:42| aclMatchIp: h = 18.0.0.0
> 1998/05/14 16:08:42| aclMatchIp: addr1 = 18.0.0.0
> 1998/05/14 16:08:42| aclMatchIp: addr2 = 0.0.0.0
> 1998/05/14 16:08:42| aclMatchIp: returning 1
> 1998/05/14 16:08:42| aclMatchAclList: returning 1
> 1998/05/14 16:08:42| aclCheck: match found, returning 1
> 1998/05/14 16:08:42| clientAccessCheckDone: 'banking.sonline.de:443'
> answer=1
> 1998/05/14 16:08:42| redirectStart: 'banking.sonline.de:443'
> 1998/05/14 16:08:42| clientRedirectDone: 'banking.sonline.de:443'
> result=NULL
> 1998/05/14 16:08:42| mime_get_header: looking for 'If-Modified-Since'
> 1998/05/14 16:08:42| mime_get_header: looking for 'Pragma'
> 1998/05/14 16:08:42| mime_get_header: looking for 'Range'
> 1998/05/14 16:08:42| mime_get_header: looking for 'Request-Range'
> 1998/05/14 16:08:42| mime_get_header: looking for 'Authorization'
> 1998/05/14 16:08:42| mime_get_header: looking for 'Via'
> 1998/05/14 16:08:42| mime_get_header: looking for 'Cache-control'
> 1998/05/14 16:08:42| icpProcessRequest: CONNECT 'banking.sonline.de:443'
> 1998/05/14 16:08:42| sslStart: 'CONNECT banking.sonline.de:443'
> 1998/05/14 16:08:42| comm_add_close_handler: FD 20, handler=8075740,
> data=9424108
> 1998/05/14 16:08:42| comm_add_close_handler: FD 17, handler=80756f0,
> data=9424108
> 1998/05/14 16:08:42| ipcache_nbgethostbyname: FD 20: Name
> 'banking.sonline.de'.
> 1998/05/14 16:08:42| ipcache_nbgethostbyname: MISS for 'banking.sonline.de'
> 1998/05/14 16:08:42| ipcache_add_to_hash: name <banking.sonline.de>
> 1998/05/14 16:08:42| comm_write: FD 6: sz 19: tout 0: hndl 0: data 0.
> 1998/05/14 16:08:42| ipcache_dnsDispatch: Request sent to DNS server #1.
>
>
> 1998/05/14 16:09:34| ipcache_dnsHandleRead: Result from DNS ID 1 (99 bytes)
> 1998/05/14 16:09:34| ipcache_parsebuffer: parsing:
> $fail banking.sonline.de
> $message Name Server for domain 'banking.sonline.de' is unavailable.
> $end
> 1998/05/14 16:09:34| ipcache_nbgethostbyname: FD 20: Name
> 'firewall.intern'.
> 1998/05/14 16:09:34| ipcache_nbgethostbyname: HIT for 'firewall.intern'
> 1998/05/14 16:09:34| sslConnect: client=17 server=20
> 1998/05/14 16:09:34| sslProxyConnected: FD 20 sslState=9424108
> 1998/05/14 16:09:34| sslProxyConnected: Sending 'CONNECT
> banking.sonline.de:443 HTTP/1.0'
> 1998/05/14 16:09:34| comm_set_fd_lifetime: FD 20 lft 86400
> 1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
> 1998/05/14 16:09:34| comm_select: FD 20 ready for writing
> 1998/05/14 16:09:34| sslWriteServer FD 20, wrote 43 bytes
> 1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
> 1998/05/14 16:09:34| comm_select: FD 20 ready for reading
> 1998/05/14 16:09:34| sslReadServer FD 20, read 217 bytes
> 1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
> 1998/05/14 16:09:34| comm_select: FD 17 ready for writing
> 1998/05/14 16:09:34| sslWriteClient FD 17 len=217 offset=0
> 1998/05/14 16:09:34| sslWriteClient FD 17, wrote 217 bytes
> 1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
> 1998/05/14 16:09:34| comm_select: FD 20 ready for reading
> 1998/05/14 16:09:34| sslReadServer FD 20, read 271 bytes
> 1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
> 1998/05/14 16:09:34| comm_select: FD 17 ready for writing
> 1998/05/14 16:09:34| sslWriteClient FD 17 len=271 offset=0
> 1998/05/14 16:09:34| sslWriteClient FD 17, wrote 271 bytes
> 1998/05/14 16:09:34| comm_select: 1 sockets ready at 895158574
> 1998/05/14 16:09:34| comm_select: FD 20 ready for reading
> 1998/05/14 16:09:34| sslReadServer FD 20, read 0 bytes
> 1998/05/14 16:09:34| comm_close: FD 17
> 1998/05/14 16:09:34| commCallCloseHandlers: FD 17
> 1998/05/14 16:09:34| comm_close: FD 20
> 1998/05/14 16:09:34| commCallCloseHandlers: FD 20
> 1998/05/14 16:09:34| sslStateFree: FD 20, sslState=9424108
>
>
> ---------------------------------------------------------------
> Stephan Sachweh, Dipl.-Inform. Tel: +49 231 9704 221
> ExperTeam GmbH Fax: +49 231 9704 299
> Emil-Figge-Str. 85, 44227 Dortmund Mobile: +49 171 4632098
>
>

Michael Samuel,

Surf-Net City - Internet Cafe and Internet Service Providers
Phone: +61 3 9593-9977
E-Mail: <michael@surfdirect.com.au>
WWW: http://www.surfnetcity.com.au/~michael/
Received on Mon May 18 1998 - 01:38:04 MDT
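An added example (not part of the thread and not Squid code) that scripts the two checks Stephan made by hand against this kind of debug_options ALL,9 output: it measures how long the tunnel setup waited on the DNS lookup of the CONNECT target, and compares the byte count Squid wrote to the parent with the size of a bare CONNECT request line, which is how the log alone shows that no Proxy-authorization header went along (43 bytes is exactly "CONNECT banking.sonline.de:443 HTTP/1.0" plus CRLF CRLF). The log lines are constructed to mirror the excerpt above, with the credential replaced by a placeholder.

```python
import re
from datetime import datetime

# Constructed sample modeled on the thread's debug excerpt; credential replaced by a placeholder.
SAMPLE_LOG = """\
1998/05/14 16:08:42| parseHttpRequest: Method is 'CONNECT'
1998/05/14 16:08:42| parseHttpRequest: Request is 'banking.sonline.de:443'
1998/05/14 16:08:42| parseHttpRequest: Request Header is Proxy-authorization: Basic <credential> User-Agent: Mozilla/4.05 [en] (WinNT; I)
1998/05/14 16:08:42| ipcache_nbgethostbyname: MISS for 'banking.sonline.de'
1998/05/14 16:08:42| ipcache_dnsDispatch: Request sent to DNS server #1.
1998/05/14 16:09:34| ipcache_dnsHandleRead: Result from DNS ID 1 (99 bytes)
$fail banking.sonline.de
$message Name Server for domain 'banking.sonline.de' is unavailable.
$end
1998/05/14 16:09:34| sslProxyConnected: Sending 'CONNECT banking.sonline.de:443 HTTP/1.0'
1998/05/14 16:09:34| sslWriteServer FD 20, wrote 43 bytes
"""

LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| (.*)$")

def parse(log):
    """Yield (timestamp, message); dnsserver result lines ($fail/$message/$end) have no timestamp."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2)
        elif line.startswith("$"):
            yield None, line

def audit_connect(log):
    """Check one CONNECT transaction for the two symptoms reported in the thread."""
    f, dns_sent = {}, None
    for ts, msg in parse(log):
        if msg.startswith("parseHttpRequest: Request Header is"):
            f["client_sent_proxy_auth"] = "proxy-authorization:" in msg.lower()
        elif msg.startswith("ipcache_dnsDispatch:"):
            dns_sent = ts                      # DNS lookup of the tunnel target begins
        elif msg.startswith("ipcache_dnsHandleRead:") and dns_sent:
            f["dns_wait_seconds"] = (ts - dns_sent).total_seconds()
        elif msg.startswith("$fail"):
            f["dns_failed_for"] = msg.split()[1]
        elif msg.startswith("sslProxyConnected: Sending '"):
            # Assumption: the request line is terminated by CRLF CRLF (4 bytes);
            # a write of exactly that size means no headers followed it.
            f["expected_bare_bytes"] = len(msg.split("'")[1]) + 4
        elif "sslWriteServer" in msg and "bytes_to_parent" not in f:
            f["bytes_to_parent"] = int(re.search(r"wrote (\d+) bytes", msg).group(1))
    f["parent_request_bare"] = f.get("bytes_to_parent") == f.get("expected_bare_bytes")
    return f
```

Run against the sample it reports a 52 second DNS wait, a failed lookup for the tunnel target, and a bare 43-byte CONNECT to the parent even though the client did send Proxy-authorization.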
