Re: HTTPS Problem/Question

From: Panagiotis Malakoudis <pmal@dont-contact.us>
Date: Fri, 31 Dec 1999 14:45:08 +0200

Please send me the log file record.
If just by using the proxy.pac the problem was solved then we are sure that
this is a configuration issue.
We need to see the log.

Panagiotis S. Malakoudis

Systems Administrator
SPACE HELLAS S.A.
----- Original Message -----
From: "Richard van Denzel" <richardd@interaccess.nl>
To: "Panagiotis Malakoudis" <pmal@space.gr>
Cc: <squid-users@ircache.net>
Sent: Friday, December 31, 1999 2:03 PM
Subject: Re: HTTPS Problem/Question

> Hi,
>
> My problem seems to be solved by using my proxy.pac.
>
> The old message I got when using manual proxy, was that the page contained no
> data.
>
> Richard.
>
> Panagiotis Malakoudis wrote:
>
> > You say that with this config you try to access a secure web site and
> > cannot? What is the error message you get and what is the output to the log
> > file?
> >
> > Panagiotis S. Malakoudis
> >
> > Systems Administrator
> > SPACE HELLAS S.A.
> > ----- Original Message -----
> > From: "Richard van Denzel" <richardd@interaccess.nl>
> > To: "Panagiotis Malakoudis" <pmal@space.gr>
> > Cc: <squid-users@ircache.net>
> > Sent: Tuesday, December 28, 1999 12:31 PM
> > Subject: Re: HTTPS Problem/Question
> >
> > > Nope, also didn't work. Here's the new config:
> > >
> > > acl all src 0.0.0.0/0.0.0.0
> > > acl manager proto cache_object
> > > acl localhost src 127.0.0.1/255.255.255.255
> > > acl ia-br src 172.16.1.28/255.255.255.255
> > > acl SSL_ports port 443 563 777
> > > acl Safe_ports port 80 21 443 563 777 70 210 1025-65535
> > > acl Dangerous_Ports port 7 9 19
> > > acl CONNECT method CONNECT
> > >
> > > http_access allow manager localhost
> > > http_access allow manager ia-br
> > > http_access deny manager !all
> > > http_access deny !Safe_ports
> > > http_access deny CONNECT !SSL_ports
> > > http_access deny Dangerous_Ports
> > > ###http_access allow ldap
> > > http_access allow all
> > >
> > > Richard.
> > >
> > > Panagiotis Malakoudis wrote:
> > >
> > > > Try something like the following...
> > > >
> > > > acl all src 0.0.0.0/0.0.0.0
> > > > acl manager proto cache_object
> > > > acl localhost src 127.0.0.1/255.255.255.255
> > > > acl SSL_ports port 443 563 777
> > > > acl Dangerous_ports port 7 9 19
> > > > acl CONNECT method CONNECT
> > > >
> > > > http_access deny manager !all
> > > > http_access deny CONNECT !SSL_ports
> > > > http_access deny Dangerous_ports
> > > > http_access allow all
> > > >
> > > > Panagiotis S. Malakoudis
> > > >
> > > > Systems Administrator
> > > > SPACE HELLAS S.A.
> > > > ----- Original Message -----
> > > > From: "Richard van Denzel" <richardd@interaccess.nl>
> > > > To: "Panagiotis Malakoudis" <pmal@space.gr>
> > > > Cc: <squid-users@ircache.net>
> > > > Sent: Monday, December 27, 1999 12:40 PM
> > > > Subject: Re: HTTPS Problem/Question
> > > >
> > > > > Here it is:
> > > > >
> > > > > acl all src 0.0.0.0/0.0.0.0
> > > > > acl manager proto cache_object
> > > > > acl localhost src 127.0.0.1/255.255.255.255
> > > > > acl ia-br src 172.16.1.28/255.255.255.255
> > > > > acl SSL_ports port 443 563 777
> > > > > acl Safe_ports port 80 21 443 563 777 70 210 1025-65535
> > > > > acl CONNECT method CONNECT
> > > > >
> > > > > http_access deny !Safe_ports
> > > > > http_access deny CONNECT !SSL_ports
> > > > > http_access allow all
> > > > >
> > > > > Panagiotis Malakoudis wrote:
> > > > >
> > > > > > > How about sending us the access list and http access part again (the new one
> > > > > > > that is)
> > > > > >
> > > > > > Panagiotis S. Malakoudis
> > > > > >
> > > > > > Systems Administrator
> > > > > > SPACE HELLAS S.A.
> > > > > > ----- Original Message -----
> > > > > > From: "Richard van Denzel" <richardd@interaccess.nl>
> > > > > > To: "Panagiotis Malakoudis" <pmal@space.gr>
> > > > > > Cc: <squid-users@ircache.net>
> > > > > > Sent: Friday, December 24, 1999 3:36 PM
> > > > > > Subject: Re: HTTPS Problem/Question
> > > > > >
> > > > > > > Nope, that didn't work.
> > > > > > >
> > > > > > > Panagiotis Malakoudis wrote:
> > > > > > >
> > > > > > > > Squid stops when it finds a match from an access list.
> > > > > > > > In your case "http_access deny !Safe_ports" is the first access list to
> > > > > > > > check and this is why you cannot see https locally.
> > > > > > > > It is a very generic acl and it blocks your access.
> > > > > > > > You basically say to the system "deny everything but safe ports". When your
> > > > > > > > request goes through the proxy it matches this first acl and exits with the
> > > > > > > > message you see.
> > > > > > > > You need to rearrange your acls in a way that are not so generic.
> > > > > > > > Why define all these safe ports and not define only dangerous ports? This
> > > > > > > > way you could just say
> > > > > > > >
> > > > > > > > acl all src 0.0.0.0/0.0.0.0
> > > > > > > > acl SSL_ports port 443 563 777
> > > > > > > > acl Dangerous_ports port 7 9 19
> > > > > > > > acl CONNECT method CONNECT
> > > > > > > >
> > > > > > > > http_access deny Dangerous_ports
> > > > > > > > http_access deny CONNECT !SSL_ports
> > > > > > > > http_access allow all
> > > > > > > >
> > > > > > > > Panagiotis S. Malakoudis
> > > > > > > >
> > > > > > > > Systems Administrator
> > > > > > > > SPACE HELLAS S.A.
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Richard van Denzel" <richardd@interaccess.nl>
> > > > > > > > To: <squid-users@ircache.net>; "Paul Gomersbach" <paulg@interaccess.nl>
> > > > > > > > Sent: Tuesday, December 21, 1999 1:54 PM
> > > > > > > > Subject: HTTPS Problem/Question
> > > > > > > >
> > > > > > > > > Hi All,
> > > > > > > > >
> > > > > > > > > > I've got a strange problem with https. Our firewall is web-capable by
> > > > > > > > > > using:
> > > > > > > > > > https://gw:777.
> > > > > > > > > > When I access https pages on the Internet, there are no problems. But
> > > > > > > > > > internal Netscape (4.7) responds with an error receiving data
> > > > > > > > > > (connection refused). When I bypass the squid proxy (using direct
> > > > > > > > > > connection) it works, or even when using our old Netscape 3.5 Proxy
> > > > > > > > > > Server it works.
> > > > > > > > >
> > > > > > > > > The following lines are from squid.conf (2.2S5):
> > > > > > > > >
> > > > > > > > > acl SSL_ports port 443 563 777
> > > > > > > > > acl Safe_ports port 80 21 443 563 777 70 210 1025-65535
> > > > > > > > > acl CONNECT method CONNECT
> > > > > > > > >
> > > > > > > > > http_access deny !Safe_ports
> > > > > > > > > http_access deny CONNECT !SSL_ports
> > > > > > > > >
> > > > > > > > > Can anyone tell me what I'm doing wrong?
> > > > > > > > >
> > > > > > > > > Thanx,
> > > > > > > > >
> > > > > > > > > Richard.
Received on Fri Dec 31 1999 - 05:59:04 MST
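
The first-match evaluation of http_access lines discussed in this thread, as an added example that is not part of the original messages and is not Squid's own code: a minimal Python model of the acl types used here (src, port, proto, method), run over the active lines of the configuration from the 28 December message. The helper names, the sample requests and the client address 172.16.1.50 are constructed for illustration.

```python
import ipaddress
# Active lines of the configuration from the 28 Dec 1999 message in the thread.
CONF = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl ia-br src 172.16.1.28/255.255.255.255
acl SSL_ports port 443 563 777
acl Safe_ports port 80 21 443 563 777 70 210 1025-65535
acl Dangerous_Ports port 7 9 19
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager ia-br
http_access deny manager !all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny Dangerous_Ports
http_access allow all
"""

def parse(conf):
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()          # drop comments, tokenize
        if tok[:1] == ["acl"]:
            acls[tok[1]] = (tok[2], tok[3:])      # name -> (type, values)
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))       # (allow|deny, [acl names])
    return acls, rules

def acl_matches(acl, req):
    kind, vals = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in vals)
    if kind == "port":                            # single ports and lo-hi ranges
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in vals)
    return req[kind] in vals                      # proto, method

def decide(conf, req):  # -> (action, 1-based http_access line that matched, or None)
    acls, rules = parse(conf)
    for n, (action, names) in enumerate(rules, 1):
        # ACLs on one line are ANDed; a leading "!" negates that ACL.
        if all(acl_matches(acls[x.lstrip("!")], req) != x.startswith("!") for x in names):
            return action, n                      # first matching line decides
    return ("allow" if rules[-1][0] == "deny" else "deny"), None  # no match: opposite of last line

def sample(method, port, src="172.16.1.50", proto="http"):  # constructed sample request
    return {"method": method, "port": port, "src": src, "proto": proto}
```

In this model `decide(CONF, sample("CONNECT", 777))` returns `("allow", 7)`: port 777 is listed in both Safe_ports and SSL_ports, so the request falls through to `http_access allow all`, while a CONNECT to port 8080 is denied at line 5 and a GET to port 7 at line 4.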
