[squid-users] strange https problem

From: Arkadi Colson <arc@dont-contact.us>
Date: Wed, 10 Jul 2002 11:33:58 +0200
Hi all,

I'm having a very strange problem on my firewall.

Here is the situation:
I'm running squid on my firewall to proxy the http traffic.
Squid is configured to go via my isp proxy (proxy.pandora.be:8080); I can't go directly to port 80, my isp is blocking this.
Internally I did a redirect from port 80 to 3128 with iptables.
Internal traffic to port 443 is masqueraded to the outside. I can go directly to port 443, my isp allows this.

All the http sites are working correctly.
Now the problem is that https isn't.
When I log in to hotmail for example, that part works. It also uses https shortly. But when I want to send a mail via compose or delete a mail in the inbox, nothing happens. This happens also with some other https sites.
I'm not sure if this is a squid problem because I masquerade all the 443 traffic ...

When I watch my logs I can see a deny of traffic to hotmail on port 80 on my external interface. The deny is normal because I can't go directly anyway to sites on port 80, because my isp is blocking this. I have to go via my isp proxy. Squid is configured and should do this. Even when I allow this traffic, it still doesn't work.

Versions:
iptables: 1.2.5-5
squid: 2.4.STABLE6-6.7.3

my squid.conf

http_port 3128                      # port the iptables REDIRECT below sends LAN port-80 traffic to
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl all src 0/0
no_cache deny all                   # nothing is cached at all; Squid only forwards
cache_mem  10 MB
maximum_object_size 1 KB
# Parent proxy. Note: with no never_direct rule, Squid 2.4 may still fetch
# non-hierarchical URLs (hierarchy_stoplist default: cgi-bin ?) DIRECT instead of via the parent.
cache_peer proxy.pandora.be parent 8080 0 no-query default
emulate_httpd_log on
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
acl all src 0.0.0.0/0.0.0.0        # same name as the earlier "acl all src 0/0"
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT
acl flapkefw src 10.1.5.100/255.255.255.255
acl flapkelt src 10.1.5.12/255.255.255.255
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow flapkelt
http_access allow flapkefw
http_access deny all
# Transparent (intercepting) proxy settings for Squid 2.4
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on     # needed: REDIRECTed requests carry only a relative URL plus Host header
logfile_rotate 1000

iptables

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

I hope someone can help me

thanks already

Arkadi
Received on Wed Jul 10 2002 - 03:36:23 MDT
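An added example, not from the original post or its author, of a complete iptables ruleset for the topology described above: LAN clients on eth1 get their port-80 traffic redirected into Squid, their port-443 traffic is masqueraded straight out, and the firewall itself is only expected to talk to the ISP parent proxy on 8080. The external interface name (eth0) is an assumption, as are the LOG rules, which exist so that any port-80 traffic that bypasses Squid and hits the ISP block shows up in the logs with a recognisable prefix. By default the script only prints the rules (dry run); set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the nat/filter rules for:
#   LAN (eth1) --port 80--> REDIRECT to Squid:3128 --> parent proxy.pandora.be:8080
#   LAN (eth1) --port 443-> MASQUERADE out of eth0 directly (ISP allows 443, blocks 80)
# IPT defaults to a dry run that echoes the commands; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"        # internal interface, from the post
WAN_IF="${WAN_IF:-eth0}"        # assumed name of the external interface
SQUID_PORT="${SQUID_PORT:-3128}"
PARENT_PROXY="${PARENT_PROXY:-proxy.pandora.be}"
PARENT_PORT="${PARENT_PORT:-8080}"

rules() {
    # nat: intercept LAN HTTP and hand it to the local Squid (needs httpd_accel_* in squid.conf)
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

    # nat: HTTPS is not proxied; forward it and hide LAN addresses behind the external address
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -p tcp --dport 443 -j MASQUERADE

    # filter: allow forwarded HTTPS and its return traffic
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # filter: LAN port-80 traffic should never reach FORWARD (the REDIRECT catches it);
    # anything logged here escaped interception and will be blocked by the ISP anyway
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 80 -j LOG --log-prefix "lan-direct-http80: "

    # filter: the firewall (i.e. Squid) should only leave on port 8080 towards the parent;
    # a logged port-80 attempt from the box itself means Squid went DIRECT instead of via cache_peer
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -d "$PARENT_PROXY" --dport "$PARENT_PORT" -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j LOG --log-prefix "fw-direct-http80: "
}

rules
```

Run it once as a dry run and compare the printed rules with `iptables -t nat -L -n` and `iptables -L -n` on the live box; the two LOG prefixes make it easy to tell apart port-80 leaks from LAN clients (interception not catching them) and from the firewall itself (Squid fetching directly rather than through the parent).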

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:12 MST