[squid-users] Odd "https" behaviour.

From: Tim Neto <tneto@dont-contact.us>
Date: Wed, 17 Mar 2004 14:41:52 -0500

Hello,

I'm seeing the following in the Squid's access log when users try
accessing an "https" site.

--------------------------------------------------------------------------------------------------------------------------------------------------------------
1079532258.813 0 172.16.1.13 TCP_DENIED/407 1725 CONNECT www.komatsuamerica.net:443 - NONE/- text/html
1079532261.705 878 172.16.1.13 TCP_DENIED/403 1453 GET http://www.komatsuamerica.net/_mem_bin/applicationLogin.asp? - NONE/- text/html
--------------------------------------------------------------------------------------------------------------------------------------------------------------

Any ideas as to why Squid is changing the request from an "https" request
to a non-secure "http" request? We have several sites that are
secure-only and that our users need to access. If the user first goes to
a non-secure web site, access to the secure web site works. That is okay,
if annoying, for most browsing; however, our partner at Komatsu America
now has a JAVA script based application that makes a direct connection.

Any ideas?

I've looked at the FAQ, with no luck. I do not see article "11:34"
applying to this situation. The application is making a straightforward
HTTPS request. I found no other articles that seem related to https in
this manner.

The problem was first noticed with Squid version 2.5.STABLE1, the
default shipped with RedHat 9.1. So before contacting the Squid user
group, I built a test server and upgraded Squid to the following version:

     -------------------------------------------------
     [root@proxy3 squid]# squid -v
     Squid Cache: Version 2.5.STABLE5
     configure options: --prefix=/usr
     -------------------------------------------------

The only adjustments from the gzip'd tar ball were to specify a different
root prefix (a RedHat requirement) and to adjust where the mime.conf
and squid.conf files are found (/etc/squid instead of /usr/etc).

The problem still exists.

My squid configuration file is:

=================================================================================================
# ----------------------------------------------------------------------
# Listeners. The external listener (port 80) and the internal one (8080)
# are governed by the same http_access list below. With
# httpd_accel_with_proxy on (end of this file) each listener accepts both
# accelerated and forward-proxy requests, so the http_access ordering is
# what keeps Internet clients confined to the portal rule.
http_port (our_external_IP):80
http_port (our_internal_IP):8080

# ----------------------------------------------------------------------
# Do not cache or forward-to-peers anything that looks dynamic
# (cgi-bin or a URL containing a query string).
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_effective_user squid
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

cache_mgr WebMaster@komatsu.ca
#

# ----------------------------------------------------------------------
# Basic authentication against LDAP. Basic credentials are only
# base64-encoded on the wire, so this assumes the client-to-proxy path
# is trusted. (The directive was wrapped by the mailer; it is one line
# in the real file.)
auth_param basic program /usr/lib/squid/squid_ldap_auth -h
ldap.komatsu.ca -p (our_port) -P -b o=komatsu -f "uid=%s"

auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
# Cached credentials are re-validated against LDAP after 5 minutes.
auth_param basic credentialsttl 5 minute

# Group-membership helper. %LOGIN hands the authenticated user name to
# the helper; an unauthenticated request evaluated against one of the
# ldap_group ACLs below appears to be what triggers the 407 challenge
# (e.g. the TCP_DENIED/407 on CONNECT in the quoted access log).
# This helper is the only thing in this file that demands credentials:
# the kcl_users proxy_auth ACL further down is defined but never used in
# an http_access rule. (Wrapped by the mailer; one directive.)
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h
ldap.komatsu.ca -p (our_port) -P -b o=komatsu -F "uid=%s" -f
"(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# ----------------------------------------------------------------------
# Default Squid ACL's
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# to_localhost is defined but no rule below uses it. The stock squid.conf
# pairs it with "http_access deny to_localhost" ahead of the allow rules
# so clients cannot use the proxy to reach services bound to the proxy
# host's own loopback.
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 80
acl Safe_ports port 81
acl Safe_ports port 89
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 443 563
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT

# ----------------------------------------------------------------------
# KCL Defined ACL's and http_access definitions.
# kcl_users is never referenced by an http_access rule in this file;
# authentication is currently only forced via the ldap_group ACLs.
acl kcl_users proxy_auth REQUIRED
acl kcl_networks src (our_internal_subnet)/16
# dmz_networks is defined but not referenced by any rule in this file.
acl dmz_networks src (our_external_subnet)/28
# url_regex is an unanchored regular expression and the dots are not
# escaped, so this matches any URL that merely contains this text
# anywhere (including inside the path or query string of an unrelated
# site). Because it is allowed for portal_networks (every source) below,
# consider anchoring and escaping it:
#   acl portal_url url_regex ^http://portal\.komatsu\.ca/portal
acl portal_url url_regex http://portal.komatsu.ca/portal
acl portal_networks src 0.0.0.0/0

# LDAP group acl definitions.
# Each one asks the ldap_group helper whether the logged-in user is a
# member of the named LDAP group.
acl puro_group external ldap_group puro
acl proxy_group external ldap_group proxy
acl proxy_komatsu external ldap_group proxy_komatsu

# http_access is evaluated top to bottom; the first matching rule wins.
http_access allow manager localhost
# Every host in the internal /16 may query the cache manager without
# authenticating; narrow this to admin hosts if cachemgr is not needed
# network-wide.
http_access allow manager kcl_networks
http_access deny manager
http_access deny !Safe_ports
# CONNECT tunnels (used for https) are permitted only to 443 and 563.
http_access deny CONNECT !SSL_ports

# ----------------------------------------------------------------------
# Note: KCL deny rules must exist before any allow rules.
# (First match wins, so a deny placed after an allow would never fire
# for traffic the allow already matched.)
#
acl no_kazaa dstdomain .kazaa.com
acl no_puretracks dstdomain .puretracks.com
acl no_kilopics dstdomain .kilopics.com
acl no_lingerie-mania dstdomain .lingerie-mania.com
acl no_uproar dstdomain .uproar.com

http_access deny no_kazaa
http_access deny no_puretracks
http_access deny no_kilopics
http_access deny no_lingerie-mania
http_access deny no_uproar

# ----------------------------------------------------------------------
# Puro group allowed list of web sites.
# ACLs
# A leading dot on a dstdomain entry matches the domain and all of its
# subdomains; the four src entries are single hosts (/32).
#
acl puro204_101_91_186 src 204.101.91.186/32
acl puro207_139_227_2 src 207.139.227.2/32
acl puro208_243_115_241 src 208.243.115.241/32
acl puro216_13_143_230 src 216.13.143.230/32
acl puro_actparts_com dstdomain .actparts.com
acl puro_aircanada_ca dstdomain .aircanada.ca
acl puro_alcan_com dstdomain .alcan.com
acl puro_alliedsystems_com dstdomain .alliedsystems.com
acl puro_atlascopco-cmna_com dstdomain .atlascopco-cmna.com
acl puro_atlascopco_com dstdomain .atlascopco.com
acl puro_atlas-compressors dstdomain .atlascopco-compressors-can.com
acl puro_canadapost_ca dstdomain .canadapost.ca
acl puro_canadayellowpages_com dstdomain .canadayellowpages.com
acl puro_coneco_ca dstdomain .coneco.ca
acl puro_cranab_com dstdomain .cranab.com
acl puro_cummins_com dstdomain .cummins.com
acl puro_denharco_com dstdomain .denharco.com
acl puro_efni_com dstdomain .efni.com
acl puro_epartscentral_com dstdomain .epartscentral.com
acl puro_equifax_ca dstdomain .equifax.ca
acl puro_equifax_com dstdomain .equifax.com
acl puro_equipmentcentral_com dstdomain .equipmentcentral.com
acl puro_federal-equip_com dstdomain .federal-equip.com
acl puro_fedex_com dstdomain .fedex.com
acl puro_fleetguard_com dstdomain .fleetguard.com
acl puro_granddictionaire_com dstdomain .granddictionaire.com
acl puro_hexaware_com dstdomain .hexaware.com
acl puro_hrparts_com dstdomain .hrparts.com
acl puro_ingersoll-rand_com dstdomain .ingersoll-rand.com
acl puro_ir-atcs_com dstdomain .ir-atcs.com
acl puro_ircommerce_com dstdomain .ircommerce.com
acl puro_komatsuamerica_com dstdomain .komatsuamerica.com
acl puro_komatsuamerica_net dstdomain .komatsuamerica.net
acl puro_komatsu_co_jp dstdomain .komatsu.co.jp
acl puro_komatsu_com dstdomain .komatsu.com
acl puro_lmtruckparts_com dstdomain .lmtruckparts.com
acl puro_machinerytrader_com dstdomain .machinerytrader.com
acl puro_machinetrader_com dstdomain .machinetrader.com
acl puro_mailposte_ca dstdomain .mailposte.ca
acl puro_mylabs_ca dstdomain .mylabs.ca
acl puro_nido_nl dstdomain .nido.nl
acl puro_oilanalysis_net dstdomain .oilanalysis.net
acl puro_partekforest_ca dstdomain .partekforest.ca
acl puro_partekforest_com dstdomain .partekforest.com
acl puro_partekforestusa_com dstdomain .partekforestusa.com
acl puro_partfinder_pfw_com dstdomain .partfinder.pfw.com
acl puro_phoenixreman_com dstdomain .phoenixreman.com
acl puro_point2_com dstdomain .point2.com
acl puro_postescanada_ca dstdomain .postescanada.ca
acl puro_purolator_ca dstdomain .purolator.ca
acl puro_purolator_com dstdomain .purolator.com
acl puro_pwce_com dstdomain .pwce.com
acl puro_rightparts_com dstdomain .rightparts.com
acl puro_sumitomo_com dstdomain .sumitomo.com
acl puro_sympatico_ca dstdomain .sympatico.ca
acl puro_terratech_ca dstdomain .terratech.ca
acl puro_timbcohyd_com dstdomain .timbcohyd.com
acl puro_ups_ca dstdomain .ups.ca
acl puro_ups_com dstdomain .ups.com
acl puro_valuepart_com dstdomain .valuepart.com
acl puro_waratah_net dstdomain .waratah.net
acl puro_wearcheck_ca dstdomain .wearcheck.ca
# Unlike every entry above, these two have no leading dot, so they match
# the bare host names only (not www.mapquest.com etc.). Presumably
# unintentional; add the leading dot if subdomains should be covered.
acl puro_mapquest_com dstdomain mapquest.com
acl puro_mapquest_ca dstdomain mapquest.ca
# ----------------------------------------------------------------------
# Access enablers
# Each rule requires all three: source in the internal /16, the
# authenticated user in the LDAP "puro" group, and the destination
# matching the named ACL.
#
http_access allow kcl_networks puro_group puro204_101_91_186
http_access allow kcl_networks puro_group puro207_139_227_2
http_access allow kcl_networks puro_group puro208_243_115_241
http_access allow kcl_networks puro_group puro216_13_143_230
http_access allow kcl_networks puro_group puro_actparts_com
http_access allow kcl_networks puro_group puro_aircanada_ca
http_access allow kcl_networks puro_group puro_alcan_com
http_access allow kcl_networks puro_group puro_alliedsystems_com
http_access allow kcl_networks puro_group puro_atlascopco-cmna_com
http_access allow kcl_networks puro_group puro_atlascopco_com
http_access allow kcl_networks puro_group puro_atlas-compressors
http_access allow kcl_networks puro_group puro_canadapost_ca
http_access allow kcl_networks puro_group puro_canadayellowpages_com
http_access allow kcl_networks puro_group puro_coneco_ca
http_access allow kcl_networks puro_group puro_cranab_com
http_access allow kcl_networks puro_group puro_cummins_com
http_access allow kcl_networks puro_group puro_denharco_com
http_access allow kcl_networks puro_group puro_efni_com
http_access allow kcl_networks puro_group puro_epartscentral_com
http_access allow kcl_networks puro_group puro_equifax_ca
http_access allow kcl_networks puro_group puro_equifax_com
http_access allow kcl_networks puro_group puro_equipmentcentral_com
http_access allow kcl_networks puro_group puro_federal-equip_com
http_access allow kcl_networks puro_group puro_fedex_com
http_access allow kcl_networks puro_group puro_fleetguard_com
http_access allow kcl_networks puro_group puro_granddictionaire_com
http_access allow kcl_networks puro_group puro_hexaware_com
http_access allow kcl_networks puro_group puro_hrparts_com
http_access allow kcl_networks puro_group puro_ingersoll-rand_com
http_access allow kcl_networks puro_group puro_ir-atcs_com
http_access allow kcl_networks puro_group puro_ircommerce_com
http_access allow kcl_networks puro_group puro_komatsuamerica_com
http_access allow kcl_networks puro_group puro_komatsuamerica_net
http_access allow kcl_networks puro_group puro_komatsu_co_jp
http_access allow kcl_networks puro_group puro_komatsu_com
http_access allow kcl_networks puro_group puro_lmtruckparts_com
http_access allow kcl_networks puro_group puro_machinerytrader_com
http_access allow kcl_networks puro_group puro_machinetrader_com
http_access allow kcl_networks puro_group puro_mailposte_ca
http_access allow kcl_networks puro_group puro_mapquest_ca
http_access allow kcl_networks puro_group puro_mapquest_com
http_access allow kcl_networks puro_group puro_mylabs_ca
http_access allow kcl_networks puro_group puro_nido_nl
http_access allow kcl_networks puro_group puro_oilanalysis_net
http_access allow kcl_networks puro_group puro_partekforest_ca
http_access allow kcl_networks puro_group puro_partekforest_com
http_access allow kcl_networks puro_group puro_partekforestusa_com
http_access allow kcl_networks puro_group puro_partfinder_pfw_com
http_access allow kcl_networks puro_group puro_phoenixreman_com
http_access allow kcl_networks puro_group puro_point2_com
http_access allow kcl_networks puro_group puro_postescanada_ca
http_access allow kcl_networks puro_group puro_purolator_ca
http_access allow kcl_networks puro_group puro_purolator_com
http_access allow kcl_networks puro_group puro_pwce_com
http_access allow kcl_networks puro_group puro_rightparts_com
http_access allow kcl_networks puro_group puro_sumitomo_com
http_access allow kcl_networks puro_group puro_sympatico_ca
http_access allow kcl_networks puro_group puro_terratech_ca
http_access allow kcl_networks puro_group puro_timbcohyd_com
http_access allow kcl_networks puro_group puro_ups_ca
http_access allow kcl_networks puro_group puro_ups_com
http_access allow kcl_networks puro_group puro_valuepart_com
http_access allow kcl_networks puro_group puro_waratah_net
http_access allow kcl_networks puro_group puro_wearcheck_ca
#
# End of Puro definitions.
# ----------------------------------------------------------------------

# ----------------------------------------------------------------------
# Allow all proxy users to all web addresses.
# Members of the "proxy" or "proxy_komatsu" LDAP groups, coming from the
# internal /16, may reach any destination that survived the deny rules
# above.
#
http_access allow kcl_networks proxy_group
http_access allow kcl_networks proxy_komatsu

# ----------------------------------------------------------------------
# Allow access from the Internet for portal.
# This is the only rule an external, unauthenticated client can match;
# see the note on portal_url above about anchoring the regex.
#
http_access allow portal_url portal_networks
# ----------------------------------------------------------------------

http_access allow localhost
http_access deny all
http_reply_access allow all
# ICP is accepted from any source that can reach the ICP port, including
# via the external address. No cache_peer appears in this listing; if
# there are no peers, "icp_access deny all" (or restricting it to
# kcl_networks) removes an unneeded exposure.
icp_access allow all

# ----------------------------------------------------------------------
# Accelerator (reverse-proxy) mode for the internal web server, combined
# with ordinary forward proxying on the same listeners.
httpd_accel_host (our_internal_web_server)
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy on
# Squid's bundled squid.conf documentation warns that with this option
# Squid routes on the client-supplied Host: header without checking it
# and recommends leaving it off unless required; review whether it is
# actually needed for this deployment.
httpd_accel_uses_host_header on

# ----------------------------------------------------------------------
# Core files land in the cache directory; they can contain in-flight
# request data (including Basic credentials), so keep this path
# restricted to the squid user.
coredump_dir /var/spool/squid
=================================================================================================

-- 
----------------------------------------------------------------------
Timothy E. Neto
 Computer Systems Engineer              Komatsu Canada Limited
 Ph#: 905-625-6292 x265                 1725B Sismet Road
 Fax: 905-625-6348                      Mississauga, Ontario, Canada
 E-Mail: tneto@komatsu.ca               L4W 1P9
----------------------------------------------------------------------
Received on Wed Mar 17 2004 - 12:42:41 MST
