[squid-users] Accessing a SSL site on a different port than 443

From: Mike Carpenter <MCarpenter@dont-contact.us>
Date: Wed, 5 May 2004 11:35:40 -0400

I have run into an issue where Squid is not allowing an SSL connection to
be made to a different port than 443.

Normally, when making a request to Squid, I am prompted for credentials
(smb_auth helper) and then the web page is retrieved. This error is
strange in that we cannot access (for example) https://www.foo.org:17780.
All I get back is a 403 error and the strange part is, I am not prompted
for authentication. If I drop the port # at the end of the URL, I am
prompted for credentials but the request fails of course since the server
isn't listening on 443.

I am including the ACL from my config file for reference. By the way, we
are using DansGuardian for content filtering, so all requests come from
the loopback address. Also I have a list of sites that do not require
authentication (bypasslist) and a list of sites that nobody has access to
(denyall). Putting the site in question in the bypasslist does not fix
the problem and still returns a 403 error.

acl unrestrictedu proxy_auth "/etc/squid/unrestricted.users"
acl whitelistu proxy_auth "/etc/squid/whitelist.users"
acl password proxy_auth 300

acl whitelist dstdomain "/etc/squid/whitelist"
acl whitelistip dst "/etc/squid/whitelistip"
acl bypassurl dstdomain "/etc/squid/bypasslist"
acl denyall dst "/etc/squid/denyall"

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny localhost denyall
http_access allow localhost bypassurl
http_access allow unrestrictedu
http_access allow whitelistu whitelist
http_access allow whitelistu whitelistip
#http_access allow localhost
http_access deny all

Thanks for any advice you may have.

Michael Carpenter
Network Analyst, NewPenn Motor Express

mcarpenter@newpenn.com
Received on Wed May 05 2004 - 09:36:33 MDT
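
Added example, not part of the original post: a small Python model of Squid's first-match http_access evaluation applied to the posted rules, showing which rule decides a CONNECT to www.foo.org:17780 and that no proxy_auth ACL is reached before it. The helper names and the exact-match host sets standing in for the list files are assumptions.

```python
# Added illustration: a simplified model of Squid's first-match http_access
# evaluation. Exact-match host sets stand in for the dstdomain/dst list files.
SSL_PORTS = {443, 563}
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}

class NeedAuth(Exception):
    """A proxy_auth ACL was evaluated with no credentials (Squid answers 407)."""

def proxy_auth(req, users):
    if req["user"] is None:
        raise NeedAuth()
    return req["user"] in users

def posted_rules(ssl_ports=SSL_PORTS, bypass=(), denyall=(), unrestricted=()):
    # Same order as the posted http_access lines; the two whitelistu rules are
    # left out because they begin with proxy_auth just like unrestrictedu.
    local = lambda r: r["src"] == "127.0.0.1"
    manager = lambda r: r["proto"] == "cache_object"
    safe = lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535
    return [
        ("allow", "manager localhost", [manager, local]),
        ("deny", "manager", [manager]),
        ("deny", "!Safe_ports", [lambda r: not safe(r)]),
        ("deny", "CONNECT !SSL_ports",
         [lambda r: r["method"] == "CONNECT", lambda r: r["port"] not in ssl_ports]),
        ("deny", "localhost denyall", [local, lambda r: r["host"] in denyall]),
        ("allow", "localhost bypassurl", [local, lambda r: r["host"] in bypass]),
        ("allow", "unrestrictedu", [lambda r: proxy_auth(r, unrestricted)]),
        ("deny", "all", []),
    ]

def evaluate(req, rules):
    """ACLs in a rule are ANDed left to right; the first fully matching rule
    decides. Returns (HTTP status, text of the deciding rule)."""
    for action, text, acls in rules:
        try:
            if all(acl(req) for acl in acls):
                return (200 if action == "allow" else 403), text
        except NeedAuth:
            return 407, text
    return 403, "no rule matched"

def connect(host, port, user=None):
    # Every request reaches Squid from DansGuardian on the loopback address.
    return {"method": "CONNECT", "proto": "none", "host": host,
            "port": port, "src": "127.0.0.1", "user": user}

if __name__ == "__main__":
    for port in (17780, 443):
        print(port, evaluate(connect("www.foo.org", port), posted_rules()))
```

In this model only a change to SSL_ports (for example passing ssl_ports={443, 563, 17780}) moves the decision past the CONNECT rule, after which the request reaches the proxy_auth rule and is challenged.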
