Re: [squid-users] HTTPS traffic in normal transparent proxy

From: <viveksnv_at_aol.in>
Date: Thu, 16 Oct 2008 05:57:13 -0400

Thanks Henrik.

I tried with both types for blocking https://gmail.com.

My conf is

acl gmail1 url_regex gmail.com mail.google.com
and
acl gmail dstdomain gmail.com mail.google.com

http_access deny gmail gmail1

Now https://gmail.com is blocked.

But all other https sites are not working.

Error in browser:

while retrieving the url (display ip address).
protocol error..

In access.log

only one https request goes..

GET https://gmail.com

Regards
Vivek

On ons, 2008-10-15 at 10:23 -0400, viveksnv_at_aol.in wrote:
> My configuration is...
>
> http_port 0.0.0.0:3128 transparent
>
> https_port 0.0.0.0:3129 transparent
> cert=/usr/local/squid-test/CA/servercert.pem
> key=/usr/local/squid-test/CA/serverkey.pem
>
> Iptable rules are:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129
>
> In cache.log
>
> Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 12.
> Accepting HTTPS connections at 0.0.0.0, port 3129, FD 13
>
> In access.log while accessing https://gmail.com
>
> TCP_MISS/200 2213 CONNECT gmail.com:443

This is not a transparently intercepted https request. This browser is
configured to use the proxy.

The https_port method will only work for transparently intercepted
requests, not when the browser is configured to use the proxy.

For this to work when the browser is configured to use the proxy you
need the sslbump feature available in the upcoming 3.1 release.

> But problem is now gmail not blocked...
>
> In http://gmail.com requests...it's blocked..

CONNECT requests are subject to the same http_access rules as http
access. If GET http://gmail.com is blocked but CONNECT gmail.com:443 is
not then check your access rules. A guess without seeing your ruleset is
that you are using url_regex instead of dstdomain type acls.

Regards
Henrik
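As an added example (not from this thread or from Squid itself), a small Python audit over constructed Squid native access.log lines that applies Henrik's two checks: a CONNECT entry means that client is configured to use the proxy explicitly rather than being intercepted, and a host that is denied for a plain GET but reached through CONNECT points at the http_access/acl set-up. The sample lines, hostnames and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format (not from the
# thread); client/server addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
1224151033.123    245 192.0.2.10 TCP_DENIED/403 1420 GET http://gmail.com/ - NONE/- text/html
1224151034.456   1830 192.0.2.10 TCP_MISS/200 2213 CONNECT gmail.com:443 - DIRECT/203.0.113.5 -
1224151035.789    210 192.0.2.11 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/203.0.113.9 text/html
1224151036.012     95 192.0.2.11 TCP_DENIED/403 1420 GET http://mail.google.com/mail/ - NONE/- text/html
"""

# Native format: timestamp elapsed client action/status bytes method url ...
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)")

def parse_line(line):
    """Return the fields this audit needs, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, _elapsed, client, action, status, _size, method, url = m.groups()
    if method == "CONNECT":
        # Only a proxy-aware client sends CONNECT; its URL field is host:port.
        host, via_connect = url.rsplit(":", 1)[0], True
    else:
        # Absolute URL (an intercepted request is logged the same way): keep the host.
        host = re.sub(r"^[A-Za-z]+://", "", url).split("/")[0].split(":")[0]
        via_connect = False
    return {"client": client, "host": host, "via_connect": via_connect,
            "denied": action.startswith("TCP_DENIED"), "status": int(status)}

def records(log_text):
    return [r for r in map(parse_line, log_text.splitlines()) if r is not None]

def connect_clients(log_text):
    """Clients that sent CONNECT, i.e. are configured to use the proxy explicitly."""
    return sorted({r["client"] for r in records(log_text) if r["via_connect"]})

def inconsistent_hosts(log_text):
    """Hosts denied for a plain request but reached through CONNECT: the symptom
    Henrik attributes to the http_access/acl set-up."""
    seen = defaultdict(lambda: {"denied_plain": False, "allowed_connect": False})
    for r in records(log_text):
        if r["via_connect"] and not r["denied"]:
            seen[r["host"]]["allowed_connect"] = True
        elif not r["via_connect"] and r["denied"]:
            seen[r["host"]]["denied_plain"] = True
    return sorted(h for h, s in seen.items() if s["denied_plain"] and s["allowed_connect"])
```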

Received on Thu Oct 16 2008 - 09:59:03 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 16 2008 - 12:00:04 MDT