[squid-users] http -> https transitions timeout

From: Iain Lopata <ilopata1_at_hotmail.com>
Date: Tue, 23 Aug 2011 11:19:35 -0500

I am new to Squid, so please be patient with me.  I have searched the
documentation and user forums for an answer to my problem.  It may well be
out there, but I cannot find it.

I am running Squid 3.0 with Dansguardian on an Ubuntu server on my home
network.  Squid is configured as a transparent proxy.

I have iptables rules on my router to redirect http (Port 80) traffic to the
Ubuntu server [192.168.0.199] as follows:

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s 192.168.0.199
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
ip rule add fwmark 3 table 2
ip route add default via 192.168.0.199 dev br0 table 2

I then have iptables rules on the Ubuntu server to redirect http traffic to
port 8080, which is where Dansguardian is listening.  The rule is:

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080

It is my intent that https requests (on port 443) should not go through the
proxy server.

This all works well.  Every computer on the network has its access routed
through Dansguardian and Squid.  Users are able to browse the web.  I can
see all of the access requests in access.log (and filter requests using
Dansguardian).

However, there is one type of request that is a problem – switches from http
to https.  I will illustrate by example.  If a user goes to
http://www.linkedin.com the page is returned successfully.  If they are not
signed in, there is a link in the top left of the menu bar that says to
‘Join Today’.  This is a straightforward (non-javascript) html link to
https://www.linkedin.com/secure/register?trk=hb_join. Note this is https.
If a user clicks on this link, the connection times out (Response 504).
However,  the address bar in the browser changes to the https url.  If the
user then refreshes the page they can reach it successfully.  This problem
is not unique to linkedin.com but appears to occur on all http -> https
transitions, including those caused by a 302 redirect.

If I bypass Squid by changing the iptables, the problem disappears and users
can switch between http and https pages without problems.

I have checked the Squid logs and the request for the https page does not
appear in the log.  This is as expected, since my iptables are not
redirecting port 443 traffic to the proxy server.

Any pointers on how to resolve this would be greatly appreciated.

Thanks
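The two-stage interception described in this post (policy routing on the router, REDIRECT on the proxy host), as an added example script that is not part of the thread or of the Squid or Dansguardian projects. The addresses, interface names, port, fwmark and table number are taken from the post; everything else (the variable names, the DRY_RUN switch and the https_untouched check) is an assumption made here so the rule set can be reviewed and checked before it is applied. With DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the original poster's script: the transparent-proxy
# plumbing from the post expressed as reviewable shell functions.
# Constructed values (from the post): proxy host 192.168.0.199, router bridge
# br0, proxy LAN interface eth1, Dansguardian on 8080, fwmark 3, table 2.
# DRY_RUN=1 prints each command instead of executing it.

PROXY_IP=${PROXY_IP:-192.168.0.199}
ROUTER_IF=${ROUTER_IF:-br0}
PROXY_IF=${PROXY_IF:-eth1}
FILTER_PORT=${FILTER_PORT:-8080}
FWMARK=${FWMARK:-3}
TABLE=${TABLE:-2}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Router side: mark port-80 flows and policy-route them to the proxy host.
# The proxy's own outbound port-80 traffic is accepted first so it is not
# marked and routed back to itself (the loop guard the post's first rule adds).
router_rules() {
    run iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s "$PROXY_IP"
    run iptables -t mangle -A PREROUTING -j MARK --set-mark "$FWMARK" -p tcp --dport 80
    run ip rule add fwmark "$FWMARK" table "$TABLE"
    run ip route add default via "$PROXY_IP" dev "$ROUTER_IF" table "$TABLE"
}

# Proxy side: hand port-80 arrivals on the LAN interface to Dansguardian.
proxy_rules() {
    run iptables -A PREROUTING -t nat -i "$PROXY_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$FILTER_PORT"
}

# Check the intent stated in the post: no rule in the set matches port 443,
# so HTTPS bypasses the proxy entirely.  Returns 0 when that holds.
https_untouched() {
    ! ( DRY_RUN=1; router_rules; proxy_rules ) | grep -q -- '--dport 443'
}

# Stand-alone usage: review the rule set, then confirm HTTPS is left alone.
router_rules
proxy_rules
https_untouched && echo "ok: port 443 is not intercepted"
```

Running it with DRY_RUN=0 on the router and on the proxy host respectively (router_rules on one, proxy_rules on the other) applies the same rules the post lists; the https_untouched check is only a string match over the generated commands, so it confirms the rule set's intent, not the live state of the kernel tables.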
Received on Tue Aug 23 2011 - 16:19:41 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 24 2011 - 12:00:10 MDT