Re: [squid-users] SSL sites bypass authentication

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 20 Mar 2012 11:26:47 +0200

On 20/03/2012 07:31, Vishal Agarwal wrote:
> Hi Amos,
>
> You are right.
>
> Will this work with transferring all the traffic to the http port from iptables?
>
> iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j DNAT --to-destination serverip:3128

You do recall that https is supposed to be on port 443? Right?
Just block https/443 for users outside the proxy with:
iptables -t filter -I FORWARD 1 -s 192.168.1.0/24 -p tcp --dport 443 -j DROP

This will make this DROP rule the first one and will force users/clients to use
the proxy for SSL connections.

Regards,
Eliezer
>
> And further checking the traffic in squid
>
> acl safe_ports port 443 # Secure port
> http_access allow safe_ports
>
>
>
> Thanks/regards,
> Vishal Agarwal
>
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Tuesday, March 20, 2012 11:11 AM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] SSL sites bypass authentication
>
> On 20/03/2012 5:26 p.m., Vishal Agarwal wrote:
>> Hi,
>>
>> You need to deny db_auto just after the allow statement (see below). I hope that will work.
>
> That should be meaningless: if logged in will allow, else if logged in
> will deny.
>
> Missing a '!' ?
>
> The final diagnosis of this problem is that the traffic was not even
> entering Squid. No amount of Squid config will cause it to respond to
> packets which don't even arrive.
>
> Amos
>
>

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
elilezer <at> ngtech.co.il
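An added check, not from the thread or from the Squid project: the script below audits an `iptables-save` dump for the two conditions the replies above turn on, LAN port 80 being sent to the proxy in nat/PREROUTING and LAN port 443 being DROPped in filter/FORWARD ahead of any ACCEPT that would shadow it. The LAN range and the sample ruleset are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables-save` dump for the
# proxy-bypass hole discussed above. LAN must have port 80 sent to the proxy
# in nat/PREROUTING, and port 443 DROPped in filter/FORWARD *before* any
# ACCEPT that would shadow it (the reason the reply uses "-I FORWARD 1").
LAN="192.168.1.0/24"   # assumed client network, as in the thread
# Constructed sample of `iptables-save` output, not a real capture.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j DROP
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
COMMIT'
# Shared parser: one "table chain src dport target" line per -A rule,
# with "-" for a field the rule does not set.
parse_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A / {
            src = "-"; dport = "-"; target = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "-s")      src = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            print table, $2, src, dport, target
        }'
}
# Exit 0 if LAN port-80 traffic is REDIRECTed or DNATed in nat/PREROUTING.
http_goes_to_proxy() {
    parse_rules "$1" | awk -v lan="$LAN" '
        $1 == "nat" && $2 == "PREROUTING" && $3 == lan && $4 == "80" &&
        ($5 == "REDIRECT" || $5 == "DNAT") { found = 1 }
        END { exit (found ? 0 : 1) }'
}
# Exit 0 if a DROP for LAN->443 in FORWARD precedes every ACCEPT that could
# match that traffic; an ACCEPT placed earlier makes the DROP dead code.
https_bypass_closed() {
    parse_rules "$1" | awk -v lan="$LAN" '
        $1 != "filter" || $2 != "FORWARD" { next }
        $3 == lan && $4 == "443" && $5 == "DROP" { drop = 1 }
        ($3 == lan || $3 == "-") && ($4 == "-" || $4 == "443") &&
        $5 == "ACCEPT" && !drop { shadowed = 1 }
        END { exit (drop && !shadowed ? 0 : 1) }'
}
```

Run it against `iptables-save` output from the gateway (`https_bypass_closed "$(iptables-save)"`) to confirm the DROP is actually in effect rather than appended below an earlier ACCEPT.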
Received on Thu Mar 22 2012 - 05:53:32 MDT
