Re: [squid-users] CONNECT acl protocol

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 08 May 2013 03:46:29 +1200

On 8/05/2013 3:13 a.m., China wrote:
> The default config restrict methods, not protocol.
>
> The problem can be translated as: what I've to put in 'acl
> allowed_protocols proto ...' to permit https traffic with CONNECT
> method?

Try "NONE". CONNECT URLs have no protocol scheme, just a TCP IP:port (or
FQDN:port).

I highly recommend you go back to the settings we distribute with Squid:
   http_access deny !Safe_ports
   http_access deny CONNECT !SSL_ports

These two rules prohibit traffic going to ports known to be unsafe for
HTTP traffic delivery, and prohibit CONNECT tunnels to ports where HTTPS
is not normally found.
You adjust them further by altering the contents of Safe_ports and
SSL_ports ACLs.

You seem to have renamed Safe_ports to allowed_ports for some reason,
and removed the controls on CONNECT.

Amos

> If I start Squid in debugging mode this is the trace with problems:
>
>
> kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth0
> kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth1
> kid1| Eui48.cc(303) lookup: Got address MAC on eth1
> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
> destroyed 0x7fff13776720
> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
> destroyed 0x7fff13776720
> kid1| Checklist.cc(153) preCheck: 0x1476118 checking slow rules
> kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
> 'http_access deny Gopher'
> kid1| Acl.cc(336) matches: ACLList::matches: checking Gopher
> kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'Gopher'
> kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
> 'Gopher' is 0
> kid1| Acl.cc(339) matches: ACLList::matches: result is false
> kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0
> kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch
> kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
> 'http_access deny !allowed_ports'
> kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_ports
> kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
> 'allowed_ports'
> kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
> 'allowed_ports' is 1
> kid1| Acl.cc(339) matches: ACLList::matches: result is false
> kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0
> kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch
> kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
> 'http_access deny !allowed_protocols'
> kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_protocols
> kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
> 'allowed_protocols'
> kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
> 'allowed_protocols' is 0
> kid1| Acl.cc(343) matches: ACLList::matches: result is true
> kid1| Checklist.cc(275) matchNode: 0x1476118 matched=1 async=0 finished=0
> kid1| Checklist.cc(260) matchNodes: 0x1476118 success: all ACLs matched
> kid1| Checklist.cc(146) markFinished: 0x1476118 answer DENIED for
> first matching rule won
> kid1| Checklist.cc(88) matchNonBlocking: ACLChecklist::check:
> 0x1476118 match found, calling back with DENIED
> kid1| Checklist.cc(182) checkCallback: ACLChecklist::checkCallback:
> 0x1476118 answer=DENIED
> kid1| Gadgets.cc(85) aclIsProxyAuth: aclIsProxyAuth: called for
> allowed_protocols
> kid1| Acl.cc(61) FindByName: ACL::FindByName 'allowed_protocols'
> kid1| Gadgets.cc(93) aclIsProxyAuth: aclIsProxyAuth: returning 0
> kid1| Gadgets.cc(58) aclGetDenyInfoPage: got called for allowed_protocols
> kid1| Gadgets.cc(77) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
> destroyed 0x7fff13775b80
> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
> destroyed 0x7fff13775b80
> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
> destroyed 0x7fff13775a60
> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
> destroyed 0x7fff13775a60
> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
> destroyed 0x1476118
> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
> destroyed 0x1476118
> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
> destroyed 0x1476118
> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
> destroyed 0x1476118
> kid1| client_side.cc(784) swanSong: local=Y.Y.Y.Y:Y remote=X.X.X.X:X flags=1
>
>
> Thank you
>
>
> On Tue, May 7, 2013 at 4:54 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 8/05/2013 1:31 a.m., China wrote:
>>> Hi,
>>> I've some squid servers (up to version 3.1.20) which have the following
>>> configuration and work great:
>>>
>>> acl allowed_protocols proto HTTP HTTPS CONNECT FTP
>>> http_access deny !allowed_protocols
>>>
>>> After the upgrade to version 3.3.3, squid prints the following warning
>>> in the configuration check:
>>>
>>> WARNING: Ignoring unknown protocol 'CONNECT' in the ACL named
>>> 'allowed_protocols'
>>
>> Squid does not at this time support URLs starting with "connect://". That is all this means. The older versions accepted it, but did nothing with it. So it would seem to be unrelated to the actual problem you are now having.
>>
>>
>>
>>> and squid clients can no longer connect to HTTPS sites.
>>
>> There is a CONNECT *method* in HTTP protocol, which is used to pass HTTPS traffic through HTTP proxies.
>>
>> Please check your http_access lines to see what they do when an HTTP request with method CONNECT happens. The default config provided with Squid restricts CONNECT requests to opening tunnels to a specific set of SSL_Ports where HTTPS is normally seen - if you have altered that set or changed the http_access lines those changes may be the cause of your problem.
>>
>>
>>> How can I check the protocols like configuration in old versions?--
>>
>> Please run "squid -k parse" on your squid.conf file. It should highlight any other problems you have in the config.
>>
>>
>>
>> Amos
>>
>
>
> --
>
> Davide Belloni
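The following is an added illustration, not code from the thread or from Squid: a small Python model of how http_access rules are evaluated (AND within a rule, first matching rule wins), used to reproduce the DENIED result in the trace above and to compare it with the two distributed rules Amos recommends. It assumes, as Amos states, that a CONNECT request carries no URL scheme and is seen by the proto ACL as "NONE", and it adds a final allow-all rule for the demo; Safe_ports and SSL_ports hold the values from the distributed squid.conf.

```python
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    scheme: str  # scheme as the 'proto' ACL sees it; "NONE" for CONNECT (per Amos)
    port: int

# ACL table: name -> (type, values). Port values are (low, high) ranges.
def build_acls(allowed_protocols):
    return {
        "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                                (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]),
        "SSL_ports": ("port", [(443, 443)]),
        "CONNECT": ("method", ["CONNECT"]),
        "allowed_protocols": ("proto", list(allowed_protocols)),
        "all": ("all", []),
    }

def acl_matches(acl, req):
    kind, values = acl
    if kind == "port":
        return any(lo <= req.port <= hi for lo, hi in values)
    if kind == "method":
        return req.method in values
    if kind == "proto":
        return req.scheme in values
    return True  # "all"

def http_access(rules, acls, req):
    """rules: ordered list of (action, [acl terms]); a leading '!' negates a term.
    A rule matches when every term matches (AND); the first matching rule wins.
    If nothing matches, Squid applies the opposite of the last rule's action."""
    for action, terms in rules:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The poster's rules (allowed_ports written as Safe_ports), with an allow-all added.
def posters_config(allowed_protocols, req):
    rules = [("deny", ["!Safe_ports"]), ("deny", ["!allowed_protocols"]), ("allow", ["all"])]
    return http_access(rules, build_acls(allowed_protocols), req)

# The two rules Amos recommends, again followed by an allow-all for the demo.
def distributed_config(req):
    rules = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["all"])]
    return http_access(rules, build_acls(["HTTP", "HTTPS", "FTP"]), req)

if __name__ == "__main__":
    tunnel = Request("CONNECT", "NONE", 443)  # constructed HTTPS tunnel request
    print(posters_config(["HTTP", "HTTPS", "FTP"], tunnel))          # deny, as in the trace
    print(posters_config(["HTTP", "HTTPS", "FTP", "NONE"], tunnel))  # allow
    print(distributed_config(Request("CONNECT", "NONE", 8443)))      # deny: not an SSL_port
```

The first call reproduces the trace: allowed_protocols yields 0 for the CONNECT request, so the negated term matches and the deny rule wins.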
Received on Tue May 07 2013 - 15:46:38 MDT
