Re: [squid-users] CONNECT acl protocol

From: China <davide.belloni_at_gmail.com>
Date: Wed, 8 May 2013 07:56:24 +0200

Good,
that solved the problem!

Thank you

On Tue, May 7, 2013 at 6:27 PM, China <davide.belloni_at_gmail.com> wrote:
> Ok, tomorrow morning I'll try and reply!
>
> Thanks again!
>
> On Tue, May 7, 2013 at 5:46 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 8/05/2013 3:13 a.m., China wrote:
>>>
>>> The default config restrict methods, not protocol.
>>>
>>> The problem can be translated as: what do I have to put in 'acl
>>> allowed_protocols proto ...' to permit HTTPS traffic with the CONNECT
>>> method?
>>
>>
>> Try "NONE". CONNECT URLs have no protocol scheme, just a TCP IP:port (or
>> FQDN:port).
>>
>>
>> I highly recommend you go back to the settings we distribute with Squid:
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>> These two rules prohibit traffic going to ports known to be unsafe for HTTP
>> traffic delivery, and prohibit CONNECT tunnels to ports where HTTPS is not
>> normally found.
>> You adjust them further by altering the contents of Safe_ports and SSL_ports
>> ACLs.
>>
>> You seem to have renamed Safe_ports to allowed_ports for some reason, and
>> removed the controls on CONNECT.
>>
>>
>> Amos
>>
>>
>>> If I start Squid in debugging mode this is the trace with problems:
>>>
>>>
>>> kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth0
>>> kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth1
>>> kid1| Eui48.cc(303) lookup: Got address MAC on eth1
>>> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
>>> destroyed 0x7fff13776720
>>> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
>>> destroyed 0x7fff13776720
>>> kid1| Checklist.cc(153) preCheck: 0x1476118 checking slow rules
>>> kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
>>> 'http_access deny Gopher'
>>> kid1| Acl.cc(336) matches: ACLList::matches: checking Gopher
>>> kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
>>> 'Gopher'
>>> kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
>>> 'Gopher' is 0
>>> kid1| Acl.cc(339) matches: ACLList::matches: result is false
>>> kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0
>>> kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch
>>> kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
>>> 'http_access deny !allowed_ports'
>>> kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_ports
>>> kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
>>> 'allowed_ports'
>>> kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
>>> 'allowed_ports' is 1
>>> kid1| Acl.cc(339) matches: ACLList::matches: result is false
>>> kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0
>>> kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch
>>> kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
>>> 'http_access deny !allowed_protocols'
>>> kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_protocols
>>> kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
>>> 'allowed_protocols'
>>> kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
>>> 'allowed_protocols' is 0
>>> kid1| Acl.cc(343) matches: ACLList::matches: result is true
>>> kid1| Checklist.cc(275) matchNode: 0x1476118 matched=1 async=0 finished=0
>>> kid1| Checklist.cc(260) matchNodes: 0x1476118 success: all ACLs matched
>>> kid1| Checklist.cc(146) markFinished: 0x1476118 answer DENIED for
>>> first matching rule won
>>> kid1| Checklist.cc(88) matchNonBlocking: ACLChecklist::check:
>>> 0x1476118 match found, calling back with DENIED
>>> kid1| Checklist.cc(182) checkCallback: ACLChecklist::checkCallback:
>>> 0x1476118 answer=DENIED
>>> kid1| Gadgets.cc(85) aclIsProxyAuth: aclIsProxyAuth: called for
>>> allowed_protocols
>>> kid1| Acl.cc(61) FindByName: ACL::FindByName 'allowed_protocols'
>>> kid1| Gadgets.cc(93) aclIsProxyAuth: aclIsProxyAuth: returning 0
>>> kid1| Gadgets.cc(58) aclGetDenyInfoPage: got called for allowed_protocols
>>> kid1| Gadgets.cc(77) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
>>> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
>>> destroyed 0x7fff13775b80
>>> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
>>> destroyed 0x7fff13775b80
>>> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
>>> destroyed 0x7fff13775a60
>>> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
>>> destroyed 0x7fff13775a60
>>> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
>>> destroyed 0x1476118
>>> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
>>> destroyed 0x1476118
>>> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
>>> destroyed 0x1476118
>>> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
>>> destroyed 0x1476118
>>> kid1| client_side.cc(784) swanSong: local=Y.Y.Y.Y:Y remote=X.X.X.X:X
>>> flags=1
>>>
>>>
>>> Thank you
>>>
>>>
>>> On Tue, May 7, 2013 at 4:54 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>>> wrote:
>>>>
>>>> On 8/05/2013 1:31 a.m., China wrote:
>>>>>
>>>>> Hi,
>>>>> I have some squid servers (up to version 3.1.20) which have the following
>>>>> configuration and work great:
>>>>>
>>>>> acl allowed_protocols proto HTTP HTTPS CONNECT FTP
>>>>> http_access deny !allowed_protocols
>>>>>
>>>>> After the upgrade to version 3.3.3, squid prints the following warning
>>>>> in the configuration check:
>>>>>
>>>>> WARNING: Ignoring unknown protocol 'CONNECT' in the ACL named
>>>>> 'allowed_protocols'
>>>>
>>>>
>>>> Squid does not at this time support URLs starting with "connect://". That
>>>> is all this means. The older versions accepted it, but did nothing with it.
>>>> So it would seem to be unrelated to the actual problem you are now having.
>>>>
>>>>
>>>>
>>>>> and squid clients can no longer connect to HTTPS sites.
>>>>
>>>>
>>>> There is a CONNECT *method* in HTTP protocol, which is used to pass HTTPS
>>>> traffic through HTTP proxies.
>>>>
>>>> Please check your http_access lines to see what they do when an HTTP
>>>> request with method CONNECT happens. The default config provided with Squid
>>>> restricts CONNECT requests to opening tunnels to a specific set of SSL_Ports
>>>> where HTTPS is normally seen - if you have altered that set or changed the
>>>> http_access lines those changes may be the cause of your problem.
>>>>
>>>>
>>>>> How can I check the protocols as in the configuration of the old versions?
>>>>
>>>>
>>>> Please run "squid -k parse" on your squid.conf file. It should highlight
>>>> any other problems you have in the config.
>>>>
>>>>
>>>>
>>>> Amos
>>>>
>>>
>>>
>>> --
>>>
>>> Davide Belloni
>>
>>
>
>
>
> --
>
> Davide Belloni

--
Davide Belloni
Received on Wed May 08 2013 - 05:56:42 MDT
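Added example (not part of the thread, not Squid's code): a small Python model of Squid's first-match http_access evaluation, written to show why the poster's 3.3.3 config denied CONNECT tunnels (a CONNECT request has no URL scheme, so only the 'NONE' keyword matches it in a 'proto' ACL) and why Amos recommends keeping the distributed 'deny CONNECT !SSL_ports' rule rather than just adding NONE. The port sets, ACL helpers and sample requests are constructed here and only follow the shape of the squid.conf defaults; the model covers just 'port', 'method' and 'proto' ACLs and the rule that an unmatched request gets the opposite of the last line's action.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed port sets shaped like the squid.conf defaults (not copied from any real file).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}


@dataclass(frozen=True)
class Request:
    method: str
    port: int
    scheme: str = ""  # URL scheme; a CONNECT request carries only host:port, so it has none


Acl = Callable[[Request], bool]


def acl_port(ports) -> Acl:
    return lambda r: r.port in ports


def acl_method(name: str) -> Acl:
    return lambda r: r.method == name


def acl_proto(names) -> Acl:
    # 'proto' compares the URL scheme; a scheme-less CONNECT request is matched by 'NONE'.
    return lambda r: (r.scheme.upper() if r.scheme else "NONE") in names


def negate(acl: Acl) -> Acl:
    return lambda r: not acl(r)


Rule = Tuple[str, List[Acl]]


def http_access(rules: List[Rule], req: Request) -> str:
    """First-match evaluation: a line fires when all of its ACLs match.
    If no line matches, the result is the opposite of the last line's action."""
    for action, acls in rules:
        if all(acl(req) for acl in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


# 1. The poster's config after 3.3.3 dropped CONNECT from 'proto': tunnels match nothing
#    in allowed_protocols, so 'deny !allowed_protocols' fires (the DENIED seen in the trace).
BROKEN: List[Rule] = [
    ("deny", [negate(acl_port(SAFE_PORTS))]),
    ("deny", [negate(acl_proto({"HTTP", "HTTPS", "FTP"}))]),
]

# 2. Adding NONE alone restores HTTPS, but any Safe_port is now reachable by a CONNECT tunnel.
NONE_ONLY: List[Rule] = [
    ("deny", [negate(acl_port(SAFE_PORTS))]),
    ("deny", [negate(acl_proto({"HTTP", "HTTPS", "FTP", "NONE"}))]),
]

# 3. The shape Amos recommends: also restrict CONNECT to the SSL_ports set.
RECOMMENDED: List[Rule] = [
    ("deny", [negate(acl_port(SAFE_PORTS))]),
    ("deny", [acl_method("CONNECT"), negate(acl_port(SSL_PORTS))]),
    ("deny", [negate(acl_proto({"HTTP", "HTTPS", "FTP", "NONE"}))]),
    ("allow", []),  # 'http_access allow all' (an empty ACL list always matches)
]

# Constructed sample requests.
SAMPLE_REQUESTS: Dict[str, Request] = {
    "https_tunnel": Request("CONNECT", 443),
    "smtp_tunnel": Request("CONNECT", 25),
    "high_port_tunnel": Request("CONNECT", 8022),
    "web_get": Request("GET", 80, "http"),
    "ssh_port_get": Request("GET", 22, "http"),
}


def outcomes(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample request against one rule set."""
    return {name: http_access(rules, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, rules in (("BROKEN", BROKEN), ("NONE_ONLY", NONE_ONLY), ("RECOMMENDED", RECOMMENDED)):
        print(label, outcomes(rules))
```

Running it shows the three stages of the thread side by side: BROKEN denies the HTTPS tunnel, NONE_ONLY allows it but also allows a tunnel to port 8022, and RECOMMENDED allows only the tunnel to 443 while still serving plain GET requests on port 80.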
