Re: [squid-users] Re: Squid3 and SSL again

From: David Mohl <dave_at_dave.cx>
Date: Fri, 21 Jun 2013 23:56:23 +0900

Thanks for the answers guys,

Really should have looked in the cache.log first before posting here.
cache.log told me that there were errors while initialising SSL. After
a bit of googling around, I changed https_port to http_port and squid
binds everything correctly, as it seems that https_port is needed for
reverse proxying only, and ssl_bump works fine with http_port?

To use the ssl features, I upgraded my squid 3.0 (ubuntu package) to
3.2.11, using the package here:
http://www.mydlp.com/squid-3-2-ssl-packages/

Using the same config as before, I am now ending up in "forwarding
loops" when trying to access a page through the transparent
non-ssl-bump port (client is getting 403). The same (non-ssl) access
worked fine in the previous versions though.

Did something change during the ~3.2 version jump that affects this?

Cheers,
David

On Fri, Jun 21, 2013 at 6:20 PM, Eliezer Croitoru <eliezer_at_ngtech.co.il> wrote:
> What version of Squid?
> 'squid -v' output
> Also, please tell us what the purpose of the service is:
> is this service for ssl-bumping or just an SSL reverse proxy?
> There should be something in the cache.log if there is a problem binding
> a port.
>
> This is for squid 3.1
> http://wiki.squid-cache.org/Features/SslBump
>
> and it states that you don't need https_port in order to do ssl-bump.
> "http_port 3128 ssl-bump cert=/usr/local/squid3/etc/site_priv+pub.pem"
> but in squid 3.3 it's more complicated.
>
> Do we have docs for that?
>
> Eliezer
>
>
>
> On 06/21/2013 09:46 AM, David Mohl wrote:
>>
>> Okay guys,
>>
>> it looks like squid is not listening on port 443, even though the
>> https_port directive is set to it.
>> I tried playing around with it and changed the port to a higher range,
>> but got the same result.
>>
>> According to netstat, squid3 listens only on ports 80 and 8000, which
>> are set via the http_port directive, but is somehow ignoring all the
>> https_ports?
>>
>> Syslog / squid shows no binding / listening errors.
>>
>> Any ideas?
>>
>>
>> Cheers,
>> David
>>
>> On Fri, Jun 21, 2013 at 3:46 PM, David Mohl <dave_at_dave.cx> wrote:
>>>
>>> Okay guys,
>>>
>>> it looks like squid is not listening on port 443, even though the
>>> https_port directive is set to it.
>>> I tried playing around with it and changed the port to a higher range,
>>> but got the same result.
>>>
>>> According to netstat, squid3 listens only on ports 80 and 8000, which are
>>> set via the http_port directive, but is somehow ignoring all the https_ports?
>>>
>>> Syslog / squid shows no binding / listening errors.
>>>
>>> Any ideas?
>>>
>>>
>>> Cheers,
>>> David
>>>
>>>
>>> On Fri, Jun 21, 2013 at 2:17 PM, David Mohl <dave_at_dave.cx> wrote:
>>>>
>>>>
>>>> Hey Squid users,
>>>>
>>>> For the last weeks, I've been fighting with Squid3 to get SSL running in
>>>> a transparent environment. I followed multiple config guides but still
>>>> seem to have problems getting the configuration running. My config file:
>>>>
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl SSL method CONNECT
>>>> acl CONNECT method CONNECT
>>>> http_access deny !Safe_ports
>>>> acl whitelist dstdomain "/etc/squid3/whitelist"
>>>> http_access allow all whitelist
>>>> http_access deny all
>>>>
>>>> # SSL Bump
>>>> always_direct allow all
>>>> ssl_bump allow all
>>>> sslproxy_cert_error allow all
>>>> sslproxy_flags DONT_VERIFY_PEER
>>>>
>>>> http_port 80 transparent
>>>> http_port 8000
>>>> https_port 443 ssl-bump cert=/etc/squid3/ssl_cert/server.crt key=/etc/squid3/ssl_cert/server.key transparent
>>>> coredump_dir /var/spool/squid3
>>>>
>>>>
>>>> Last week, using this configuration, I ended up getting "unknown
>>>> protocol" errors, but I guess that was caused by something cached. When
>>>> trying to use wget now, all I get is "connection refused".
>>>>
>>>> As far as I can tell, squid3 is correctly set up to listen on my https
>>>> port, meaning it should at least give something other than "connection
>>>> refused"? Maybe a certificate error on the client side? Or at least
>>>> something. Ports (8080, 443, 80) are open and reachable.
>>>>
>>>> Any ideas on what I did wrong?
>>>>
>>>>
>>>> Cheers,
>>>> David
>>>>
>>>
>
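An added example, not from the thread or from the Squid project: a Squid 3.2-style listener layout for the transparent ssl-bump setup discussed above, written as a squid.conf fragment. The port numbers, the ssl_crtd path, the certificate DB path and the CA directory are assumptions; the cert/key paths reuse the ones from the posted config. It shows the split the thread circles around: an http_port with ssl-bump only bumps CONNECT tunnels from explicitly configured clients, while intercepted TLS has to land on an https_port.

```conf
# Added example (not the thread's or Squid's own config). Ports and helper
# paths are assumptions; cert/key paths are the ones from the posted config.

# Explicit (forward) proxy port. With ssl-bump here Squid bumps CONNECT
# tunnels from clients that are configured to use the proxy. Intercepted
# TLS never reaches this port.
http_port 3128 ssl-bump cert=/etc/squid3/ssl_cert/server.crt key=/etc/squid3/ssl_cert/server.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Intercepted plain HTTP. 'intercept' is the 3.x name of the old
# 'transparent' option; traffic arrives here through a NAT redirect.
http_port 3129 intercept

# Intercepted HTTPS: the TLS handshake itself lands here, so this must be
# an https_port carrying the signing cert/key. generate-host-certificates
# makes Squid mint a per-site certificate instead of presenting server.crt
# (whose name cannot match every site) to every client.
https_port 3130 intercept ssl-bump cert=/etc/squid3/ssl_cert/server.crt key=/etc/squid3/ssl_cert/server.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that signs the per-site certificates (path assumed; the DB is
# created once with 'ssl_crtd -c -s /var/lib/ssl_db').
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB

# 3.2 syntax; 3.3 replaced allow/deny with bump modes.
ssl_bump allow all

# Origin-server certificate checking stays on. The posted config's
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER
# would accept any upstream certificate and re-sign it for the client.
# CA directory assumed (Debian/Ubuntu system trust store).
sslproxy_capath /etc/ssl/certs
sslproxy_cert_error deny all
```

Two checks worth running against the posted config. First, `sslproxy_cert_error allow all` together with `sslproxy_flags DONT_VERIFY_PEER` switches off validation of the origin server's certificate, so every bumped client is handed a proxy-signed certificate regardless of what the real site presented; the fragment above leaves validation on and only relaxes it per destination if that is ever reviewed and justified. Second, on the forwarding loops: Squid declares a loop when it finds its own hostname in a request's Via header and answers with a 403, and on a single host running interception a common trigger is a NAT redirect rule that also captures the proxy's own outbound connections. The thread does not show the NAT rules, so this is a check rather than a diagnosis, but exempting the proxy's uid from the redirect (for example `-m owner ! --uid-owner proxy` on Linux) removes that cause.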
Received on Fri Jun 21 2013 - 14:56:33 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 21 2013 - 12:00:36 MDT