Re: [squid-users] SSL tunnel for soon to go Live site not working

From: Amos Jeffries <>
Date: Tue, 08 Oct 2013 15:17:34 +1300

On 8/10/2013 3:01 a.m., IggyDolby wrote:
> Hi I'm a Squid newbie and need to configure Squid to proxy HTTP and HTTPS
> (Tunnel) requests from external users on Browsers and iPads and resolve to
> an IP address were the DNS has not been switched yet.
> We can manually change the iPads proxy configuration to point to this proxy.
> The site has a Browser popup authentication on the first redirect from HTTP
> to HTTPS.
> I never see the browser popup....
> I am able to configure Squid properly I believe for HTTP proxy
> But when I request and HTTPS page I get this error:
> 1381116961.902 0 NONE/400 3841 CONNECT
> error:method-not-allowed - NONE/- text/html
> On an HTTP request I actually get the page:
> 1381116975.786 60 TCP_MISS/200 551 GET
> text/html
> This is my squid.conf
> acl our_sites dstdomain
> http_access allow our_sites
> cache_peer xx.xx.xx.xx parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel deny all
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than secure SSL ports
> #http_access deny CONNECT !SSL_ports
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> #
> #
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> # And finally deny all other access to this proxy
> http_access deny all
> # Squid normally listens to port 3128
> http_port 80

The defaultsite= parameter implies "accel" mode (reverse-proxy). CONNECT
is a HTTP method reserved for use between a client and a proxy. It is
not permitted to be used directly on origin servers or reverse-proxy.
Thus the 400.

If I am understanding your requirements description properly what you
need can be served by the default Squid configuration with a cache_peer.

* change http_port back to 3128 and remove the defaultsite= option.

* configure your browser and clients to use port 3128 instead of port 80
for the proxy.

Your test should start working with just those changes.

Regarding the never_direct rule and "our_sites" ACL. You may or may not
want to use them. This is what they will do for your:

* "never_direct allow all" will force all traffic through this proxy to
use the cache_peer.

* the http_access and cache_peer_access use of our_sites restricts
acceptible traffic to only the domains listed in our_sites. Any other
requests will get rejected with a CANNOT_FORWARD error.

Received on Tue Oct 08 2013 - 02:17:49 MDT

This archive was generated by hypermail 2.2.0 : Tue Oct 08 2013 - 12:00:21 MDT