> Note the need for separate forward-proxy and intercept-proxy listening
> ports in Squid is a MUST.
> Forward-proxy is the better mode of operation, if you have clients already
> using it leave them. Add the interception as a secondary http(s)_port for
> the clients that cannot be configured with the proxy.

This issue with ssl_bump has really been confusing me! If I have the line

    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=bla.crt key=bla.key intercept

Then squid will not start unless I also have an additional config line like

    http_port 3129

What does specifying two http_port lines mean? How do I configure my iptables and
dansguardian to use these ports? Currently, DG is configured with
"proxyport = 3128". Do I change that, add to it, or what?

Without ssl_bump my router's NAT rules are

    -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
    -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

In English:
When they are output from a squid process, accept packets that are destined
for ports 80 or 3128.
Before other routing, redirect packets destined for port 80 to port 8080.

How must I change this when I am using ssl_bump?
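The port layout the quoted reply describes (one plain forward-proxy port kept for DansGuardian and any configured clients, with interception added on a separate https_port) together with the matching nat rules, written out as an added example; this is not code from the thread or from the Squid project. The port numbers 3130 and 8080, the certificate paths under /etc/squid and the has_forward_port check are assumptions of the example, not taken from the post. Port 80 keeps going to DansGuardian as in the original rules, and DG keeps "proxyport = 3128"; only port 443 is redirected straight to Squid's intercept https_port, since a TLS ClientHello cannot be handed to an HTTP filter port.

```sh
#!/bin/sh
# Added example (not from the thread): separate forward-proxy and intercept
# ports for Squid, plus the nat rules that feed them. Values marked assumed
# are illustrative and should be adjusted to the real setup.

FWD_PORT=3128          # plain forward-proxy port; DansGuardian's proxyport stays here
HTTPS_INT_PORT=3130    # https_port ... intercept ssl-bump for NAT'd port-443 traffic (assumed)
DG_PORT=8080           # DansGuardian filter port that port-80 traffic is sent to (assumed)
CERT=/etc/squid/bla.crt  # assumed path
KEY=/etc/squid/bla.key   # assumed path

# squid.conf port lines: the first is the non-intercept port that MUST exist,
# the second is the interception port added on a different number.
squid_ports() {
  cat <<EOF
http_port $FWD_PORT
https_port $HTTPS_INT_PORT intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=$CERT key=$KEY
EOF
}

# Sanity check for the exact situation in the question: succeed (exit 0) only
# if at least one http_port line carries no "intercept" flag.
has_forward_port() {
  squid_ports | grep '^http_port' | grep -v -q 'intercept'
}

# iptables-restore fragment for the nat table. Squid's own outbound
# connections are matched by owner first so they are never looped back into
# the intercept port; port 80 still goes to DG, port 443 goes to Squid's
# https_port intercept.
nat_rules() {
  cat <<EOF
*nat
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner squid -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $DG_PORT
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports $HTTPS_INT_PORT
COMMIT
EOF
}

# Usage: review the output, then load it with
#   nat_rules | iptables-restore --noflush
# and paste squid_ports output into squid.conf in place of the single port line.
```

The owner-match rules are the part that is easy to forget when a new redirect is added: any port that is redirected in PREROUTING or OUTPUT needs the corresponding exemption for the squid user, otherwise Squid's own fetches for bumped 443 connections would be redirected back into itself.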

