Re: [squid-users] problem with squid and google search engine

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 09 Jun 2014 19:12:22 +1200

On 9/06/2014 6:24 p.m., Дмитрий Шиленко wrote:
> This is my config file:
>
> http_port 127.0.0.1:3128
> http_port 127.0.0.1:3129 intercept

Okay, so Squid takes in:
 * forward-proxy traffic to port 3128
 * NAT intercepted port 80 traffic (via port 3129)

Google does not use HTTP anymore. They use HTTPS almost exclusively.
Which means port 443 TLS encrypted traffic or CONNECT requests over port
3128.

But...

> connect_timeout 20 second
> dns_v4_first on
> shutdown_lifetime 1 seconds
> cache deny all
> #cache_mem 256 MB
> #maximum_object_size_in_memory 512 KB
> coredump_dir /usr/local/squid
> access_log daemon:/usr/local/squid/log/access.log squid
> #strip_query_terms off
> log_mime_hdrs on
> #forwarded_for transparent
> #via off
> cache_mgr root_at_localhost
> visible_hostname proxy.localnet.local
>
> acl localnet src 192.168.0.0/24 # RFC1918 possible internal network
> acl CONNECT method CONNECT
> acl AdminsIP src "/usr/local/etc/squid/AccessLists/AdminsIP.txt"
> acl RestrictedDomains dstdomain "/usr/local/etc/squid/AccessLists/RestrictedDomains.txt"
> acl MimeAudioVideo rep_mime_type audio video
> acl UrlIP url_regex -i ^http://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/.*
>
> http_access allow manager localhost
> #http_access allow manager CacheManagerIP
> http_access deny manager
> # The value "disable all" turns off cache management
> #cachemgr_passwd disable all
>
> http_access deny CONNECT

... you have denied all use of CONNECT. Even to transfer HTTPS.

The default recommended config has "!SSL_Ports" on the end of that line
in order to permit HTTPS traffic like google through the proxy.

Also, check that you are NOT intercepting or blocking port 443. Your
Squid is currently not set up to handle TLS/SSL.

Amos

> http_access deny to_localhost
> http_access allow AdminsIP
> http_access deny RestrictedDomains
> #http_access deny UrlIP
> http_access allow localnet
> http_access deny all
> #http_reply_access allow AdminsIP
> #http_reply_access deny MimeAudioVideo
> http_reply_access allow all
> #refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> Amos Jeffries wrote 09.06.2014 04:11:
>> On 9/06/2014 3:10 a.m., Дмитрий Шиленко wrote:
>>> There is a very strange problem. I have freebsd 9.1 gateway configured
>>> with ipfv ipnat and I decided to set up a squid. Installed from ports
>>> SQUID 3.3. As soon as I run it - google.com immediately blocks my
>>> network and try to access the search engine says that my requests are
>>> sent automatically. Once turn off the squid - all ok. Prompt in what
>>> could be the problem?
>>>
>>
>> Something in the configuration. But you omitted those details along with
>> the actual error message details. So we cannot help more than that.
>>
>> Amos
>
>
Received on Mon Jun 09 2014 - 07:12:37 MDT
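
The change described in the reply, written out as an added example that is not part of the original thread. The posted config never defines the ACL the corrected rule refers to, so this fragment assumes the definition and spelling used in Squid's shipped default squid.conf (`acl SSL_ports port 443`); `localnet` is the ACL from the posted config.

```conf
# Added example, not from the thread. Fragment only: it replaces the
# single "http_access deny CONNECT" line of the posted config.

# Before (as posted): every CONNECT request is refused, so a browser
# using the forward proxy on port 3128 cannot open any HTTPS tunnel.
#http_access deny CONNECT

# After: name the ports a CONNECT tunnel may reach. Without this acl
# line, the rule below refers to an undefined ACL.
acl SSL_ports port 443
acl CONNECT method CONNECT

# Refuse CONNECT only when the destination port is NOT in SSL_ports.
# CONNECT to port 443 falls through to the rules that follow; CONNECT
# to any other port is still denied here, which keeps the proxy from
# being used as a generic TCP tunnel.
http_access deny CONNECT !SSL_ports

# http_access is first-match, so the rule above must stay ahead of the
# allow rules from the posted config, for example:
http_access allow localnet
http_access deny all
```

Running `squid -k parse` checks the edited file for syntax errors before the change is loaded with `squid -k reconfigure`.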
