[squid-users] squid with qlproxy on fedora 20 not working for https traffic

From: MrErr <samirlapati_at_gmail.com>
Date: Mon, 9 Jun 2014 18:08:12 -0700 (PDT)

Hi, I have spent two days googling and going through these forums and have not
been able to get HTTPS filtering working. I am new to this kind of
networking, so I do need a lot of help :)

I have a gateway machine which is my router. On this same gateway I have
squid and qlproxy installed. I want to be able to filter both HTTP and
HTTPS. Only HTTP filtering works now, not HTTPS, so I am not able to
make Google default to safe search.

I am going to paste my configuration files, so my apologies for the long
files.

My squid.conf is

# squid.conf as posted: explicit proxy on 3128, HTTP interception on 3129,
# HTTPS interception with SSL-bump on 3130; content filtering is handed to
# qlproxy over ICAP on loopback.

# --- client / destination ACLs ---
acl localnet src 192.168.13.0/24
# NOTE(review): 127.0.0.1/8 has host bits set; the loopback block is normally
# written 127.0.0.0/8 — confirm Squid accepts this form without a warning.
acl localnet src 127.0.0.1/8
# NOTE(review): this single public address is granted proxy access below
# (http_access allow wanip); confirm that is intended. Every listening port in
# this file is bound to 192.168.13.1, so that host only reaches the proxy if
# it can route to the LAN address.
acl wanip src 97.90.225.128
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# --- access list: the stock deny-unsafe-ports / allow-local ordering ---
http_access deny !Safe_ports
http_access allow CONNECT SSL_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow wanip
http_access allow localhost
http_access deny all

# --- listening ports (all on the LAN address) ---
http_port 192.168.13.1:3128
http_port 192.168.13.1:3129 intercept
# NOTE(review): "ssl_bump server-first" (below) impersonates each origin
# server, which needs per-site certificate generation. This port sets neither
# generate-host-certificates=on nor dynamic_cert_mem_cache_size, and no
# sslcrtd_program appears anywhere in the posted file — the most likely reason
# HTTPS interception fails here. Also confirm with `squid -v` that this build
# was compiled with SSL / ssl-crtd support.
# myCA.pem is the signing CA, private key included: keep it readable only by
# the squid user and distribute only its certificate (never the key) to clients.
https_port 192.168.13.1:3130 intercept ssl-bump cert=/etc/squid/myCA.pem
# qlproxy-managed domain lists. These appear to be wrapped by the mail client;
# in the real file each acl and its file path must be on one line.
acl qlproxy_https_exclusions dstdomain
"/etc/opt/quintolabs/qlproxy/squid/https_exclusions.conf"
acl qlproxy_https_targets dstdomain
"/etc/opt/quintolabs/qlproxy/squid/https_targets.conf"

# --- SSL-bump policy ---
ssl_bump none localhost
ssl_bump server-first qlproxy_https_targets
# NOTE(review): qlproxy_https_exclusions is defined above but referenced by no
# ssl_bump rule, so the exclusion list has no effect as posted. Connections
# matching no ssl_bump rule are tunnelled untouched; consider a trailing
# "ssl_bump none all" so that default is visible to the next reader.
always_direct allow all

# --- cache / refresh ---
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# --- ICAP hand-off to qlproxy on loopback (REQMOD and RESPMOD, all traffic) ---
# Client IP and username are forwarded to the ICAP service; with the service on
# 127.0.0.1 they do not leave the host.
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service qlproxy1 reqmod_precache 0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache 0 icap://127.0.0.1:1344/respmod
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all

My iptables rules (iptables-save output) are

# Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014
# nat table. firewalld layout: the *_direct chains hold the hand-written rules,
# the *_ZONES chains dispatch by interface (p6p1 = internal zone, p2p1 =
# external zone, anything else = public). Several rules below are wrapped
# across two lines by the mail client; each rule is a single line in the dump.
*nat
:PREROUTING ACCEPT [683:114416]
:INPUT ACCEPT [477:31902]
:OUTPUT ACCEPT [441:27340]
:POSTROUTING ACCEPT [2:176]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_external - [0:0]
:POST_external_allow - [0:0]
:POST_external_deny - [0:0]
:POST_external_log - [0:0]
:POST_internal - [0:0]
:POST_internal_allow - [0:0]
:POST_internal_deny - [0:0]
:POST_internal_log - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_external - [0:0]
:PRE_external_allow - [0:0]
:PRE_external_deny - [0:0]
:PRE_external_log - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o p6p1 -g POST_internal
-A POSTROUTING_ZONES -o p2p1 -g POST_external
-A POSTROUTING_ZONES -g POST_public
-A POST_external -j POST_external_log
-A POST_external -j POST_external_deny
-A POST_external -j POST_external_allow
# Source NAT for everything leaving via the external (and public) zone.
-A POST_external_allow ! -i lo -j MASQUERADE
-A POST_internal -j POST_internal_log
-A POST_internal -j POST_internal_deny
-A POST_internal -j POST_internal_allow
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A POST_public_allow ! -i lo -j MASQUERADE
-A PREROUTING_ZONES -i p6p1 -g PRE_internal
-A PREROUTING_ZONES -i p2p1 -g PRE_external
-A PREROUTING_ZONES -g PRE_public
# Transparent interception for LAN clients on p6p1: HTTP -> squid intercept
# port 3129, HTTPS -> squid ssl-bump port 3130 (the http_port/https_port
# values in squid.conf).
-A PREROUTING_direct -i p6p1 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 192.168.13.1:3129
-A PREROUTING_direct -i p6p1 -p tcp -m tcp --dport 443 -j DNAT
--to-destination 192.168.13.1:3130
# NOTE(review): the next two rules match on the EXTERNAL interface (p2p1) and
# steer inbound 443/80 arriving from the internet into the intercept ports.
# They are not needed to filter LAN clients, and they make the proxy's exposure
# depend solely on the filter table (INPUT_direct there accepts 3129/3130 only
# from 192.168.13.0/24). Remove them unless WAN-side interception is intended.
-A PREROUTING_direct -i p2p1 -p tcp -m tcp --dport 443 -j REDIRECT
--to-ports 3130
-A PREROUTING_direct -i p2p1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports
3129
-A PRE_external -j PRE_external_log
-A PRE_external -j PRE_external_deny
-A PRE_external -j PRE_external_allow
# Mark-based port forwards: marks 0x64-0x6c are set in the mangle table on
# inbound external ports and translated here to SSH (22) or 5000-5020 on
# individual LAN hosts. Each one publishes an internal service to the
# internet; confirm every host still needs its entry.
-A PRE_external_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination
192.168.13.108:22
-A PRE_external_allow -p tcp -m mark --mark 0x65 -j DNAT --to-destination
192.168.13.107:22
-A PRE_external_allow -p tcp -m mark --mark 0x66 -j DNAT --to-destination
192.168.13.104:5000-5020
-A PRE_external_allow -p tcp -m mark --mark 0x67 -j DNAT --to-destination
192.168.13.105:22
-A PRE_external_allow -p tcp -m mark --mark 0x68 -j DNAT --to-destination
192.168.13.109:22
-A PRE_external_allow -p tcp -m mark --mark 0x69 -j DNAT --to-destination
192.168.13.104:22
-A PRE_external_allow -p tcp -m mark --mark 0x6a -j DNAT --to-destination
192.168.13.106:22
-A PRE_external_allow -p udp -m mark --mark 0x6b -j DNAT --to-destination
192.168.13.104:5000-5020
-A PRE_external_allow -p tcp -m mark --mark 0x6c -j DNAT --to-destination
192.168.13.102:22
-A PRE_internal -j PRE_internal_log
-A PRE_internal -j PRE_internal_deny
-A PRE_internal -j PRE_internal_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Jun 9 20:03:48 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014
# mangle table: only job here is to tag inbound external connections on the
# forwarded ports with marks 0x64-0x6c; the nat table DNATs on those marks and
# the filter table's FWDI_external_allow accepts them.
*mangle
:PREROUTING ACCEPT [209855:83194674]
:INPUT ACCEPT [163899:49094240]
:FORWARD ACCEPT [45956:34100434]
:OUTPUT ACCEPT [164192:62941135]
:POSTROUTING ACCEPT [210148:97041569]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_external - [0:0]
:PRE_external_allow - [0:0]
:PRE_external_deny - [0:0]
:PRE_external_log - [0:0]
:PRE_internal - [0:0]
:PRE_internal_allow - [0:0]
:PRE_internal_deny - [0:0]
:PRE_internal_log - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i p6p1 -g PRE_internal
-A PREROUTING_ZONES -i p2p1 -g PRE_external
-A PREROUTING_ZONES -g PRE_public
-A PRE_external -j PRE_external_log
-A PRE_external -j PRE_external_deny
-A PRE_external -j PRE_external_allow
# One mark per published service (external port -> mark); the mark values are
# wrapped onto the following line by the mail client.
-A PRE_external_allow -p tcp -m tcp --dport 2082 -j MARK --set-xmark
0x64/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2072 -j MARK --set-xmark
0x65/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 5000:5020 -j MARK --set-xmark
0x66/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2052 -j MARK --set-xmark
0x67/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2092 -j MARK --set-xmark
0x68/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2042 -j MARK --set-xmark
0x69/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2062 -j MARK --set-xmark
0x6a/0xffffffff
-A PRE_external_allow -p udp -m udp --dport 5000:5020 -j MARK --set-xmark
0x6b/0xffffffff
-A PRE_external_allow -p tcp -m tcp --dport 2022 -j MARK --set-xmark
0x6c/0xffffffff
-A PRE_internal -j PRE_internal_log
-A PRE_internal -j PRE_internal_deny
-A PRE_internal -j PRE_internal_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Jun 9 20:03:48 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014
# security table: firewalld skeleton only, the *_direct chains are empty.
*security
:INPUT ACCEPT [162157:48535784]
:FORWARD ACCEPT [45956:34100434]
:OUTPUT ACCEPT [164192:62941135]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Jun 9 20:03:48 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014
# raw table: firewalld skeleton only, no NOTRACK/CT exemptions are defined.
*raw
:PREROUTING ACCEPT [209855:83194674]
:OUTPUT ACCEPT [164192:62941135]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Jun 9 20:03:48 2014
# Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014
# filter table. INPUT and FORWARD end in REJECT, so anything not accepted by
# the *_direct chain or the matching zone allow-chain is refused. Zone
# dispatch: p6p1 = internal, p2p1 = external, everything else = public.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [164192:62941135]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_external - [0:0]
:FWDI_external_allow - [0:0]
:FWDI_external_deny - [0:0]
:FWDI_external_log - [0:0]
:FWDI_internal - [0:0]
:FWDI_internal_allow - [0:0]
:FWDI_internal_deny - [0:0]
:FWDI_internal_log - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_external - [0:0]
:FWDO_external_allow - [0:0]
:FWDO_external_deny - [0:0]
:FWDO_external_log - [0:0]
:FWDO_internal - [0:0]
:FWDO_internal_allow - [0:0]
:FWDO_internal_deny - [0:0]
:FWDO_internal_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_external - [0:0]
:IN_external_allow - [0:0]
:IN_external_deny - [0:0]
:IN_external_log - [0:0]
:IN_internal - [0:0]
:IN_internal_allow - [0:0]
:IN_internal_deny - [0:0]
:IN_internal_log - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i p6p1 -g FWDI_internal
-A FORWARD_IN_ZONES -i p2p1 -g FWDI_external
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o p6p1 -g FWDO_internal
-A FORWARD_OUT_ZONES -o p2p1 -g FWDO_external
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_external -j FWDI_external_log
-A FWDI_external -j FWDI_external_deny
-A FWDI_external -j FWDI_external_allow
# Inbound forwards from the internet are accepted only when carrying one of
# the marks set in the mangle table (the published SSH / 5000-5020 services).
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x64 -j
ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x65 -j
ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x66 -j
ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x67 -j
ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x68 -j
ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x69 -j
ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6a -j
ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6b -j
ACCEPT
-A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6c -j
ACCEPT
-A FWDI_internal -j FWDI_internal_log
-A FWDI_internal -j FWDI_internal_deny
-A FWDI_internal -j FWDI_internal_allow
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDO_external -j FWDO_external_log
-A FWDO_external -j FWDO_external_deny
-A FWDO_external -j FWDO_external_allow
# Anything routed out towards the external or public zone is accepted.
-A FWDO_external_allow -j ACCEPT
-A FWDO_internal -j FWDO_internal_log
-A FWDO_internal -j FWDO_internal_deny
-A FWDO_internal -j FWDO_internal_allow
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A FWDO_public_allow -j ACCEPT
-A INPUT_ZONES -i p6p1 -g IN_internal
-A INPUT_ZONES -i p2p1 -g IN_external
-A INPUT_ZONES -g IN_public
# Only LAN sources may reach the squid intercept ports (3129 HTTP, 3130 HTTPS)
# that the nat table DNATs/REDIRECTs to. NOTE(review): the explicit proxy port
# 3128 from squid.conf is accepted nowhere in this table, so clients pointing
# a browser at 192.168.13.1:3128 are REJECTed as posted — add it here if the
# explicit port is meant to be usable.
-A INPUT_direct -s 192.168.13.0/24 -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT_direct -s 192.168.13.0/24 -p tcp -m tcp --dport 3130 -j ACCEPT
-A IN_external -j IN_external_log
-A IN_external -j IN_external_deny
-A IN_external -j IN_external_allow
# The only service the gateway itself offers on the external interface.
-A IN_external_allow -p tcp -m tcp --dport 2012 -m conntrack --ctstate NEW
-j ACCEPT
-A IN_internal -j IN_internal_log
-A IN_internal -j IN_internal_deny
-A IN_internal -j IN_internal_allow
# Services the gateway offers to the LAN: mDNS, IPP, VNC, SSH, DNS, DHCP,
# NetBIOS name/datagram, and tcp/2032 and tcp/10000.
-A IN_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m
conntrack --ctstate NEW -j ACCEPT
-A IN_internal_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j
ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate
NEW -j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j
ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j
ACCEPT
-A IN_internal_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j
ACCEPT
-A IN_internal_allow -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j
ACCEPT
-A IN_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j
ACCEPT
-A IN_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j
ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 2032 -m conntrack --ctstate NEW
-j ACCEPT
-A IN_internal_allow -p tcp -m tcp --dport 10000 -m conntrack --ctstate NEW
-j ACCEPT
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
# Public zone (any interface other than p6p1/p2p1): mDNS and SSH only.
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack
--ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j
ACCEPT
COMMIT
# Completed on Mon Jun 9 20:03:48 2014

Can someone please help?

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-with-qlproxy-on-fedora-20-not-working-for-https-traffic-tp4666277.html
Sent from the Squid - Users mailing list archive at Nabble.com.