Re: [squid-users] unbound and squid not resolving SSL sites

From: <squid_at_proxyplayer.co.uk>
Date: Thu, 07 Aug 2014 20:55:14 +0000

Current config below:

>> In my network I have unbound redirecting some sites through the proxy
>> server and checking authentication, If I redirect www.thisite.com it
>> works corectly. However, as soon as SSL is used https://www.thissite.com
>> it doesn't resolve at all. Any ideas what I have to do to enable ssl
>> redirects in unbound or squid?
>
> Handle port 443 traffic and the encrypted traffic there.
> You are only receiving port 80 traffic in this config file.

I am already redirecting 443 traffic but the proxy won't pick it up.
There is a SSL ports directive in the squid.conf so it should accept them?
For example, this line redirect all HTTP traffic but as soon as the
browser wants a SSL connection, it is dropped:
local-data: "anywhere.mysite.com. 600 IN A 109.xxx.xx.xxx"
local-zone: "identity.mysite.com." redirect

>> external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth
>
> What does this helper do exactly to earn the term "authentication"?
> TCP/IP address alone is insufficient to verify the end-users identity.
This helper checks that an IP address is contained within a database table.
If the IP address exists, then it allows them to use the proxy server.

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny to_localhost
external_acl_type time_squid_auth ttl=5 %SRC /usr/local/bin/squidauth
acl interval_auth external time_squid_auth
http_access allow interval_auth
#http_access allow all
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 80 accel vhost allow-direct
hierarchy_stoplist cgi-bin ?
#cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Received on Thu Aug 07 2014 - 20:52:11 MDT

This archive was generated by hypermail 2.2.0 : Fri Aug 08 2014 - 12:00:04 MDT