Re: [squid-users] unbound and squid not resolving SSL sites

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Wed, 20 Aug 2014 04:12:46 +0300

I wasn't sure but I am now.
You are doing something wrong and I cannot tell what exactly.
Try to share this script output:
http://www1.ngtech.co.il/squid/basic_data.sh

There are missing parts in the whole setup such as clients IP and server
IP, what GW are you using, etc.

Eliezer

On 08/19/2014 02:37 PM, squid_at_proxyplayer.co.uk wrote:
>
>> Take a look at:
>> http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP
>>
>> Your squid.conf seems to be too incomplete to allow SSL-Bump to work.
>>
>> Eliezer
>
> I recompiled to 3.4.6 and ran everything in your page there.
> squid started correctly.
> However, it is the same problem. Any https page that I had configured
> does not resolve. It is being redirected by unbound but as soon as it
> hits the proxy, it just gets dropped somehow:
>
> # Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [5454:2633080]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
> -A INPUT -s 213.171.217.173/32 -p udp -m udp --dport 161 -m state
> --state NEW -j ACCEPT
> -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 161 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
> -A INPUT -p udp -m udp --dport 3306 -m state --state NEW -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -m state --state NEW -j ACCEPT
> COMMIT
> # Completed on Tue Aug 19 03:14:13 2014
> # Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
> *nat
> :PREROUTING ACCEPT [23834173:1866373947]
> :POSTROUTING ACCEPT [22194:1519446]
> :OUTPUT ACCEPT [22194:1519446]
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
> -A POSTROUTING -s 0.0.0.0/32 -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Tue Aug 19 03:14:13 2014
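Added here as an example, not part of the thread: a shell check that reads an iptables-save dump and reports, for each nat REDIRECT rule, whether the filter INPUT chain explicitly ACCEPTs the port the packet is redirected to. That is the port INPUT actually sees, because nat PREROUTING rewrites the destination port before the filter INPUT chain is evaluated. The sample ruleset is a constructed subset of the dump quoted above, and check_redirect_ports is the example's own name.

```shell
#!/bin/sh
# Constructed sample: the lines from the posted iptables-save dump that matter
# for the redirect (nat PREROUTING rewrites dport 443 -> 3130 before the packet
# reaches the filter INPUT chain, so INPUT sees dport 3130, not 443).
POSTED_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
COMMIT'

# check_redirect_ports RULES
# For every REDIRECT rule in the nat table, report whether the filter INPUT
# chain explicitly ACCEPTs the redirect target port for the same protocol.
# Prints one "<proto>/<port> accepted|MISSING" line per target, sorted.
# A --to-ports range (e.g. 3128-3130) is compared literally, not expanded.
check_redirect_ports() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }   # table header: *filter, *nat
        $1 != "-A" { next }                      # only rule lines matter
        {
            proto = "any"; port = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") port = $(i + 1)
                else if ($i == "--to-ports") to = $(i + 1)
            }
        }
        table == "filter" && $2 == "INPUT" && / -j ACCEPT/ && port != "" {
            accepted[proto "/" port] = 1
        }
        table == "nat" && / -j REDIRECT/ && to != "" {
            targets[proto "/" to] = 1
        }
        END {
            for (k in targets) {
                status = (k in accepted) ? "accepted" : "MISSING"
                print k, status
            }
        }' | sort
}

check_redirect_ports "$POSTED_RULES"
```

Run it against the real output of `iptables-save` on the proxy host to see whether every redirect target port has a matching INPUT accept rule.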
Received on Wed Aug 20 2014 - 01:12:53 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 20 2014 - 12:00:06 MDT