Hey Ali,
You seem to have hit upon a bug in the squid code-base. I am copying
a patch to fix this bug(somehow i am unable to add attachment). If you
are unable to apply the patch directly,because of code version, just
apply it manually. Its a one liner.
Let us know how it goes.
Patch:
=== modified file 'src/client_side.cc'
--- src/client_side.cc 2011-03-02 07:27:24 +0000
+++ src/client_side.cc 2011-03-02 20:54:41 +0000
@@ -2016,21 +2016,21 @@
return; /* already in good shape */
/* BUG: Squid cannot deal with '*' URLs (RFC2616 5.1.2) */
+ // BUG 2976: Squid only accepts intercepted HTTP.
if ((host = mime_get_header(req_hdr, "Host")) != NULL) {
int url_sz = strlen(url) + 32 + Config.appendDomainLen +
strlen(host);
http->uri = (char *)xcalloc(url_sz, 1);
- snprintf(http->uri, url_sz, "%s://%s%s",
- conn->port->protocol, host, url);
+ snprintf(http->uri, url_sz, "http://%s%s",
/*conn->port->protocol*/, host, url);
debugs(33, 5, "TRANSPARENT HOST REWRITE: '" << http->uri <<"'");
} else {
/* Put the local socket IP address as the hostname. */
int url_sz = strlen(url) + 32 + Config.appendDomainLen;
http->uri = (char *)xcalloc(url_sz, 1);
http->getConn()->me.ToHostname(ipbuf,MAX_IPSTRLEN),
- snprintf(http->uri, url_sz, "%s://%s:%d%s",
- http->getConn()->port->protocol,
+ snprintf(http->uri, url_sz, "http://%s:%d%s",
+ // http->getConn()->port->protocol,
ipbuf, http->getConn()->me.GetPort(), url);
debugs(33, 5, "TRANSPARENT REWRITE: '" << http->uri << "'");
}
On Tue, Dec 18, 2012 at 8:58 PM, Ali Jawad <alijawad1_at_gmail.com> wrote:
> OK I finally know what the problem is, I did use tcpdump and when I do
> make an ssl request squid intercepts it and sends it as http to the
> destination website, this causes the website to redirect to https and
> then squid in turn makes another http request, I did make a few tests
> with different sites an I am sure about this.
>
> Any clues about what I did wrong to cause this ? I did try with
> https_port intercept and with ssl-bump + both.
>
> Thanks !
>
> On Tue, Dec 18, 2012 at 12:41 PM, Ali Jawad <alijawad1_at_gmail.com> wrote:
>> Hi
>> I am trying to setup a squid proxy with transparent https, but I am
>> getting "Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many
>> redirects." I am using the default CentOS installation with
>> --enable-ssl "3.1". http is working fine, for https I get the ssl
>> certificate error page and then the loop error. My config is pretty
>> simple and I did try to change from intercept to sslbump and a
>> combination of both, but nothing of that seems to make any
>> difference.The problem is the same for all https sites.
>>
>> See below, the config please :
>>
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32 ::1
>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>> acl trusted src all # internal IP from venet0:1 and ISP IP (Cable/DSL)
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow trusted
>> http_access allow localhost
>> http_access deny all
>> http_port 0.0.0.0:3128
>> http_port 0.0.0.0:8128 transparent
>> https_port 0.0.0.0:8129 transparent ssl-bump intercept
>> cert=/usr/local/squid/CA/servercert.pem
>> key=/usr/local/squid/CA/serverkey.pem
>> debug_options ALL,3
>> coredump_dir /var/spool/squid3
>> cache deny all
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>> request_header_access Proxy-Connection deny all
>> request_header_access X-Forwarded-For deny all
>> request_header_access Connection deny all
>> request_header_access Via deny all
>> forwarded_for off
-- Regards, -Ahmed Talha KhanReceived on Tue Dec 18 2012 - 19:36:04 MST
This archive was generated by hypermail 2.2.0 : Wed Dec 19 2012 - 12:00:15 MST