RE: [squid-users] secure web sites wont show on my clients

From: <trainier@dont-contact.us>
Date: Mon, 31 Oct 2005 15:16:42 -0500

> I have a brand new Gentoo Linux install set up with the following:
>
> Arno's Firewall 1.8.4d is firewalling my internet connection and
> forwarding all outgoing port 80 traffic through a transparent proxy
> setup.

Cool. Is it doing the same for outgoing port 443?
If not, that's why secure websites aren't working.

Tim Rainier
Information Services, Kalsec, INC
trainier@kalsec.com

> > -----Original Message-----
> > From: rance@frontiernet.net [mailto:rance@frontiernet.net]
> > Sent: Saturday, October 29, 2005 4:35 PM
> > To: squid-users@squid-cache.org
> > Subject: [squid-users] secure web sites wont show on my clients
> >
> >
> > I have a brand new Gentoo Linux install set up with the following:
> >
> > Arno's Firewall 1.8.4d is firewalling my internet connection and
> > forwarding all outgoing port 80 traffic through a transparent proxy
> > setup.
> >
>
> Is it preventing clients from accessing the outside world on port 443?
>
> > dnsmasq is both my dns server and dhcp server (both of these
> > work no problem.
> >
> > I've installed dansguardian with the default config file (for now)
> >
> > I've installed squid 2.5 stable11 with an altered
> > /etc/squid/squid.conf file.
> >
> > My sequence is internal internet request -> dansguardian -> squid ->
> > out to internet
> >
> > I just couldn't follow all the comments in such a large config
> > file so I
> > copied the sample one that comes with squid to squid.conf.sample
> >
> > and started over with a blank squid.conf file
> >
> > here it is:
> >
> >
> > http_port 127.0.0.1:3128
> > httpd_accel_host virtual
> > httpd_accel_port 80
> > httpd_accel_with_proxy on
> > httpd_accel_uses_host_header on
> >
> >
> > acl all src 0.0.0.0/0.0.0.0
> > acl localhost src 127.0.0.1
> > follow_x_forwarded_for allow localhost
> > acl_uses_indirect_client on
> > delay_pool_uses_indirect_client on
> > log_uses_indirect_client on
> >
> >
> > acl homenet src 192.168.0.0/24
> >
> > http_access allow localhost
> > http_access allow homenet
> > http_access deny all
> >
> > Ok:
> >
> > this setup seems to work for regular port 80 traffic ok
>
> So Squid is working fine...
>
> >
> > (please note, I'm going for an unfiltered setup for now, I
> > want to make
> > sure everything that needs to work does, BEFORE the access
> > rules start
> > changing stuff, I want to know for sure that my problem was
> > in my last
> > rule change, not a setup issue
> >
> > My problem with this setup is web sites that require you to log in.
> >
> > EG www.hotmail.com
> >
> > don't work for the log in part.
> >
> > there are no error messages, just timeouts on the connection and
> > windows shows the DNS error page.
>
> It's likely not a squid problem. You can't intercept SSL traffic
> (and it doesn't look like you are trying), so you have to let it go
> direct, (and obviously let the responses back in). Check your firewall
> rules.
>
> >
> > What am I missing? Is it safe_ports? (I read about those in
> > my master
> > copy of the .conf.default file)
> >
> > I want to make sure that squid allows all of my normal
> > traffic before I
> > start restricting any.
> >
> > Could someone please tell me what I've missed here, Thanks
> >
> > Rance
> >
> >
>
> Chris
Received on Mon Oct 31 2005 - 13:16:27 MST
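
Added example (not part of the original messages): a small Python check for the point both replies make, run over `iptables-save` output. It reports whether TCP port 443 is intercepted in `nat`/`PREROUTING` or allowed through `filter`/`FORWARD`. The sample rulesets, the interface names `eth0`/`eth1` and the proxy port 8080 are constructed assumptions, and rule matching is simplified to protocol, destination port and connection state.

```python
import shlex

# Constructed iptables-save output for a gateway like the one in the thread:
# port 80 is redirected to the local proxy, nothing lets port 443 through.
SAMPLE_BROKEN = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""
# Same ruleset plus one rule letting LAN clients reach port 443 directly.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("-A FORWARD -i eth1 -p udp",
    "-A FORWARD -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT\n-A FORWARD -i eth1 -p udp")

def _opts(rule):
    """Map each option on one '-A' line to its value ('!' negation not handled)."""
    tok = shlex.split(rule)
    return {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}

def _matches_new_tcp(o, port):
    """True if the rule would match a NEW TCP connection to `port`."""
    ports = o.get("--dport") or o.get("--dports")  # ranges like 80:443 not handled
    state = o.get("--state") or o.get("--ctstate")
    return (o.get("-p", "tcp") == "tcp"
            and (not ports or str(port) in ports.split(","))
            and (not state or "NEW" in state.split(",")))

def check_https_path(save_text, port=443):
    """Return whether `port` is NAT-intercepted and the FORWARD verdict for it."""
    table, policy, nat_hit, verdict = None, "ACCEPT", False, None
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":FORWARD") and table == "filter":
            policy = line.split()[1]          # chain default when no rule matches
        elif line.startswith("-A") and _matches_new_tcp(o := _opts(line), port):
            if table == "nat" and o["-A"] == "PREROUTING":
                nat_hit = nat_hit or o.get("-j") in ("REDIRECT", "DNAT")
            elif table == "filter" and o["-A"] == "FORWARD" and verdict is None:
                verdict = o["-j"] if o.get("-j") in ("ACCEPT", "DROP", "REJECT") else None
    return {"intercepted": nat_hit, "forward": verdict or policy}

if __name__ == "__main__":
    print(check_https_path(SAMPLE_BROKEN), check_https_path(SAMPLE_FIXED))
```

A result of `intercepted: False` with `forward: DROP` matches the symptom in the thread: port 80 works through the proxy while HTTPS connections time out.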
