
Re: cannot browse https sites



On Thu, 2008-01-31 at 23:29 +0530, Yogesh Patil wrote:
> hi,
>     I am using Squid 2.6.STABLE17 with Fedora Core 8, & a BIND
> DNS server configured on the same box. I have configured squid as a
> transparent proxy with all default settings, and applied the iptables
> rule by using the following
> command
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>  
>     I am able to browse http websites, but when I try to open https
> sites, such as gmail.com, hotmail.com etc., I am not able to get any
> response from the proxy.
> I have also tried forwarding port 443 (https) to port 3128
> (squid) but still no success, so I think it doesn't seem to be a
> netfilter (iptables) problem; it may be a problem with the squid
> config.

Port forwarding isn't the answer.

What have you done to enable the SSL proxying in the Squid
configuration?

Why are you trying to proxy HTTPS?  If you're trying to cache it, you're
violating security, and I don't think it's going to let you do that.
Secure web browsing really needs *NO* man in the middle.

But if you're tunnelling SSL through Squid (uncached proxying), that's a
different matter (still a security risk to those wanting to use secure
websites through your proxy, not always done, but technically feasible).

The last time I set up Squid was with FC4, so it's an older version,
and options may have changed since then.  But you have to go through the
ACL rules, list the ports used for SSL, and add them to the safe ports
rule.  And allow the safe and SSL ports through the access rules.

Snippets from my configuration:
acl SSL_ports port 443 563
acl Safe_ports port 443 563 # https, snews

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Don't confuse yourself with the SSL accelerator configuration, that's
for using Squid to aid your own secure webserver, if you have one.

Have you looked at:
http://www.squid-cache.org/

-- 
(This computer runs FC7, my others run FC4, FC5 & FC6, in case that's
 important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
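As an added illustration (not part of the original message), the following Python model walks the http_access lines from the reply above the way Squid evaluates them, first match wins, and shows why an explicit CONNECT to 443 is accepted while CONNECT to an arbitrary port is refused. The `acl all src`, `acl CONNECT method CONNECT` and port 80 in Safe_ports are assumed from a default squid.conf; client addresses are not modelled.

```python
# Constructed squid.conf fragment: the ACL/http_access lines quoted in the
# reply above, plus the default-conf lines (assumed) that they rely on.
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 443 563   # http, https, snews
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""

def parse_conf(text):
    """Return (acls, rules): acls maps name -> (type, set of values);
    rules is the ordered list of (action, [acl terms])."""
    acls, rules = {}, []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == 'acl':
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, set()))[1].update(values)
        elif parts[0] == 'http_access':
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, term, method, port):
    """Evaluate one term of an http_access line; a leading '!' negates it."""
    negate = term.startswith('!')
    acl_type, values = acls[term.lstrip('!')]
    if acl_type == 'port':
        hit = str(port) in values
    elif acl_type == 'method':
        hit = method in values
    elif acl_type == 'src':
        hit = True          # assumption: every client is in-scope here
    else:
        raise ValueError('unsupported acl type: ' + acl_type)
    return hit != negate

def decide(conf_text, method, port):
    """First http_access line whose terms all match decides. If none
    matches, Squid uses the opposite of the last line's action."""
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        if all(acl_matches(acls, t, method, port) for t in terms):
            return action
    return 'deny' if rules and rules[-1][0] == 'allow' else 'allow'
```

Run `decide(SQUID_CONF, 'CONNECT', 443)` for a normal HTTPS tunnel and `decide(SQUID_CONF, 'CONNECT', 25)` to see the second deny line doing its job.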

