Results 1 to 3 of 3
Hi I connect to the internet at work through an authenticating proxy, and to avoid having to enter the proxy info into every app I use (e.g. firefox, wget, kde, ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 11-29-2010 #1
- Join Date
- Sep 2009
https blocked by squid/iptables
I connect to the internet at work through an authenticating proxy, and to avoid having to enter the proxy info into every app I use (e.g. firefox, wget, kde, etc) I have set up squid as a local transparent proxy which authenticates and routes all traffic to the work proxy. It has been working fine, but lately I haven't been able to connect to any https sites. I don't think I have changed the configuration, so perhaps it is the result of an upgrade, or something badly configured on my system from the start. I have tried connecting to https sites without squid and iptables and it works fine.
My system is Arch linux, and my squid.conf file is:
acl all src all acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access allow !Safe_ports http_access allow CONNECT !SSL_ports http_access allow all icp_access allow all http_port 127.0.0.1:3128 transparent cache_peer 192.168.10.50 parent 8080 8080 login=<my login info> default no-query never_direct allow all hierarchy_stoplist cgi-bin ? access_log /var/log/squid/access.log squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9] upgrade_http0.9 deny shoutcast acl apache rep_header Server ^Apache broken_vary_encoding allow apache coredump_dir /var/cache/squid shutdown_lifetime 1 seconds
*nat :PREROUTING ACCEPT [301:41956] :INPUT ACCEPT [197:33165] :OUTPUT ACCEPT [230:13996] :POSTROUTING ACCEPT [230:13996] -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 COMMIT *filter :INPUT ACCEPT [2894:1147620] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [2511:770638] COMMIT
- 12-08-2010 #2
- Join Date
- Apr 2009
- I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
Are you sure your IT people haven't changed the firewall/proxy configuration? As I have said before, if what used to work suddenly stops working, what has changed?Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 12-09-2010 #3
- Join Date
- Sep 2009
That's what I thought at first, but it worked if I just bypassed my proxy, so the network proxy can't be the problem. However, a couple of days ago it just mysteriously started working again, so perhaps it was just a minor bug which an update fixed or something.