https blocked by squid/iptables

[aquavitae]

Hi

I connect to the internet at work through an authenticating proxy, and to avoid having to enter the proxy info into every app I use (e.g. firefox, wget, kde, etc) I have set up squid as a local transparent proxy which authenticates and routes all traffic to the work proxy. It has been working fine, but lately I haven't been able to connect to any https sites. I don't think I have changed the configuration, so perhaps it is the result of an upgrade, or something badly configured on my system from the start. I have tried connecting to https sites without squid and iptables and it works fine.

My system is Arch linux, and my squid.conf file is:

Code:

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow all
icp_access allow all
http_port 127.0.0.1:3128 transparent
cache_peer 192.168.10.50 parent 8080 8080 login=<my login info> default no-query
never_direct allow all
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
coredump_dir /var/cache/squid
shutdown_lifetime 1 seconds

Iptables (from iptables-save) rules are:

Code:

*nat
:PREROUTING ACCEPT [301:41956]
:INPUT ACCEPT [197:33165]
:OUTPUT ACCEPT [230:13996]
:POSTROUTING ACCEPT [230:13996]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
COMMIT

*filter
:INPUT ACCEPT [2894:1147620]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2511:770638]
COMMIT

Can anyone tell me where I'm going wrong?

[Rubberman]

Are you sure your IT people haven't changed the firewall/proxy configuration? As I have said before, if what used to work suddenly stops working, what has changed?

[aquavitae]

That's what I thought at first, but it worked if I just bypassed my proxy, so the network proxy can't be the problem. However, a couple of days ago it just mysteriously started working again, so perhaps it was just a minor bug which an update fixed or something.