  1. #1
    https blocked by squid/iptables

    I connect to the internet at work through an authenticating proxy, and to avoid having to enter the proxy info into every app I use (e.g. firefox, wget, kde, etc) I have set up squid as a local transparent proxy which authenticates and routes all traffic to the work proxy. It has been working fine, but lately I haven't been able to connect to any https sites. I don't think I have changed the configuration, so perhaps it is the result of an upgrade, or something badly configured on my system from the start. I have tried connecting to https sites without squid and iptables and it works fine.

    My system is Arch Linux, and my squid.conf file is:
    acl all src all
    acl manager proto cache_object
    acl localhost src
    acl to_localhost dst
    acl SSL_ports port 443
    acl Safe_ports port 80		# http
    acl Safe_ports port 21		# ftp
    acl Safe_ports port 443		# https
    acl Safe_ports port 70		# gopher
    acl Safe_ports port 210		# wais
    acl Safe_ports port 1025-65535	# unregistered ports
    acl Safe_ports port 280		# http-mgmt
    acl Safe_ports port 488		# gss-http
    acl Safe_ports port 591		# filemaker
    acl Safe_ports port 777		# multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow !Safe_ports
    http_access allow CONNECT !SSL_ports
    http_access allow all
    icp_access allow all
    http_port transparent
    cache_peer parent 8080 8080 login=<my login info> default no-query
    never_direct allow all
    hierarchy_stoplist cgi-bin ?
    access_log /var/log/squid/access.log squid
    refresh_pattern ^ftp:		1440	20%	10080
    refresh_pattern ^gopher:	1440	0%	1440
    refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
    refresh_pattern .		0	20%	4320
    acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
    upgrade_http0.9 deny shoutcast
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    coredump_dir /var/cache/squid
    shutdown_lifetime 1 seconds
    Iptables (from iptables-save) rules are:
    :PREROUTING ACCEPT [301:41956]
    :INPUT ACCEPT [197:33165]
    :OUTPUT ACCEPT [230:13996]
    :POSTROUTING ACCEPT [230:13996]
    -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT 
    -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT 
    -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
    :INPUT ACCEPT [2894:1147620]
    :OUTPUT ACCEPT [2511:770638]
    Can anyone tell me where I'm going wrong?
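    The two things a reviewer would check first in the configuration above are (a) which destination ports the iptables REDIRECT rules actually send into squid (only --dport 80 in the posted rules, so port 443 traffic never reaches the local proxy at all), and (b) whether the http_access lines match the stock Squid defaults ("deny !Safe_ports" and "deny CONNECT !SSL_ports"; the posted config has both flipped to allow, which removes the usual port restrictions on what the local proxy will relay). The script below is an added example, not code from the original post: it embeds constructed copies of the posted nat rules and http_access lines, reports the ports redirected to squid (3128, taken from the REDIRECT target in the rules), and flags the inverted access lines. On a real system feed it the output of `iptables-save -t nat` and the contents of squid.conf instead of the embedded samples. Note that plain `http_port ... transparent` only intercepts clear-text HTTP; relaying intercepted TLS is a separate ssl-bump setup, so adding a REDIRECT for 443 to this config would not by itself make HTTPS work.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a transparent
# squid + iptables setup like the one posted.  Both inputs below are
# constructed copies of what the poster showed; on a real host use
# `iptables-save -t nat` and /etc/squid/squid.conf instead.

SQUID_PORT=3128   # the REDIRECT target in the posted rules

# Constructed sample of the nat OUTPUT rules from the post.
IPTABLES_NAT='
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
'

# Constructed sample of the http_access lines from the posted squid.conf.
SQUID_CONF='
http_access allow manager localhost
http_access deny manager
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow all
'

# Print, one per line, every --dport that is REDIRECTed to the given port.
# Args: rules text, squid port.
redirected_ports() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /-j REDIRECT/ {
            dport = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport")    dport  = $(i + 1)
                if ($i == "--to-ports") target = $(i + 1)
            }
            if (dport != "" && target == port) print dport
        }'
}

# Exit 0 if the destination port ($3) is redirected into squid, else 1.
is_intercepted() {
    redirected_ports "$1" "$2" | grep -qx "$3"
}

# Print the http_access lines that invert the stock Squid defaults
# ("deny !Safe_ports" and "deny CONNECT !SSL_ports").
risky_http_access() {
    printf '%s\n' "$1" | grep -E '^http_access allow (!Safe_ports|CONNECT !SSL_ports)'
}

main() {
    echo "ports redirected into squid: $(redirected_ports "$IPTABLES_NAT" "$SQUID_PORT" | tr '\n' ' ')"
    if is_intercepted "$IPTABLES_NAT" "$SQUID_PORT" 443; then
        echo "443 is redirected into squid"
    else
        echo "443 is NOT redirected: HTTPS never reaches squid and goes out directly"
    fi
    echo "http_access lines that invert the Squid defaults:"
    risky_http_access "$SQUID_CONF" || echo "(none)"
}
main
```

    Run against the embedded samples it reports only port 80 as redirected, says 443 is not redirected, and lists the two "allow" lines that should read "deny" in a default-style configuration.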

  2. #2 Rubberman
    Are you sure your IT people haven't changed the firewall/proxy configuration? As I have said before, if what used to work suddenly stops working, what has changed?
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3
    That's what I thought at first, but it worked if I just bypassed my proxy, so the network proxy can't be the problem. However, a couple of days ago it just mysteriously started working again, so perhaps it was just a minor bug which an update fixed or something.
