I am trying to set up Squid as a proxy with HTTPS support.
No matter what I try, I cannot get CONNECT methods to work (via both HTTP and HTTPS protocols).
The problem seems to be very strange and unique, because the connection URL gets converted to something odd.
When I have the never_direct allow all option enabled, here is what I get:
TCP_MISS/503 0 CONNECT https:443 - NONE/- -
TCP_MISS/503 0 CONNECT http:443 - NONE/- -
TCP_HIT/301 647 GET https://google.com/ - NONE/- text/html
Without this option, the logs turn into:
TCP_MISS/404 0 CONNECT https:443 - DIRECT/- -
TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
Note, how "//google.com" turns into ":443".
Here is the part of the detailed log where this mysterious turn occurs:
2014/02/04 22:29:38.958| The request CONNECT https://google.com is ALLOWED, because it matched 'all'
2014/02/04 22:29:38.958| cbdataReferenceValid: 0x9e468a8
2014/02/04 22:29:38.958| cbdataReferenceValid: 0x9e468a8
2014/02/04 22:29:38.958| AccessCheck.cc(31) Start: adaptation off, skipping
2014/02/04 22:29:38.958| client_side_request.cc(1351) doCallouts: Doing calloutContext->clientAccessCheck2()
2014/02/04 22:29:38.958| client_side_request.cc(556) clientAccessCheck2: No adapted_http_access configuration.
2014/02/04 22:29:38.958| The request CONNECT https:443 is ALLOWED, because it matched 'all'
My configuration:
acl all src
acl localnet src 10.0.0.0/8
acl localnet src 192.168.1.0/24 # Your network here
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 1025-65535
acl sslports port 443 563 81 2087 10000
acl manager proto cache_object
acl purge method PURGE
http_access allow manager localhost
http_access allow purge localhost
http_access allow localhost
http_access allow localnet
http_access allow sslports
acl SSL method CONNECT
acl POST method POST
http_access allow all
never_direct allow all
http_port 3128
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /home/precise/cache 1024 16 256
maximum_object_size 128000 KB
cache_swap_low 95
cache_swap_high 99
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
debug_options ALL,9
cache_store_log none
logfile_rotate 5
log_icp_queries off
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 13 KB
vary_ignore_expire on
#
# ANONYMITY OPTIONS
# ===============
#
request_header_access From deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
#
# TIMEOUTS
# =======
#
forward_timeout 240 second
connect_timeout 30 second
peer_connect_timeout 5 second
read_timeout 600 second
request_timeout 60 second
shutdown_lifetime 10 second
cache_mgr vps
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
visible_hostname vps
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
dns_timeout 10 seconds
dns_nameservers 192.168.1.1 188.8.131.52 184.108.40.206 # DNS Server
memory_pools off
client_db off
reload_into_ims on
coredump_dir /cache
pipeline_prefetch on
offline_mode off
error_default_language en-us
This is the version output:
# /usr/local/squid/sbin/squid -v
Squid Cache: Version 3.1.19
configure options: '--enable-ecap' '--enable-removal-policies=lru heap' '--with-default-user=proxy' '--enable-ssl' '--enable-storeio=ufs aufs' '--with-large-files' '--enable-icap-client' --with-squid=/root/squid-3.1.19 --enable-ltdl-convenience
When I use the one installed from Ubuntu 12.04 with the same configuration, I cannot even get "GET https://google.com" to work.
On 5/02/2014 12:49 p.m., b0tm1nd wrote:
> I am trying to set up Squid as a proxy with HTTPS support.
> No matter what I try, I cannot get CONNECT methods to work (via both HTTP
> and HTTPS protocols).
Problem 1) CONNECT is not valid in HTTPS. It is a client->proxy method
and only expected to work in HTTP where proxies are defined to exist.
HTTPS is defined to be an end-to-end client->origin server connection.
> The problem seems to be very strange and unique, because the connection URL
> gets converted to something odd.
> When I have the *never_direct allow all* option enabled, here is what I get:
> CONNECT https://google.com
> CONNECT http://google.com
> GET https://google.com
Problem 2) none of the above are valid HTTP requests.
This is what valid equivalent requests would look like:
CONNECT google.com:443 HTTP/1.1
CONNECT google.com:80 HTTP/1.1
GET https://google.com/ HTTP/1.1
This might help
> TCP_MISS/503 0 CONNECT https:443 - NONE/- -
> TCP_MISS/503 0 CONNECT http:443 - NONE/- -
> TCP_HIT/301 647 GET https://google.com/ - NONE/- text/html
> Without this option, the logs turn into:
> TCP_MISS/404 0 CONNECT https:443 - DIRECT/- -
> TCP_MISS/404 0 CONNECT http:443 - DIRECT/- -
> Note, how "//google.com" turns into ":443".
Strange. Your Squid is assuming that anything using CONNECT is port 443.
I usually see text strings being converted to the value 0.
> Here is the part of the detailed log where this mysterious turn occurs:
> My configuration:
> This is the version output:
Email strangely missing any of your embedded details ... oh wait. Nabble
bites again. :-(
> When I use the one installed from Ubuntu 12.04 with the same configuration,
> I cannot even get "GET https://google.com" to work.
Squid and OpenSSL licenses clash a little bit. The Debian and Ubuntu OS
distributors have chosen for legal policy reasons not to provide a Squid
binary with HTTPS support so long as that support requires OpenSSL to be
linked to Squid.
You will need to build your own Squid with --enable-ssl or somewhere
locate a Squid .deb package with SSL support enabled. I don't know where
one might be found, sorry.
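The two points made above, that CONNECT takes a bare host:port target and that every proxy request line needs an HTTP-version, can be checked mechanically. The following is an added example written for this thread, not code from the Squid project or from any poster: it validates proxy request lines against the authority-form / absolute-form rules, builds a correct CONNECT request, and runs a small Squid access.log parser over the log lines quoted earlier in the thread to flag entries whose "host" is really a URI scheme name. That last heuristic is an inference from the thread's own logs (where "CONNECT https://google.com" was recorded as "https:443"), not documented Squid behaviour, and the function and variable names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# RFC 7231 section 4.3.6: the request-target of CONNECT is authority-form,
# "host:port", with no scheme and no path. A bracketed IPv6 literal is allowed.
_AUTHORITY = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(?P<port>\d{1,5})$"
)

# Hostnames that are really URI scheme names. In the thread above,
# "CONNECT https://google.com" was logged by Squid as "CONNECT https:443",
# so a scheme name in the host position is a strong sign that the client
# sent a URL where host:port was required (heuristic inferred from those
# logs, not documented Squid behaviour).
_SCHEME_NAMES = {"http", "https", "ftp"}


def parse_connect_target(target: str) -> Optional[tuple[str, int]]:
    """Return (host, port) for a well-formed authority-form target, else None."""
    m = _AUTHORITY.match(target)
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host"), port


def build_connect_request(host: str, port: int = 443) -> str:
    """Build the request a client sends to an HTTP proxy to open a tunnel."""
    target = f"{host}:{port}"
    if parse_connect_target(target) is None:
        raise ValueError(f"not a valid authority-form target: {target!r}")
    # HTTP/1.1 requires a Host header; for CONNECT it repeats the target.
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"


def request_line_problem(line: str) -> Optional[str]:
    """Describe why a proxy request line is invalid, or return None if it is fine."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "missing HTTP-version: the form is 'METHOD target HTTP/1.1'"
    method, target, _version = parts
    if method == "CONNECT":
        if parse_connect_target(target) is None:
            return "CONNECT target must be host:port, with no scheme or path"
        return None
    # Any other method sent to a proxy uses absolute-form: scheme://host/path.
    if not re.match(r"^https?://[^/\s]+/", target):
        return "proxy requests need an absolute URL including the path, e.g. https://host/"
    return None


# Squid native access.log columns:
#   time elapsed client code/status bytes method URL ident hier/peer type
# The poster trimmed the first three columns, so both shapes are accepted.
_LOG = re.compile(
    r"^(?:(?P<ts>[\d.]+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+)?"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)


@dataclass
class Finding:
    url: str
    status: int
    note: str


def audit_access_log(text: str) -> list[Finding]:
    """Flag CONNECT log entries with bogus targets or failed tunnels."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = _LOG.match(raw.strip())
        if not m or m.group("method") != "CONNECT":
            continue
        url, status = m.group("url"), int(m.group("status"))
        parsed = parse_connect_target(url)
        if parsed is None:
            findings.append(Finding(url, status, "target is not host:port"))
        elif parsed[0].lower() in _SCHEME_NAMES:
            findings.append(Finding(url, status,
                "host is a URI scheme name: the client sent 'CONNECT scheme://...' instead of host:port"))
        elif status >= 500:
            findings.append(Finding(url, status,
                "well-formed target but the tunnel failed: check never_direct, cache_peer and outbound connectivity"))
    return findings


# Access.log lines copied from the posts in this thread (first columns trimmed by the poster).
THREAD_LOG = """\
TCP_MISS/503 0 CONNECT https:443 - NONE/- -
TCP_MISS/503 0 CONNECT http:443 - NONE/- -
TCP_HIT/301 647 GET https://google.com/ - NONE/- text/html
TCP_MISS/404 0 CONNECT https:443 - DIRECT/- -
TCP_MISS/503 0 CONNECT www.google.com:443 - NONE/- -
"""


if __name__ == "__main__":
    for line in ("CONNECT https://google.com", "CONNECT google.com:443 HTTP/1.1",
                 "GET https://google.com", "GET https://google.com/ HTTP/1.1"):
        print(f"{line!r}: {request_line_problem(line) or 'ok'}")
    print(build_connect_request("google.com").encode())
    for f in audit_access_log(THREAD_LOG):
        print(f"{f.status} {f.url}: {f.note}")
```

Run as a script it prints the verdict for the four request lines discussed above, the exact bytes a client should send for a tunnel to google.com:443, and one finding per CONNECT line in the quoted log. The last log line (www.google.com:443 with a 503) is the case from the later follow-up in this thread: the target is now well-formed, so the audit no longer blames the client syntax and instead points at the proxy's outbound path (never_direct allow all with no cache_peer defined leaves Squid nowhere to forward the tunnel).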
> Squid and OpenSSL licenses clash a little bit. The Debian and Ubuntu OS
> distributors have chosen for legal policy reasons not to provide a Squid
> binary with HTTPS support so long as that support requires OpenSSL to be
> linked to Squid.
> You will need to build your own Squid with --enable-ssl or somewhere
> locate a Squid .deb package with SSL support enabled. I don't know where
> one might be found, sorry.
The following HOWTO shows how to rebuild stock Squid in Ubuntu 13.10 *with* all flags required for HTTPS filtering.
Thanks for the replies everyone!
In fact, I had figured out by myself that the stock Ubuntu 12.04 (at least) Squid does not provide SSL/HTTPS support, so I compiled it myself. After this, "GET https://.." requests started working, but none of the CONNECT ones did.
It was also correct that, when I was testing the proxy via telnet, I used the wrong syntax for the CONNECT method.
Here is the result from access.log produced by Firefox:
TCP_MISS/503 0 CONNECT www.google.com:443 - NONE/- -
The host is now shown correctly, but it still throws a 503 error.
I thought the best I could get now was a guide on how to compile Squid with SSL (probably --enable-ssl was not enough).
And thanks to Rafael Akchurin, it seems like I've just received it!
Will try now to compile again using the guide and see if anything changed.