#1 2008-08-13 15:41:31

NeOnsKuLL
Member
From: Havana, Cuba
Registered: 2005-03-29
Posts: 117

[PROBLEM] Squid: I can't navigate via https

Hi all:
I'm configuring a Squid proxy. I have installed "squid 2.7.STABLE2-1". I can navigate, except via https.

This is my network config:

{ My Proxy ---> My Firewall } ---> A parent proxy (172.16.2.8:8080) (which is not under my fingers) ---> Their firewall ---> Internet

Only the part between curly braces is under my control.

On the other hand, if I try to go to "https://www.blogger.com/", I get an error similar to this:

While trying to retrieve the URL: www.blogger.com/:443

The following error was encountered:

    Unable to determine IP address from host name for 

The dnsserver returned:

    Name Error: The domain name does not exist. 

This means that:

 The cache was not able to resolve the hostname presented in the URL. 
 Check if the address is correct. 

Your cache administrator is admin@hb.minaz.cu.
Generated Wed, 13 Aug 2008 17:35:58 GMT by TEICO_STH-Proxy (squid/2.7.STABLE2)

My squid.conf:

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 172.18.1.73
acl SSL_ports port 443 563
acl Safe_ports port 80-82       # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl PASSWORD proxy_auth REQUIRED
acl PAVEL_IP src 172.18.1.73/32
acl PAVEL_MAC arp 00:15:F2:00:2B:2F
http_access allow PAVEL_IP PAVEL_MAC PASSWORD
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 172.18.1.96:3128
cache_peer 172.16.2.8 parent 8080 0 no-query default
cache_dir ufs /var/cache/squid 400 16 256
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr admin@hb.minaz.cu
visible_hostname TEICO_STH-Proxy
coredump_dir /var/cache/squid

access.log:

1218655688.570      2 172.18.1.73 TCP_MISS/404 0 CONNECT www.blogger.com:443 pavel DIRECT/- -

I have seen in some proxies with GUI admin interfaces an option called "Allow tunneled connections... (Needed for https)", and they work in my scenario, but I don't know how to implement that with squid.

See you

NeOnsKuLL



#2 2008-08-18 17:40:11

derelict
Member
Registered: 2006-07-25
Posts: 81

Re: [PROBLEM] Squid: I can't navigate via https

The error you've posted indicates that there is no DNS entry for "www.blogger.com/:443".
You can test this yourself from a non-proxied machine somewhere. Your access log is simply telling you the same thing, that the requested URL was not found in the cache either. The "404" is a telltale sign.

My first guess based on your post is that you mistyped the URL or that one or more proxies between you and the internet have a rewrite rule to prevent you from accessing the site. Try typing the full https URL without specifying the port.
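
The access.log line from the first post, read field by field (an added example, not part of the original thread): in Squid's native log format the ninth field is the hierarchy code and peer, and `DIRECT/-` means Squid tried to reach the origin itself rather than the configured `cache_peer`. The parser below flags CONNECT requests that did not go through the parent; the function names and the two extra log lines are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Squid native access.log fields, in order:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

class Entry(NamedTuple):
    status: int
    method: str
    url: str
    user: str
    hier: str   # hierarchy code, e.g. DIRECT or DEFAULT_PARENT
    peer: str   # host Squid forwarded to, "-" if none was contacted

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(int(m["status"]), m["method"], m["url"],
                 m["user"], m["hier"], m["peer"])

def report(lines, parent_ip):
    """List CONNECT requests that were not forwarded to the parent proxy."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e and e.method == "CONNECT" and e.peer != parent_ip:
            findings.append((e.url, e.user, e.hier, e.status))
    return findings

# First line is the one quoted in the thread; the other two are constructed.
SAMPLE = [
    "1218655688.570      2 172.18.1.73 TCP_MISS/404 0 CONNECT www.blogger.com:443 pavel DIRECT/- -",
    # constructed: the same tunnel, forwarded to the parent from squid.conf
    "1218655701.112    845 172.18.1.73 TCP_MISS/200 3120 CONNECT www.blogger.com:443 pavel DEFAULT_PARENT/172.16.2.8 -",
    "1218655650.004    120 172.18.1.73 TCP_MISS/200 5120 GET http://www.archlinux.org/ pavel DEFAULT_PARENT/172.16.2.8 text/html",
]

if __name__ == "__main__":
    for finding in report(SAMPLE, "172.16.2.8"):
        print(finding)
```

Whether Squid may go direct instead of using a `cache_peer` is governed by its `always_direct` and `never_direct` access lists.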
