Re: cannot browse https sites

On Thu, 2008-01-31 at 23:29 +0530, Yogesh Patil wrote:
> hi,
> I am using SQUID 2.6.STABLE17 with fedora core 8, & BIND
> DNS SERVER configured on the same box, i have configured squid as
> transparent proxy with all default settings , and applied iptables
> rule by using the following
> command
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> i am able to browse http websites, but when i try to open https
> sites, such as, gmail.com, hotmail.com etc.. i am not able to get any
> response from the proxy.
> i have also tryied with forwarding 443 (https) port to the 3128
> (squid) port but still no success., so i think it doesnt seems to be
> netfilter (iptables) problem, it may be problem with the squid
> config,

Port forwarding isn't the answer.

What have you done to enable the SSL proxying in the Squid configuration?

Why are you trying to proxy HTTPS? If you're trying to cache it, you're violating security, and I don't think it's going to let you do that. Secure web browsing really needs *NO* man in the middle.

But if you're tunnelling SSL through Squid (uncached proxying), that's a different matter (still a security risk to those wanting to use secure websites through your proxy, not always done, but technically feasible).

The last time I set up Squid, was with FC4, so it's an older version, and options may have changed since then. But you have to go through the ACL rules, list the ports used for SSL, and add them to the safe ports rule. And allow the safe and SSL ports through the access rules.

Snippets from my configuration:
acl SSL_ports port 443 563
acl Safe_ports port 443 563 # https, snews

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related redhat.com Links fedora-list pump-list redhat-announce-list redhat-devel-list redhat-install-list redhat-list redhat-watch-list Request more information about Pantek

Don't confuse yourself with the SSL accelerator configuration, that's for using Squid to aid your own secure webserver, if you have one.

Have you looked at:
http://www.squid-cache.org/

-- 
(This computer runs FC7, my others run FC4, FC5 & FC6, in case that's
 important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: 
https://www.redhat.com/mailman/listinfo/fedora-list