Old 01-31-2008, 04:59 PM
"Yogesh Patil"
 
cannot browse https sites

hi,
I am using SQUID 2.6.STABLE17 with fedora core 8, & BIND
DNS SERVER configured on the same box. I have configured squid as
transparent proxy with all default settings, and applied iptables
rule by using the following command:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

I am able to browse http websites, but when I try to open https sites, such as gmail.com, hotmail.com etc., I am not able to get any response from the proxy.

I have also tried forwarding the 443 (https) port to the 3128 (squid) port but still no success, so I think it doesn't seem to be a netfilter (iptables) problem; it may be a problem with the squid config. Can anybody please help me out with this?
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 01-31-2008, 10:54 PM
Tim
 
cannot browse https sites

On Thu, 2008-01-31 at 23:29 +0530, Yogesh Patil wrote:
> hi,
> I am using SQUID 2.6.STABLE17 with fedora core 8, & BIND
> DNS SERVER configured on the same box, i have configured squid as
> transparent proxy with all default settings , and applied iptables
> rule by using the following
> command
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> i am able to browse http websites, but when i try to open https
> sites, such as, gmail.com, hotmail.com etc.. i am not able to get any
> response from the proxy.
> i have also tried forwarding the 443 (https) port to the 3128
> (squid) port but still no success, so i think it doesn't seem to be a
> netfilter (iptables) problem, it may be a problem with the squid
> config,

Port forwarding isn't the answer.

What have you done to enable the SSL proxying in the Squid
configuration?

Why are you trying to proxy HTTPS? If you're trying to cache it, you're
violating security, and I don't think it's going to let you do that.
Secure web browsing really needs *NO* man in the middle.

But if you're tunnelling SSL through Squid (uncached proxying), that's a
different matter (still a security risk to those wanting to use secure
websites through your proxy, not always done, but technically feasible).

The last time I set up Squid, was with FC4, so it's an older version,
and options may have changed since then. But you have to go through the
ACL rules, list the ports used for SSL, and add them to the safe ports
rule. And allow the safe and SSL ports through the access rules.

Snippets from my configuration:
acl SSL_ports port 443 563
acl Safe_ports port 443 563 # https, snews

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Don't confuse yourself with the SSL accelerator configuration, that's
for using Squid to aid your own secure webserver, if you have one.

Have you looked at:
http://www.squid-cache.org/

--
(This computer runs FC7, my others run FC4, FC5 & FC6, in case that's
important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
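
Added example, not part of either post above: a Python sketch of why redirecting port 443 to Squid's port 3128 gets no response while an explicit CONNECT request can be matched against the two http_access rules quoted in the reply. The sample byte strings are constructed, port 80 in Safe_ports is an assumption (the reply shows only 443 and 563), and "allow" assumes a later http_access rule permits the client.

```python
SSL_PORTS = {443, 563}        # acl SSL_ports port 443 563
SAFE_PORTS = {80, 443, 563}   # acl Safe_ports port 443 563 (80 added as an assumption)

def is_tls_record(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def parse_request_line(data: bytes):
    """Return (method, port) from an HTTP request line, or None if it is not one."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target = parts[0], parts[1]
    if method == "CONNECT":                    # CONNECT host:port HTTP/1.x
        _, _, port = target.rpartition(":")
        return (method, int(port)) if port.isdigit() else None
    if target.startswith("http://"):           # absolute URI sent to a configured proxy
        authority = target[7:].split("/", 1)[0]
        _, sep, port = authority.rpartition(":")
        return method, int(port) if sep and port.isdigit() else 80
    return method, 80                          # origin-form path: intercepted port-80 traffic

def decide(data: bytes) -> str:
    """Return 'not-http', 'deny' or 'allow' for a client's opening bytes."""
    if is_tls_record(data):
        return "not-http"                      # a TLS handshake has no request line to match
    request = parse_request_line(data)
    if request is None:
        return "not-http"
    method, port = request
    if port not in SAFE_PORTS:                 # http_access deny !Safe_ports
        return "deny"
    if method == "CONNECT" and port not in SSL_PORTS:   # http_access deny CONNECT !SSL_ports
        return "deny"
    return "allow"

# Constructed samples of what arrives on port 3128 in each setup.
REDIRECTED_443 = bytes.fromhex("16030100c8010000c40301")   # start of a TLS ClientHello
INTERCEPTED_80 = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
EXPLICIT_CONNECT = b"CONNECT mail.example.com:443 HTTP/1.1\r\n\r\n"
CONNECT_PORT_25 = b"CONNECT mail.example.com:25 HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name in ("REDIRECTED_443", "INTERCEPTED_80", "EXPLICIT_CONNECT", "CONNECT_PORT_25"):
        print(f"{name:17} -> {decide(globals()[name])}")
```

The CONNECT case only occurs when the browser is configured to use the proxy explicitly; traffic redirected by iptables never contains it.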
