Re: cannot browse https sites

On Thu, 2008-01-31 at 23:29 +0530, Yogesh Patil wrote:
> hi, 
>     I am using SQUID 2.6.STABLE17 with fedora core 8, & BIND
> DNS SERVER configured on the same box, i have configured squid as
> transparent proxy with all default settings , and applied iptables
> rule by using the following
> command
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>  
>     I am able to browse http websites, but when I try to open https
> sites, such as gmail.com, hotmail.com etc., I am not able to get any
> response from the proxy.
> I have also tried forwarding port 443 (https) to port 3128
> (squid) but still no success, so I think it doesn't seem to be a
> netfilter (iptables) problem; it may be a problem with the squid
> config.

Port forwarding isn't the answer.

What have you done to enable the SSL proxying in the Squid
configuration?

Why are you trying to proxy HTTPS?  If you're trying to cache it, you're
violating security, and I don't think it's going to let you do that.
Secure web browsing really needs *NO* man in the middle.

But if you're tunnelling SSL through Squid (uncached proxying), that's a
different matter (still a security risk to those wanting to use secure
websites through your proxy, not always done, but technically feasible).

The last time I set up Squid was with FC4, so it's an older version,
and options may have changed since then.  But you have to go through the
ACL rules, list the ports used for SSL, and add them to the safe ports
rule.  And allow the safe and SSL ports through the access rules.

Snippets from my configuration:
acl SSL_ports port 443 563
acl Safe_ports port 443 563 # https, snews

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

Don't confuse yourself with the SSL accelerator configuration, that's
for using Squid to aid your own secure webserver, if you have one.

Have you looked at:
http://www.squid-cache.org/

-- 
(This computer runs FC7, my others run FC4, FC5 & FC6, in case that's
 important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
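The two snippets above do their work because of how Squid evaluates http_access lines: rules are tried in order, a line matches only when every ACL listed on it matches, a leading `!` negates an ACL, and if no line matches the result is the opposite of the last line. The `deny CONNECT !SSL_ports` line is the one that keeps the proxy from being used as a raw TCP tunnel to arbitrary ports. The script below is an added example written for this archive page, not code from the thread or from the Squid project; it models only `port`, `method` and `src` ACLs, and the configuration it evaluates is constructed: the two quoted snippets plus the `Safe_ports port 80` and `acl CONNECT method CONNECT` lines that Squid's stock squid.conf also carries, and an assumed `localnet` / `deny all` tail.

```python
"""Minimal evaluator for Squid-style 'acl' and 'http_access' lines.

Added example (not from the mailing-list thread). It reproduces the
first-match semantics of http_access well enough to show which rule
accepts or rejects an explicit-proxy CONNECT request.
"""
import ipaddress
from dataclasses import dataclass

# Constructed configuration. The SSL_ports / Safe_ports / http_access deny
# lines are the ones quoted in the reply; the rest is assumed for the demo.
SQUID_CONF = """
acl SSL_ports port 443 563
acl Safe_ports port 80           # http (present in the stock squid.conf)
acl Safe_ports port 443 563      # https, snews
acl CONNECT method CONNECT
acl localnet src 192.168.1.0/24  # assumed client network
acl all src 0.0.0.0/0

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""


@dataclass
class Request:
    method: str   # e.g. "GET" or "CONNECT"
    port: int     # destination port the client asked for
    src: str      # client IP address


def parse_conf(text):
    """Return ({acl_name: (type, [values])}, [(action, [terms])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, acl_type, values = words[1], words[2], words[3:]
            kind, existing = acls.get(name, (acl_type, []))
            if kind != acl_type:
                raise ValueError(f"acl {name} redefined with a different type")
            acls[name] = (acl_type, existing + values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acl_type, values, req):
    """Does one ACL (a set of values of one type) match the request?"""
    if acl_type == "port":
        return req.port in {int(v) for v in values}
    if acl_type == "method":
        return req.method.upper() in {v.upper() for v in values}
    if acl_type == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"unsupported acl type: {acl_type}")


def term_matches(acls, term, req):
    """A term is an ACL name, optionally negated with a leading '!'."""
    negated = term.startswith("!")
    acl_type, values = acls[term.lstrip("!")]
    return acl_matches(acl_type, values, req) != negated


def http_access(conf, req):
    """Return (action, rule_text) for the first http_access line that matches.

    Every term on a line must match (logical AND). If no line matches,
    Squid applies the opposite of the last line's action.
    """
    acls, rules = parse_conf(conf)
    for action, terms in rules:
        if all(term_matches(acls, t, req) for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    last_action = rules[-1][0]
    fallback = "deny" if last_action == "allow" else "allow"
    return fallback, "default (opposite of last http_access line)"


if __name__ == "__main__":
    samples = [
        Request("CONNECT", 443, "192.168.1.10"),  # normal https via proxy
        Request("CONNECT", 80, "192.168.1.10"),   # tunnel to a non-SSL port
        Request("GET", 80, "192.168.1.10"),       # plain http
        Request("GET", 22, "192.168.1.10"),       # unsafe port
        Request("GET", 80, "10.0.0.5"),           # outside localnet
    ]
    for r in samples:
        action, why = http_access(SQUID_CONF, r)
        print(f"{r.method:8}port {r.port:<5}from {r.src:14} -> {action:5} ({why})")
```

Run it and the second sample shows the point of the quoted rule: a CONNECT to port 80 passes `!Safe_ports` (80 is a safe port) and is only stopped by `deny CONNECT !SSL_ports`, so a client cannot use the proxy as a generic tunnel. Note that none of this applies to the original poster's setup, where port 443 is redirected by iptables: a browser that has not been told about the proxy never sends a CONNECT at all, which is why port forwarding alone cannot work.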

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list