On ons, 2008-10-15 at 10:23 -0400, viveksnv@xxxxxx wrote: > My configuration is... > > http_port 0.0.0.0:3128 transparent > > https_port 0.0.0.0:3129 transparent > cert=/usr/local/squid-test/CA/servercert.pem > key=/usr/local/squid-test/CA/serverkey.pem > > Iptable rules are: > > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT > --to-port 3128 > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT > --to-port 3129 > > In cache.log > > Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, > FD 12. > Accepting HTTPS connections at 0.0.0.0, port 3129, FD 13 > > In access.log while accessing https://gmail.com > > TCP_MISS/200 2213 CONNECT gmail.com:443 This is not a transparently intercepted https request. This browser is configured to use the proxy. The https_port method will only work for transparently intercepted requests, not when the browser is configured to use the proxy. For this to work when the browser is configured to use the proxy you need the sslbump feature available in the upcoming 3.1 release. > But problem is now gmail not blocked... > > In http://gmail.com requests...it's blocked.. CONNECT requests is subject to the same http_access rules as http access. If GET http://gmail.com is blocked but CONNECT gmail.com:443 is not then check your access rules. A guess without seeing your ruleset is that you are using url_regex instead of dstdomain type acls.. Regards Henrik
Attachment:
signature.asc
Description: This is a digitally signed message part
