Hey Amos,

I made headway with the problem :).. I think the looping is happening because squid is proxying the https port traffic onto http port on the way out.

client----https=443---------->squid---------http=80----->origin server

I can see the external connection being set up on port 80 whereas it should have been on port 443. That is why the server keeps sending me back the same url to re-direct to.. This is my theory...What do you think about it?

Also how I can make squid to output the original port 443 traffic on port 443 when connecting to the external servers...I could see something you mentioned to another guy here
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-3-1-endless-loop-IIS-webserver-td4465329.html

This example was a reverse proxy example and might not work for me...Any suggestions?

I think we are about to crack it !!:)

-talha

On Fri, Apr 13, 2012 at 12:17 PM, Ahmed Talha Khan <auny87@xxxxxxxxx> wrote:
> What about the looping in the browser? Why getting re-directed to the
> same URL again? I have posted this as a separate question on the
> forum? How is it possible, in what configuration to access https pages
> while running squid? You may want to answer on the 2nd
> question..Thanks
>
> -talha
>
> On Fri, Apr 13, 2012 at 12:03 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 12/04/2012 10:08 p.m., Ahmed Talha Khan wrote:
>>>
>>> Also
>>> Will "transparent" work on https_port? The browser makes a connection of
>>> 443 which i redirect to squid. So will it let the webpages open? They
>>> are not opening for me
>>
>>
>> On Squid 3.0 and 2.x yes (3.1+ use "intercept" now). All it does is tell
>> Squid to lookup the local kernel NAT tables for client IP information
>> instead of trusting the TCP packet, and that the request should have some
>> other special origin server specific processing applied.
>>
>> The problem with https_port intercept has always been, and remains in the
>> current Squid, that the SSL certificate sent to the client does not match
>> the domain the client is contacting. They get a TLS security alert message
>> on every new connection attempt. The dynamic cert generation feature in 3.2
>> helps, but intercepted HTTPS still mostly lacks the domain name details the
>> generator needs to produce a valid cert (requires SSL SNI feature, which is
>> *legally* risky for most of us dev to implement, no technical problem).
>>
>> Amos
>>
>
>
>
> --
> Regards,
> -Ahmed Talha Khan

--
Regards,
-Ahmed Talha Khan