The default config restrict methods, not protocol. The problem can be translated as: what I've to put in 'acl allowed_protocols proto ...' to permit https traffic with CONNECT method? If I start Squid in debugging mode this is the trace with problems: kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth0 kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth1 kid1| Eui48.cc(303) lookup: Got address MAC on eth1 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff13776720 kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff13776720 kid1| Checklist.cc(153) preCheck: 0x1476118 checking slow rules kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking 'http_access deny Gopher' kid1| Acl.cc(336) matches: ACLList::matches: checking Gopher kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'Gopher' kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'Gopher' is 0 kid1| Acl.cc(339) matches: ACLList::matches: result is false kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0 kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking 'http_access deny !allowed_ports' kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_ports kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'allowed_ports' kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'allowed_ports' is 1 kid1| Acl.cc(339) matches: ACLList::matches: result is false kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0 kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking 'http_access deny !allowed_protocols' kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_protocols kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'allowed_protocols' kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for 'allowed_protocols' is 0 kid1| Acl.cc(343) matches: ACLList::matches: result is true kid1| Checklist.cc(275) matchNode: 0x1476118 matched=1 async=0 finished=0 kid1| Checklist.cc(260) matchNodes: 0x1476118 success: all ACLs matched kid1| Checklist.cc(146) markFinished: 0x1476118 answer DENIED for first matching rule won kid1| Checklist.cc(88) matchNonBlocking: ACLChecklist::check: 0x1476118 match found, calling back with DENIED kid1| Checklist.cc(182) checkCallback: ACLChecklist::checkCallback: 0x1476118 answer=DENIED kid1| Gadgets.cc(85) aclIsProxyAuth: aclIsProxyAuth: called for allowed_protocols kid1| Acl.cc(61) FindByName: ACL::FindByName 'allowed_protocols' kid1| Gadgets.cc(93) aclIsProxyAuth: aclIsProxyAuth: returning 0 kid1| Gadgets.cc(58) aclGetDenyInfoPage: got called for allowed_protocols kid1| Gadgets.cc(77) aclGetDenyInfoPage: aclGetDenyInfoPage: no match kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff13775b80 kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff13775b80 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff13775a60 kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff13775a60 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x1476118 kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x1476118 kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x1476118 kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x1476118 kid1| client_side.cc(784) swanSong: local=Y.Y.Y.Y:Y remote=X.X.X.X:X flags=1 Thank you On Tue, May 7, 2013 at 4:54 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > > On 8/05/2013 1:31 a.m., China wrote: >> >> Hi, >> I've some squid servers (until 3.1.20 version) which has the following >> configuration and works great: >> >> acl allowed_protocols proto HTTP HTTPS CONNECT FTP >> http_access deny !allowed_protocols >> >> After the upgrade to 3.3.3 version, sqiud print the following warning >> in the configuration check: >> >> WARNING: Ignoring unknown protocol 'CONNECT' in the ACL named >> 'allowed_protocols' > > > Squid does not at this time support URL starting with "connect://". That is all this means. The older versions accepted it, but did nothing with it. So it would seem to be unrelated to the actual problem you are now having. > > > >> and squid clients can't no more connect to HTTPS sites. > > > There is a CONNECT *method* in HTTP protocol, which is used to pass HTTPS traffic through HTTP proxies. > > Please check your http_access lines to see what they do when an HTTP request with method CONNECT happens. The default config provided with Squid restricts CONNECT requests to opening tunnels to a specific set of SSL_Ports where HTTPS is normally seen - if you have altered that set or changed the http_access lines those changes may be the cause of your problem. > > >> >> How can I check the protocols like configuration in old versions?-- > > > Please run "squid -k parse" on your squid.conf file. It should highlight any other problems you have in the config. > > > > Amos > -- Davide Belloni
