On 8/05/2013 3:13 a.m., China wrote:
The default config restrict methods, not protocol.
The problem can be translated as: what I've to put in 'acl
allowed_protocols proto ...' to permit https traffic with CONNECT
method?
Try "NONE". CONNECT URLs have no protocol scheme, just a TCP IP:port (or
FQDN:port).
I highly recommend you go back to the settings we distribute with Squid:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
These two rules prohibit traffic going to ports known to be unsafe for
HTTP traffic delivery, and prohibit CONNECT tunnels to ports where HTTPS
is not normally found.
You adjust them further by altering the contents of Safe_ports and
SSL_ports ACLs.
You seem to have renamed Safe_ports to allowed_ports for some reason,
and removed the controls on CONNECT.
Amos
If I start Squid in debugging mode this is the trace with problems:
kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth0
kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth1
kid1| Eui48.cc(303) lookup: Got address MAC on eth1
kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
destroyed 0x7fff13776720
kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
destroyed 0x7fff13776720
kid1| Checklist.cc(153) preCheck: 0x1476118 checking slow rules
kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
'http_access deny Gopher'
kid1| Acl.cc(336) matches: ACLList::matches: checking Gopher
kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking 'Gopher'
kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
'Gopher' is 0
kid1| Acl.cc(339) matches: ACLList::matches: result is false
kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0
kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch
kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
'http_access deny !allowed_ports'
kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_ports
kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
'allowed_ports'
kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
'allowed_ports' is 1
kid1| Acl.cc(339) matches: ACLList::matches: result is false
kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0
kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch
kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
'http_access deny !allowed_protocols'
kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_protocols
kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
'allowed_protocols'
kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
'allowed_protocols' is 0
kid1| Acl.cc(343) matches: ACLList::matches: result is true
kid1| Checklist.cc(275) matchNode: 0x1476118 matched=1 async=0 finished=0
kid1| Checklist.cc(260) matchNodes: 0x1476118 success: all ACLs matched
kid1| Checklist.cc(146) markFinished: 0x1476118 answer DENIED for
first matching rule won
kid1| Checklist.cc(88) matchNonBlocking: ACLChecklist::check:
0x1476118 match found, calling back with DENIED
kid1| Checklist.cc(182) checkCallback: ACLChecklist::checkCallback:
0x1476118 answer=DENIED
kid1| Gadgets.cc(85) aclIsProxyAuth: aclIsProxyAuth: called for
allowed_protocols
kid1| Acl.cc(61) FindByName: ACL::FindByName 'allowed_protocols'
kid1| Gadgets.cc(93) aclIsProxyAuth: aclIsProxyAuth: returning 0
kid1| Gadgets.cc(58) aclGetDenyInfoPage: got called for allowed_protocols
kid1| Gadgets.cc(77) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
destroyed 0x7fff13775b80
kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
destroyed 0x7fff13775b80
kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
destroyed 0x7fff13775a60
kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
destroyed 0x7fff13775a60
kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
destroyed 0x1476118
kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
destroyed 0x1476118
kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
destroyed 0x1476118
kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
destroyed 0x1476118
kid1| client_side.cc(784) swanSong: local=Y.Y.Y.Y:Y remote=X.X.X.X:X flags=1
Thank you
On Tue, May 7, 2013 at 4:54 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 8/05/2013 1:31 a.m., China wrote:
Hi,
I've some squid servers (until 3.1.20 version) which has the following
configuration and works great:
acl allowed_protocols proto HTTP HTTPS CONNECT FTP
http_access deny !allowed_protocols
After the upgrade to 3.3.3 version, sqiud print the following warning
in the configuration check:
WARNING: Ignoring unknown protocol 'CONNECT' in the ACL named
'allowed_protocols'
Squid does not at this time support URL starting with "connect://". That is all this means. The older versions accepted it, but did nothing with it. So it would seem to be unrelated to the actual problem you are now having.
and squid clients can't no more connect to HTTPS sites.
There is a CONNECT *method* in HTTP protocol, which is used to pass HTTPS traffic through HTTP proxies.
Please check your http_access lines to see what they do when an HTTP request with method CONNECT happens. The default config provided with Squid restricts CONNECT requests to opening tunnels to a specific set of SSL_Ports where HTTPS is normally seen - if you have altered that set or changed the http_access lines those changes may be the cause of your problem.
How can I check the protocols like configuration in old versions?--
Please run "squid -k parse" on your squid.conf file. It should highlight any other problems you have in the config.
Amos
--
Davide Belloni
