Good, that solved the problem! Thank you

On Tue, May 7, 2013 at 6:27 PM, China <davide.belloni@xxxxxxxxx> wrote:
> Ok, tomorrow morning I'll try and reply!
>
> Thanks again!
>
> On Tue, May 7, 2013 at 5:46 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 8/05/2013 3:13 a.m., China wrote:
>>>
>>> The default config restricts methods, not protocol.
>>>
>>> The problem can be translated as: what I've to put in 'acl
>>> allowed_protocols proto ...' to permit https traffic with CONNECT
>>> method?
>>
>>
>> Try "NONE". CONNECT URLs have no protocol scheme, just a TCP IP:port (or
>> FQDN:port).
>>
>>
>> I highly recommend you go back to the settings we distribute with Squid:
>>   http_access deny !Safe_ports
>>   http_access deny CONNECT !SSL_ports
>>
>> These two rules prohibit traffic going to ports known to be unsafe for HTTP
>> traffic delivery, and prohibit CONNECT tunnels to ports where HTTPS is not
>> normally found.
>> You adjust them further by altering the contents of Safe_ports and SSL_ports
>> ACLs.
>>
>> You seem to have renamed Safe_ports to allowed_ports for some reason, and
>> removed the controls on CONNECT.
>>
>>
>> Amos
>>
>>
>>> If I start Squid in debugging mode this is the trace with problems:
>>>
>>>
>>> kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth0
>>> kid1| Eui48.cc(262) lookup: Looking up ARP address for X.X.X.X on eth1
>>> kid1| Eui48.cc(303) lookup: Got address MAC on eth1
>>> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
>>> destroyed 0x7fff13776720
>>> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
>>> destroyed 0x7fff13776720
>>> kid1| Checklist.cc(153) preCheck: 0x1476118 checking slow rules
>>> kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
>>> 'http_access deny Gopher'
>>> kid1| Acl.cc(336) matches: ACLList::matches: checking Gopher
>>> kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
>>> 'Gopher'
>>> kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
>>> 'Gopher' is 0
>>> kid1| Acl.cc(339) matches: ACLList::matches: result is false
>>> kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0
>>> kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch
>>> kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
>>> 'http_access deny !allowed_ports'
>>> kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_ports
>>> kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
>>> 'allowed_ports'
>>> kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
>>> 'allowed_ports' is 1
>>> kid1| Acl.cc(339) matches: ACLList::matches: result is false
>>> kid1| Checklist.cc(275) matchNode: 0x1476118 matched=0 async=0 finished=0
>>> kid1| Checklist.cc(299) matchNode: 0x1476118 simple mismatch
>>> kid1| Checklist.cc(160) checkAccessList: 0x1476118 checking
>>> 'http_access deny !allowed_protocols'
>>> kid1| Acl.cc(336) matches: ACLList::matches: checking !allowed_protocols
>>> kid1| Acl.cc(319) checklistMatches: ACL::checklistMatches: checking
>>> 'allowed_protocols'
>>> kid1| Acl.cc(321) checklistMatches: ACL::ChecklistMatches: result for
>>> 'allowed_protocols' is 0
>>> kid1| Acl.cc(343) matches: ACLList::matches: result is true
>>> kid1| Checklist.cc(275) matchNode: 0x1476118 matched=1 async=0 finished=0
>>> kid1| Checklist.cc(260) matchNodes: 0x1476118 success: all ACLs matched
>>> kid1| Checklist.cc(146) markFinished: 0x1476118 answer DENIED for
>>> first matching rule won
>>> kid1| Checklist.cc(88) matchNonBlocking: ACLChecklist::check:
>>> 0x1476118 match found, calling back with DENIED
>>> kid1| Checklist.cc(182) checkCallback: ACLChecklist::checkCallback:
>>> 0x1476118 answer=DENIED
>>> kid1| Gadgets.cc(85) aclIsProxyAuth: aclIsProxyAuth: called for
>>> allowed_protocols
>>> kid1| Acl.cc(61) FindByName: ACL::FindByName 'allowed_protocols'
>>> kid1| Gadgets.cc(93) aclIsProxyAuth: aclIsProxyAuth: returning 0
>>> kid1| Gadgets.cc(58) aclGetDenyInfoPage: got called for allowed_protocols
>>> kid1| Gadgets.cc(77) aclGetDenyInfoPage: aclGetDenyInfoPage: no match
>>> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
>>> destroyed 0x7fff13775b80
>>> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
>>> destroyed 0x7fff13775b80
>>> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
>>> destroyed 0x7fff13775a60
>>> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
>>> destroyed 0x7fff13775a60
>>> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
>>> destroyed 0x1476118
>>> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
>>> destroyed 0x1476118
>>> kid1| FilledChecklist.cc(77) ~ACLFilledChecklist: ACLFilledChecklist
>>> destroyed 0x1476118
>>> kid1| Checklist.cc(334) ~ACLChecklist: ACLChecklist::~ACLChecklist:
>>> destroyed 0x1476118
>>> kid1| client_side.cc(784) swanSong: local=Y.Y.Y.Y:Y remote=X.X.X.X:X
>>> flags=1
>>>
>>>
>>> Thank you
>>>
>>>
>>> On Tue, May 7, 2013 at 4:54 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx>
>>> wrote:
>>>>
>>>> On 8/05/2013 1:31 a.m., China wrote:
>>>>>
>>>>> Hi,
>>>>> I've some squid servers (until 3.1.20 version) which have the following
>>>>> configuration and work great:
>>>>>
>>>>> acl allowed_protocols proto HTTP HTTPS CONNECT FTP
>>>>> http_access deny !allowed_protocols
>>>>>
>>>>> After the upgrade to 3.3.3 version, squid prints the following warning
>>>>> in the configuration check:
>>>>>
>>>>> WARNING: Ignoring unknown protocol 'CONNECT' in the ACL named
>>>>> 'allowed_protocols'
>>>>
>>>>
>>>> Squid does not at this time support URL starting with "connect://". That
>>>> is all this means. The older versions accepted it, but did nothing with it.
>>>> So it would seem to be unrelated to the actual problem you are now having.
>>>>
>>>>
>>>>
>>>>> and squid clients can no longer connect to HTTPS sites.
>>>>
>>>>
>>>> There is a CONNECT *method* in HTTP protocol, which is used to pass HTTPS
>>>> traffic through HTTP proxies.
>>>>
>>>> Please check your http_access lines to see what they do when an HTTP
>>>> request with method CONNECT happens. The default config provided with Squid
>>>> restricts CONNECT requests to opening tunnels to a specific set of SSL_Ports
>>>> where HTTPS is normally seen - if you have altered that set or changed the
>>>> http_access lines those changes may be the cause of your problem.
>>>>
>>>>
>>>>> How can I check the protocols like configuration in old versions?--
>>>>
>>>>
>>>> Please run "squid -k parse" on your squid.conf file. It should highlight
>>>> any other problems you have in the config.
>>>>
>>>>
>>>>
>>>> Amos
>>>>
>>>
>>>
>>> --
>>>
>>> Davide Belloni
>>
>>
>
>
> --
>
> Davide Belloni

--
Davide Belloni
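
Added example (not part of the original thread, and not Squid project code): a small Python audit of a squid.conf for the three issues raised above, namely CONNECT listed in a proto ACL, a "deny !proto-ACL" rule without NONE, and a missing port restriction on CONNECT tunnels. Both sample configs are constructed, the finding names are hypothetical, and the parser is simplified (no include files, ACL flags or quoted values).

```python
# Constructed sample in the style of the config described in the thread.
THREAD_STYLE_CONF = """\
acl allowed_ports port 80 443 21
acl allowed_protocols proto HTTP HTTPS CONNECT FTP
http_access deny !allowed_ports
http_access deny !allowed_protocols
"""

# Constructed sample following the advice given in the thread.
ADVISED_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT
acl allowed_protocols proto HTTP HTTPS FTP NONE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !allowed_protocols
"""

def parse(conf):
    """Return ({acl_name: (type, [values])}, [(action, [acl tokens])])."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "acl":
            # Repeated 'acl NAME' lines accumulate values under one name.
            acls.setdefault(tok[1], (tok[2], []))[1].extend(v.upper() for v in tok[3:])
        elif len(tok) >= 2 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def audit(conf):
    acls, rules = parse(conf)
    deny_rules = [t for action, t in rules if action == "deny"]
    findings = []
    for name, (kind, vals) in acls.items():
        if kind == "proto" and "CONNECT" in vals:
            # CONNECT is a method; 3.3.3 warns about it and ignores it.
            findings.append(("proto-lists-connect", name))
        if kind == "proto" and "NONE" not in vals and any("!" + name in t for t in deny_rules):
            # CONNECT requests carry no URL scheme, so this rule denies them.
            findings.append(("deny-blocks-connect", name))
    connect_acls = {n for n, (k, v) in acls.items() if k == "method" and "CONNECT" in v}
    def negated_port(tok):
        return tok.startswith("!") and acls.get(tok[1:], ("", []))[0] == "port"
    # Look for a rule shaped like 'http_access deny CONNECT !SSL_ports'.
    if not any(connect_acls & set(t) and any(map(negated_port, t)) for t in deny_rules):
        findings.append(("connect-not-port-restricted", None))
    return findings
```

Calling audit() on the first sample returns all three findings; on the second it returns an empty list.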