Thanks for the answers guys. Really should have looked in the cache.log first before posting here.

cache.log told me that there were errors while initialising SSL. After a bit of googling around, I changed https_port to http_port and squid binds everything correctly, as it seems that https_port is needed for reverse proxying only, and ssl_bump works fine with http_port?

To use the SSL features, I upgraded my squid 3.0 (Ubuntu package) to 3.2.11 using the package here: http://www.mydlp.com/squid-3-2-ssl-packages/

Using the same config as before, I am now ending up in "forwarding loops" when trying to access a page through the transparent non-ssl-bump port (client is getting 403). The same (non-SSL) access worked fine in the previous version though. Did something change during the ~3.2 version jump that affects this?

Cheers,
David

On Fri, Jun 21, 2013 at 6:20 PM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
> What version of squid?
> 'squid -v' output
> Also please tell us what is the purpose of the service?
> Is this service for ssl-bumping or just ssl reverse proxy?
> There should be something in the cache.log if there is a problem in binding a port.
>
> This is for squid 3.1:
> http://wiki.squid-cache.org/Features/SslBump
>
> and it states that you don't need https_port in order to do ssl-bump:
> "http_port 3128 ssl-bump cert=/usr/local/squid3/etc/site_priv+pub.pem"
> but in squid 3.3 it's more complicated.
>
> Do we have docs for that?
>
> Eliezer
>
>
> On 06/21/2013 09:46 AM, David Mohl wrote:
>> Okay guys,
>>
>> it looks like squid is not listening on port 443, even though the https_port directive is set to it.
>> I tried playing around with it and changed the port to a higher range, but same result.
>>
>> According to netstat, squid3 listens only to port 80 and 8000, which are set via the http_port directive, but somehow ignoring all the https_ports?
>>
>> Syslog / squid shows no binding / listening errors.
>>
>> Any ideas?
>>
>> Cheers,
>> David
>>
>> On Fri, Jun 21, 2013 at 3:46 PM, David Mohl <dave@xxxxxxx> wrote:
>>> Okay guys,
>>>
>>> it looks like squid is not listening on port 443, even though the https_port directive is set to it.
>>> I tried playing around with it and changed the port to a higher range, but same result.
>>>
>>> According to netstat, squid3 listens only to port 80 and 8000, which are set via the http_port directive, but somehow ignoring all the https_ports?
>>>
>>> Syslog / squid shows no binding / listening errors.
>>>
>>> Any ideas?
>>>
>>> Cheers,
>>> David
>>>
>>>
>>> On Fri, Jun 21, 2013 at 2:17 PM, David Mohl <dave@xxxxxxx> wrote:
>>>> Hey Squid users,
>>>>
>>>> For the last weeks, I've been fighting with Squid3 to get SSL running in a transparent environment. I followed multiple config guides but still seem to have problems getting the configuration running. My config file:
>>>>
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80          # http
>>>> acl Safe_ports port 21          # ftp
>>>> acl Safe_ports port 443         # https
>>>> acl Safe_ports port 70          # gopher
>>>> acl Safe_ports port 210         # wais
>>>> acl Safe_ports port 1025-65535  # unregistered ports
>>>> acl Safe_ports port 280         # http-mgmt
>>>> acl Safe_ports port 488         # gss-http
>>>> acl Safe_ports port 591         # filemaker
>>>> acl Safe_ports port 777         # multiling http
>>>> acl SSL method CONNECT
>>>> acl CONNECT method CONNECT
>>>> http_access deny !Safe_ports
>>>> acl whitelist dstdomain "/etc/squid3/whitelist"
>>>> http_access allow all whitelist
>>>> http_access deny all
>>>>
>>>> # SSL Bump
>>>> always_direct allow all
>>>> ssl_bump allow all
>>>> sslproxy_cert_error allow all
>>>> sslproxy_flags DONT_VERIFY_PEER
>>>>
>>>> # listening ports
>>>> http_port 80 transparent
>>>> http_port 8000
>>>> https_port 443 ssl-bump cert=/etc/squid3/ssl_cert/server.crt key=/etc/squid3/ssl_cert/server.key transparent
>>>> coredump_dir /var/spool/squid3
>>>>
>>>> Last week, using this configuration, I ended up getting "unknown protocol" errors, but I guess that was caused by something cached. When trying to use wget now, all I get is "connection refused".
>>>>
>>>> As far as I can tell, squid3 is correctly set up to listen to my https port, means it should at least give something else than "connection refused"? Maybe a certificate error on the client side? Or at least something. Ports (8080, 443, 80) are open and reachable.
>>>>
>>>> Any ideas on what I did wrong?
>>>>
>>>> Cheers,
>>>> David
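The check that would have shortened this thread, written out as an added example (it is not code from the thread or from the Squid project): pull every http_port/https_port directive out of a squid.conf, note whether each is an intercept/transparent or ssl-bump port, and diff the configured ports against the ones the daemon actually bound according to `netstat -tlnp`. The config text and the netstat output below are constructed to match what David reported (443 configured with ssl-bump, only 80 and 8000 bound); the function and class names are my own. A directive that is in the config but never bound is the cue to read cache.log rather than to keep changing port numbers.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed: the port directives from the squid.conf posted in the thread,
# including the backslash line continuation a mail client would introduce.
SQUID_CONF = """\
http_port 80 transparent   # intercepted plain HTTP
http_port 8000             # explicit forward proxy
https_port 443 ssl-bump cert=/etc/squid3/ssl_cert/server.crt \\
  key=/etc/squid3/ssl_cert/server.key transparent
coredump_dir /var/spool/squid3
"""

# Constructed: `netstat -tlnp` output on the box where squid3 bound only 80 and 8000.
NETSTAT_OUTPUT = """\
tcp  0  0 0.0.0.0:80    0.0.0.0:*  LISTEN  1234/squid3
tcp  0  0 0.0.0.0:8000  0.0.0.0:*  LISTEN  1234/squid3
tcp  0  0 0.0.0.0:22    0.0.0.0:*  LISTEN  900/sshd
"""


@dataclass
class PortDirective:
    directive: str                 # "http_port" or "https_port"
    port: int
    options: list[str] = field(default_factory=list)

    @property
    def mode(self) -> str:
        # 'transparent' is the pre-3.2 spelling of 'intercept'; both are listed.
        for opt in self.options:
            if opt in ("transparent", "intercept", "tproxy", "accel"):
                return opt
        return "forward"

    @property
    def ssl_bump(self) -> bool:
        return "ssl-bump" in self.options


def parse_port_directives(conf_text: str) -> list[PortDirective]:
    """Return the http_port/https_port directives in the order they appear."""
    # Fold backslash-newline continuations, then strip '#' comments per line.
    text = conf_text.replace("\\\n", " ")
    found: list[PortDirective] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^(https?_port)\s+(\S+)(.*)$", line)
        if not match:
            continue
        directive, spec, rest = match.groups()
        # spec may be "443", "1.2.3.4:443" or "[::1]:443"; the port is after the last colon.
        port = int(spec.rsplit(":", 1)[-1])
        found.append(PortDirective(directive, port, rest.split()))
    return found


def squid_listen_ports(netstat_text: str) -> set[int]:
    """Ports in LISTEN state whose owning program name contains 'squid'."""
    ports: set[int] = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[5] != "LISTEN" or "squid" not in cols[6]:
            continue
        ports.add(int(cols[3].rsplit(":", 1)[-1]))
    return ports


def unbound_directives(conf_text: str, netstat_text: str) -> list[PortDirective]:
    """Directives whose port squid never bound: the ones to look up in cache.log."""
    bound = squid_listen_ports(netstat_text)
    return [d for d in parse_port_directives(conf_text) if d.port not in bound]


def report(conf_text: str, netstat_text: str) -> list[str]:
    lines = []
    bound = squid_listen_ports(netstat_text)
    for d in parse_port_directives(conf_text):
        state = "bound" if d.port in bound else "NOT BOUND (check cache.log)"
        bump = " ssl-bump" if d.ssl_bump else ""
        lines.append(f"{d.directive} {d.port} [{d.mode}{bump}]: {state}")
    return lines


if __name__ == "__main__":
    for line in report(SQUID_CONF, NETSTAT_OUTPUT):
        print(line)
```

Run against the constructed data it flags `https_port 443 [transparent ssl-bump]` as not bound while both http_port entries are bound, which is exactly the state David described before he found the SSL initialisation errors in cache.log. Feed it the real `squid.conf` and the real `netstat -tlnp` output to use it on a live box.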