On 8/08/2014 8:55 a.m., squid@xxxxxxxxxxxxxxxxx wrote:
> Current config below:
>
>>> In my network I have unbound redirecting some sites through the proxy
>>> server and checking authentication. If I redirect www.thissite.com it
>>> works correctly. However, as soon as SSL is used (https://www.thissite.com)
>>> it doesn't resolve at all. Any ideas what I have to do to enable SSL
>>> redirects in unbound or squid?
>>
>> Handle port 443 traffic and the encrypted traffic there.
>> You are only receiving port 80 traffic in this config file.
>
> I am already redirecting 443 traffic but the proxy won't pick it up.
> There is an SSL ports directive in the squid.conf, so it should accept them?

You mean the SSL_Ports ACL? That only restricts HTTP "CONNECT" method tunnel
requests to the port(s) usually used by SSL. It does nothing to receive and
decrypt HTTPS in its native port 443 format.

Which is what you need to do, since your unbound server is claiming that your
Squid is the origin web server for that https:// traffic.

You are at least missing https_port and all the sslproxy_* directives for
outgoing HTTPS. Then also you are probably missing the TLS/SSL certificate
security keys, including any DNS entries for IPSEC, DNSSEC, DANE, HSTS etc.

> For example, this line redirects all HTTP traffic, but as soon as the
> browser wants an SSL connection, it is dropped:
> local-data: "anywhere.mysite.com. 600 IN A 109.xxx.xx.xxx"
> local-zone: "identity.mysite.com." redirect

Of course. Your Squid box is not listening on port 443 (HTTPS).

By using DNS in this way you are claiming that your 109.xxx.xx.xxx machine is
providing *all* services of that domain. Things naturally break when you
overlook one or more services your clients are using from it.

Amos
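For the reverse-proxy situation the reply describes (DNS pointing clients at the Squid box as if it were the origin server), an added squid.conf fragment showing the https_port and outgoing-TLS pieces Amos says are missing. This is example configuration written for this thread, not Amos's or the poster's config; Squid 3.x syntax is assumed, and the certificate paths, port names, the real origin hostname and the ACL names are placeholders.

```conf
# Added example config (not from the thread). Assumes Squid 3.x on the
# 109.xxx.xx.xxx box; paths, names and origin hostname are placeholders.

# Accept HTTPS on its native port, as the "origin" the DNS redirect claims
# Squid to be. The certificate must be valid for every redirected hostname
# (anywhere.mysite.com, identity.mysite.com, ...) or browsers will refuse it.
https_port 109.xxx.xx.xxx:443 accel vhost name=tls_in \
    cert=/etc/squid/ssl/mysite.pem key=/etc/squid/ssl/mysite.key

# Plain HTTP on port 80, which the existing config was already receiving.
http_port 109.xxx.xx.xxx:80 accel vhost name=plain_in

# Outgoing HTTPS from Squid to the real origin: verify the origin's
# certificate against a CA bundle instead of disabling verification.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
# Squid 3.x default is to refuse on any certificate error; left explicit here.
sslproxy_cert_error deny all

# The real origin(s) the redirected names belong to. 'ssl' makes the
# peer connection TLS; 'originserver' marks it as the origin, not a proxy.
cache_peer real-origin.example.net parent 443 0 no-query originserver ssl name=origin_tls
cache_peer real-origin.example.net parent 80  0 no-query originserver     name=origin_plain

# Only the hostnames unbound redirects to this box.
acl redirected_sites dstdomain anywhere.mysite.com identity.mysite.com

# Keep client-side protocol: HTTPS arrivals go to the TLS peer, HTTP to plain.
acl from_tls   myportname tls_in
acl from_plain myportname plain_in
cache_peer_access origin_tls   allow redirected_sites from_tls
cache_peer_access origin_tls   deny  all
cache_peer_access origin_plain allow redirected_sites from_plain
cache_peer_access origin_plain deny  all
never_direct allow redirected_sites

# The existing authentication ACLs and http_access rules from the poster's
# config belong here, above the final deny, and apply to both ports.
http_access allow redirected_sites
http_access deny all
```

With both ports configured, a client connecting to https://anywhere.mysite.com reaches Squid's TLS listener, is checked by the same http_access rules as port 80, and is forwarded to the origin over a verified TLS connection.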