Re: unbound and squid not resolving SSL sites

[Eliezer Croitoru <eliezer@xxxxxxxxxxxx>]

I wasn't sure but I am now.
You are doing something wrong and I cannot tell what exactly.
Try to share this script output:
http://www1.ngtech.co.il/squid/basic_data.sh

There are missing parts in the whole setup such as clients IP and server 
IP, what GW are you using etc..

Eliezer

On 08/19/2014 02:37 PM, squid@xxxxxxxxxxxxxxxxx wrote:
> > Take a look at:
> > http://wiki.squid-cache.org/EliezerCroitoru/Drafts/SSLBUMP
> >
> > Your squid.conf seems to be too incomplete to allow SSL-Bump to work.
> >
> > Eliezer
>
> I recompiled to 3.4.6 and ran everything in your page there.
> squid started correctly.
> However, it is the same problem. Any https page that I had configured
> does not resolve. It is being redirected by unbound but as soon as it
> hits the proxy, it just gets dropped somehow:
>
> # Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [5454:2633080]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
> -A INPUT -s 213.171.217.173/32 -p udp -m udp --dport 161 -m state
> --state NEW -j ACCEPT
> -A INPUT -p udp -m udp --dport 161 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 161 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
> -A INPUT -p udp -m udp --dport 3306 -m state --state NEW -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -m state --state NEW -j ACCEPT
> COMMIT
> # Completed on Tue Aug 19 03:14:13 2014
> # Generated by iptables-save v1.4.7 on Tue Aug 19 03:14:13 2014
> *nat
> :PREROUTING ACCEPT [23834173:1866373947]
> :POSTROUTING ACCEPT [22194:1519446]
> :OUTPUT ACCEPT [22194:1519446]
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
> -A POSTROUTING -s 0.0.0.0/32 -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Tue Aug 19 03:14:13 2014