To start with, either find the error in the log file or run tcpdump to capture the
traffic.
- CW
On 10/7/2014 11:51 AM, glenn.groves@xxxxxxxxxxxxxxx wrote:
Hi All,
We have a weird issue where https sites apparently don't respond (we get the message "this page can't be displayed"). This mainly affects google websites and, to a lesser extent, youtube. It has been reported that it may have affected some banking sites, but this is unconfirmed. We are running centos 6.5 with up-to-date squid from the centos repositories.
Here is the version of squid:
yum list installed | grep squid
squid.x86_64 7:3.1.10-20.el6_5.3
The https sites work fine if I put a direct hole in the firewall to allow internet traffic directly out - but this is not a solution.
Thanks, Glenn
Below is the conf file:
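### /etc/squid/squid.conf Configuration File ####
### cache manager
cache_mgr somone@xxxxxxxxx
### negotiate kerberos and ntlm authentication
# NOTE(review): "-d" on negotiate_wrapper / squid_kerb_auth and "--diagnostics" on
# ntlm_auth enable helper debug output; handy while troubleshooting, noisy in
# normal operation.
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/lib64/squid/squid_kerb_auth -i -d -s HTTP/proxycen.email.com
auth_param negotiate children 50
auth_param negotiate keep_alive off
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
auth_param ntlm children 200
# auth_param ntlm max_challenge_lifetime 5 minutes
auth_param ntlm keep_alive off
### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
# NOTE(review): the -b base DN ends with a space inside the quotes ("dc=com ");
# confirm that is intended, the helper receives it as part of the DN.
# The bind password is read from a file (-W) rather than passed on the command
# line, so it is not visible in process listings.
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=DOMAIN,dc=com " -D squid@xxxxxxxxx -W /etc/squid/ldappass.txt -f sAMAccountName=%s -h SERVER.email.com
auth_param basic children 100
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
### ldap authorisation
# external_acl_type memberof children=300 %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -b "dc=DOMAIN,dc=com,dc=au" -D squid@xxxxxxxxx -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g, ou=Internet,ou=DOMAIN Groups,ou=DOMAIN,dc=DOMAIN,dc=com,dc=au))" -h SERVER.email.com
### Squid Cache Manager
# the "info" manager page needs no password; the manager http_access rules
# below limit which source addresses can reach the manager at all
cachemgr_passwd none info
cache_dir aufs /var/spool/squid 30000 16 256
minimum_object_size 2 KB
maximum_object_size 10 MB
cache_swap_low 95
cache_swap_high 97
### acl for proxy auth and ldap authorizations
acl SSL method CONNECT
acl allowedsites dstdomain "/etc/squid/allowedsites.txt"
acl auth proxy_auth REQUIRED
# aclname acltype typename activedirectorygroup
# acl BlockedAccess external memberof "/etc/squid/blocked_access.txt"
# acl RestrictedAccess external memberof "/etc/squid/restricted_access.txt"
# acl StandardAccess external memberof "/etc/squid/standard_access.txt"
# acl ExceptionAccess external memberof "/etc/squid/exception_access.txt"
# acl FullAccess external memberof "/etc/squid/full_access.txt"
# acl AnonymousAccess external memberof "/etc/squid/anonymous_access.txt"
# acl allowedsites dstdomain "/etc/squid/allowedsites.txt"
# acl blockedsites dstdomain "/etc/squid/blockedsites.txt"
# acl exceptedsites dstdomain "/etc/squid/exceptedsites.txt"
acl prioritysites dstdomain "/etc/squid/prioritysites.txt"
### squid defaults
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl allowedsite124 src 192.168.124.0/24
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 17500 # dropbox
#http_access deny CONNECT !SSL_ports
#http_access allow SSL_ports
acl CONNECT method CONNECT
acl cacheadmin src 192.168.11.221 192.168.8.175
# cache manager: reachable from localhost and the two cacheadmin hosts only
http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager
# http_access is first-match: the port safety checks must come before any
# allow rule, otherwise traffic matched by that allow rule skips them
# (reaching arbitrary ports, or tunnelling CONNECT to non-443 ports)
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# allowedsites need no proxy authentication; keep this rule below the two
# port checks above so those sites are still subject to them
http_access allow allowedsites
http_access allow localhost
### http_access rules
# allow unrestricted access to prioritysites
http_access allow prioritysites
# enforce authentication, order of rules is important for authorization levels
# the whole 192.168.124.0/24 subnet is allowed without proxy authentication
# (assumed intentional - confirm)
http_access allow allowedsite124
http_access deny !auth
# prevent access to basic auth prompt for BlockedAccess users
# http_access deny BlockedAccess all
# http_access allow allowedsites
# http_access deny RestrictedAccess all
# http_access allow AnonymousAccess auth
# http_access allow FullAccess auth
# http_access allow exceptedsites ExceptionAccess auth
# http_access deny blockedsites
# http_access allow StandardAccess auth
http_access allow auth
# http_access deny !auth
# DO NOT REMOVE THE FOLLOWING LINE
http_access deny all
### logging
access_log /var/log/squid/access.log squid
### Set memory manually, to allow it to use more of the system
cache_mem 1024 MB
### squid Debian defaults
http_port 8080
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320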
[root@proxycen squid]#