[plain text version; sorry for the inconvenience]

I've searched through the internets and tried various things... to no avail. Hopefully someone here can point me in the right direction.

I am sitting behind a proxy, which accepts http/https. Everything else is blocked. If I instruct my browser to use this proxy, everything works dandy. Both http and https.

The problem is, I have a few apps that don't have an option to set a proxy. So, my idea was to set up squid on the local machine that would transparently redirect http/https to the proxy. E.g. something like this:

    [ local_box: app (http or https) ---> squid ] -----> [ the_proxy ] -----> ... -----> [ internets ]

I have no control of the proxy, nor do I know what goes on after it.

I have the following iptables rules:

    *nat
    :PREROUTING ACCEPT [1:89]
    :INPUT ACCEPT [1:89]
    :OUTPUT ACCEPT [549:34321]
    :POSTROUTING ACCEPT [624:38821]
    -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
    -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
    COMMIT

And my squid.conf is mostly garden variety:

    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl Safe_ports port 901         # SWAT
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    coredump_dir /var/cache/squid
    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320
    cache deny all
    cache_peer proxy parent 3128 0 no-query no-digest default
    never_direct allow all
    http_port 3128
    http_port 3129 intercept
    https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/ssl/squid/cert.pem key=/etc/ssl/squid/key.pem

I've generated the certs and run ssl_crtd to init the ssl db dirs.

To verify squid is working, I've changed my browser proxy settings to 127.0.0.1:3128 for http and https. Everything works like a charm.

This is where the "fun" begins:

==========

Without the proxy settings, http also works just fine -- in both the browser and the wget command. Https on the other hand is fubar. In the browser I get an "Unsupported Request Method and Protocol" error (after accepting the "invalid" certificate). With wget I get:

    local_box [~] wget https://google.com --no-check-certificate
    --2014-11-05 20:21:12--  https://google.com/
    Resolving google.com... 74.125.196.138, 74.125.196.139, 74.125.196.101, ...
    Connecting to google.com|74.125.196.138|:443... connected.
    WARNING: cannot verify google.com's certificate, issued by ‘/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd’:
      Self-signed certificate encountered.
    WARNING: certificate common name ‘’ doesn't match requested host name ‘google.com’.
    HTTP request sent, awaiting response... 501 Not Implemented
    2014-11-05 20:21:12 ERROR 501: Not Implemented.

access.log says:

    1415236731.852     19 10.0.0.13 TCP_MISS/501 4255 GET https://www.google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html

==========

If I add 'ssl_bump server-first all' to squid.conf, then whenever I try to pull up an https page, it barfs with:

    2014/11/05 20:22:28| assertion failed: forward.cc:785: "peer->use_ssl"
    Aborted

==========

If I change it to 'ssl_bump client-first all', I get "Unable to forward this request at this time" in the browser. And wget says:

    local_box [~] wget https://google.com --no-check-certificate
    --2014-11-05 20:26:53--  https://google.com/
    Resolving google.com... 74.125.196.101, 74.125.196.100, 74.125.196.139, ...
    Connecting to google.com|74.125.196.101|:443... connected.
    WARNING: cannot verify google.com's certificate, issued by ‘/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd’:
      Self-signed certificate encountered.
    WARNING: certificate common name ‘74.125.196.101’ doesn't match requested host name ‘google.com’.
    HTTP request sent, awaiting response... 503 Service Unavailable
    2014-11-05 20:26:53 ERROR 503: Service Unavailable.

access.log says:

    1415237271.133      0 10.0.0.13 TCP_MISS/503 3840 GET https://google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html

==========

And so after endless searching and searching and trying various things I came here. Could you please help me figure out why it is not working?

Thank you.

-D

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
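The two access.log lines quoted in the post carry the most useful diagnostic data in the thread: the hierarchy field (FIRSTUP_PARENT/10.64.252.14) shows which hop produced the response, and the method/URL pair shows how Squid represented the intercepted HTTPS request when it relayed it. The following Python script, added here as an illustration and not code from the poster or from the Squid project, parses Squid's native access.log layout, tallies requests by scheme, method, hierarchy and status, and flags https:// URLs that went to a parent peer as a non-CONNECT request and came back with a 5xx. The sample log embeds the two lines from the post plus one constructed successful plain-http entry for contrast; the flagging rule is a heuristic I chose for this example, not a Squid feature.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Squid native access.log layout, one request per line:
#   timestamp elapsed_ms client code/status bytes method url user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    code: str       # e.g. TCP_MISS
    status: int     # HTTP status returned to the client
    size: int
    method: str
    url: str
    hier: str       # e.g. FIRSTUP_PARENT, DIRECT
    peer: str       # address of the hop that served the request
    ctype: str

    @property
    def scheme(self) -> str:
        # "https://www.google.com/" -> "https"; CONNECT targets (host:port) have no scheme
        return self.url.split("://", 1)[0].lower() if "://" in self.url else ""


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        ts=float(m["ts"]), elapsed_ms=int(m["elapsed"]), client=m["client"],
        code=m["code"], status=int(m["status"]), size=int(m["size"]),
        method=m["method"], url=m["url"], hier=m["hier"], peer=m["peer"],
        ctype=m["ctype"],
    )


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def summarize(entries) -> Counter:
    """Count (scheme, method, hierarchy, status) so an unhealthy path stands out at a glance."""
    return Counter((e.scheme, e.method, e.hier, e.status) for e in entries)


def flag_https_errors_via_parent(entries) -> list:
    """Heuristic (assumption of this example): an https:// URL relayed to a parent peer
    as a plain request (not CONNECT) that the parent answered with a 5xx status."""
    return [
        e for e in entries
        if e.scheme == "https" and e.method != "CONNECT"
        and e.hier.endswith("PARENT") and 500 <= e.status <= 599
    ]


# Constructed sample: the two lines quoted in the post plus one made-up successful http entry.
SAMPLE_LOG = """\
1415236700.000 120 10.0.0.13 TCP_MISS/200 5120 GET http://example.com/ - FIRSTUP_PARENT/10.64.252.14 text/html
1415236731.852 19 10.0.0.13 TCP_MISS/501 4255 GET https://www.google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html
1415237271.133 0 10.0.0.13 TCP_MISS/503 3840 GET https://google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (scheme, method, hier, status), n in sorted(summarize(entries).items()):
        print(f"{n:3d}  scheme={scheme:<5} method={method:<7} via={hier:<14} status={status}")
    for e in flag_https_errors_via_parent(entries):
        print(f"FLAG {e.url} -> {e.status} from {e.hier}/{e.peer} ({e.elapsed_ms} ms)")
```

Run it directly to see the tally and the two flagged lines; pointing `parse_log` at a real access.log (with the default native format) gives the same breakdown over a full day's traffic, which is a quicker way to separate "the parent refused it" from "Squid never reached the parent" than reading wget output one request at a time.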