On 21/06/2016 2:02 a.m., Jobin George wrote:
> Hi,
>
> I am trying to set up squid3 as an HTTPS proxy using the tutorial given [here][1]. I have properly set up the proxy settings in my browser and when I try to hit **HTTP** web sites, I am able to connect successfully. However, I keep getting a "Connection timed out error" whenever I hit an **HTTPS** protocol web site and the following error in my `/var/log/squid3/cache.log`:
>
> 2016/06/20 19:12:47| NF getsockopt(SO_ORIGINAL_DST) failed on local=<local_ip_address>:3129 remote=<remote_ip_address>:55209 FD 8 flags=33: (92) Protocol not available
>

This error is about misconfigured NAT. For an interception proxy you MUST do the NAT on the same machine Squid is running on. *route* the packets to that machine, do not NAT or "port forward" them.

<http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>

> Here is my /etc/squid3/squid.conf file (commented lines removed for brevity):
>
> --------------------------------------------------------------------------------
>
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
> auth_param basic casesensitive off
> auth_param basic credentialsttl 2 hours
>
> acl user_auth proxy_auth REQUIRED
>
> http_access allow user_auth
>

Authentication and interception are mutually exclusive features.

> http_access allow localhost
> http_access allow all

What is the point of authenticating if clients that passed garbage credentials and failed authentication are allowed to use the proxy anyway?

> http_port 3127

If your browser is configured to use Squid as its HTTP proxy then the traffic will be going in through this port. Which has no ssl-bump options telling Squid to bump the HTTPS CONNECT messages.

> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/example.com.private cert=/etc/squid3/example.com.cert
>
> ssl_bump server-first all
> sslproxy_flags DONT_VERIFY_PEER

Remove the "DONT_VERIFY_PEER".

> sslproxy_cert_error deny all

That is the default setting for cert error handling. Remove the above line.

> always_direct allow all
>

That has not been needed with bumping since Squid-3.1. Remove the above.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
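A squid.conf skeleton that applies the points raised in the reply above, added here as an example; it is not Jobin's posted configuration, not Amos's, and not taken from the Squid project's documentation. The port names `explicit` and `intercepted`, the ACL names, and the 192.0.2.0/24 LAN range are assumptions made for illustration; the certificate paths and the password file path are the ones from the posted config.

```conf
# Added example (not from the original thread). Assumed names: port names
# "explicit" / "intercepted", ACLs explicit_port / intercept_port / localnet,
# and the LAN range 192.0.2.0/24 (RFC 5737 documentation range).

# Explicit proxy port, the one the browser is configured to use.
# ssl-bump here is what lets Squid bump the CONNECT tunnels browsers send for HTTPS.
http_port 3127 name=explicit ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/example.com.cert key=/etc/squid3/example.com.private

# Intercepted HTTPS port. Authentication is impossible on this port, so none is
# attempted for it below. The NAT REDIRECT must run on the Squid host itself
# (the wiki page linked in the reply shows this pattern), for example:
#   iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3129
# Any router in between only routes packets to this host; it must not NAT them,
# otherwise SO_ORIGINAL_DST has nothing to return and the cache.log error appears.
https_port 3129 intercept name=intercepted ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/example.com.cert key=/etc/squid3/example.com.private

# Bumping mode as used in the original post, kept unchanged.
ssl_bump server-first all
# Deliberately absent, per the reply:
#   sslproxy_flags DONT_VERIFY_PEER   (origin certificates must be verified)
#   sslproxy_cert_error deny all      (already the default)
#   always_direct allow all           (not needed for bumping since Squid-3.1)

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
auth_param basic casesensitive off
auth_param basic credentialsttl 2 hours

acl localnet src 192.0.2.0/24
acl explicit_port myportname explicit
acl intercept_port myportname intercepted
acl user_auth proxy_auth REQUIRED

http_access allow localhost
# Explicit port: credentials required. proxy_auth is last in the rule so a 407
# challenge is sent when credentials are missing or wrong.
http_access allow explicit_port user_auth
# Intercepted port: cannot authenticate, so limit by source network instead.
http_access allow intercept_port localnet
# Final deny instead of "allow all", so a failed authentication actually fails.
http_access deny all
```

Check the syntax before reloading with `squid3 -k parse` (or `squid -k parse`, depending on the package's binary name); it reports unknown directives and bad port options without starting the proxy.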