On 30/06/18 16:54, CZ Huang wrote:
> I used the following command to send requests (see details below) but got
> "HTTP/1.1 403 Forbidden".
>
> curl https://www.online.citi.com -x https://10.192.197.200:3130 --verbose
> --proxy-insecure
>
> I understand the error was caused by "CONNECT 10.192.197.200:3130 HTTP/1.1".
> But curl did not send it so where did it come from?

It came from your machine's NAT system, in combination with SSL-Bump.

>
> If I change "https_port 10.192.197.200:3130 ssl-bump intercept" to
> "https_port 10.192.197.200:3130" in the config file, then there is no error
> (proxy does not take part in the 2nd SSL handshake anymore).
>
> Please help me fix the errors. Thanks!
>

The error is that you told Squid to contact the system NAT tables to find out
where the client connection was going (the "intercept" option on http_port)
without having configured any NAT rules, AND when testing explicit-proxy
message syntax with curl.

<http://www.squid-cache.org/Doc/config/http_port/>
"
  Modes:
    intercept  Support for IP-Layer NAT interception delivering
               traffic to this Squid port.
"

You do not use NAT, so "intercept" is absolutely the wrong thing to be
configuring. That is why removing it "fixed" the problem.

If you intend the proxy to be an explicit/forward proxy, then removal of the
"intercept" option is your full solution.

If you intend the proxy to be intercepting traffic, then you need to start
there and get the NAT intercept part working _first_. Things that work for
explicit/forward proxy don't work with intercept, and the reverse. So it's
just a waste of effort testing irrelevant traffic "modes".

Amos

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
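An added illustration of the two-mode split Amos describes (not from the thread or the Squid project): a squid.conf fragment with one explicit/forward listener that curl's -x can be pointed at, and a separate intercept listener that is only ever reached through a NAT rule on the Squid host. It assumes Squid 4 option spelling (tls-cert=/tls-key=; Squid 3.5 uses cert=/key=), a Linux box doing the REDIRECT locally, and placeholder paths, ports and client range.

```conf
# Added example, not from the squid-users thread or the Squid documentation.
# One listener per traffic mode, so explicit-proxy tests with "curl -x" can
# never land on the intercept port. Squid 4 option names are assumed
# (tls-cert=/tls-key=; Squid 3.5 spells them cert=/key=). Certificate paths,
# port 3131 and the 10.192.197.0/24 client range are placeholders.

# 1) Explicit/forward proxy over TLS. This is the only port a client (or a
#    "curl -x https://10.192.197.200:3130 --proxy-insecure" test) should be
#    pointed at. No "intercept": Squid parses the CONNECT the client sends.
https_port 10.192.197.200:3130 ssl-bump \
    tls-cert=/etc/squid/proxy-ca.pem tls-key=/etc/squid/proxy-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# 2) Transparent interception on a different port. Nothing connects here
#    directly; the only valid traffic is what the kernel NAT table REDIRECTs,
#    because Squid asks that table where the client was really going and
#    rejects the request when no NAT entry exists (the 403 seen in the thread).
#    The NAT rule must be on the Squid host itself and exist before any
#    intercept traffic is tested, e.g.:
#      iptables -t nat -A PREROUTING -s 10.192.197.0/24 -p tcp --dport 443 \
#          -j REDIRECT --to-port 3131
https_port 3131 intercept ssl-bump \
    tls-cert=/etc/squid/proxy-ca.pem tls-key=/etc/squid/proxy-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Bumping policy shared by both listeners: peek at the ClientHello first
# (SNI becomes available), then bump.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
```

Testing order follows Amos's advice: confirm the explicit port with curl -x first, then verify the NAT rule delivers port-443 traffic to 3131 before judging intercept behaviour.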