You probably meant 4.5...
http://www1.ngtech.co.il/repo/centos/7/x86_64/squid-4.5-1.el7.x86_64.rpm

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Amos Jeffries
Sent: Wednesday, January 2, 2019 12:01
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: https debug

On 2/01/19 10:30 pm, Sampei wrote:
> About way to use https protocol I think I use connect tunnel, here

When a CONNECT tunnel is being used and not SSL-Bump'ed then all TLS
related issues are problems with one of the endpoint software. Not
related to the proxy at all. Squid is just blindly relaying the TLS
bytes as-is between the endpoints.

That said, some specific configs may encounter issues due to explicitly
telling Squid to do certain things which cannot be done to CONNECT
tunnels (eg. URL-rewrite, ACL checks of path strings), or to deny the
CONNECT which obviously would make the TLS not "work" at all.

I suspect that in your case some other port is involved which you do
not know about and are thus not letting through Squid. The access.log
should show what Squid is dealing with there.

> partial of my squid.conf
>
>
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> ...
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> ...
> http_access deny CONNECT !SSL_ports

Okay, but should be following the Safe_ports check. The default config
orders these checks by how common it is to encounter the attack types
they exist to prevent.

> http_access deny CONNECT !Safe_ports

The default config uses this instead:

  http_access deny !Safe_ports

The purpose of this Safe_ports ACL is to prevent the proxy handling
*any* traffic for protocols whose traffic syntax directly conflicts
with HTTP traffic syntax.
By limiting this check to only CONNECT messages, you are opening your
proxy to most of the attacks the Safe_port ACL was designed to prevent.

> acl test dstdomain example.com
> http_access allow test
> http_access allow CONNECT test

This latter is pointless. "test" was already allowed, so this line is
never reached by any traffic which it can match.

> I think to upgrade 4.x Squid but I'm looking for valid repository for
> Centos 7 which contains this pkg.

The official repositories for CentOS are detailed at
<https://wiki.squid-cache.org/KnowledgeBase/CentOS>
(I see that page needs an update; Eliezer now has 4.4 in his main
CentOS repository <http://www1.ngtech.co.il/repo/centos/7/x86_64/>)

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
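The two points Amos makes above (the Safe_ports check must apply to every method, not only CONNECT, and `http_access allow CONNECT test` can never be the first match once `allow test` precedes it) come down to how Squid walks its `http_access` list. The following Python is an added example written for this page, not code from the thread or from Squid: it models Squid's documented first-match semantics (lines tried top to bottom, all ACL terms on a line ANDed, `!` negates, no match means the opposite of the last line) over the ACLs quoted in the thread, compares the posted ordering with the default-style ordering, and generalizes the "never reached" remark into a small static check for dead lines. The request shapes, the `Request` class and the rule lists are constructed here; `RECOMMENDED_RULES` is an assumption of how the posted lines would look after following the advice, with Squid's usual `deny all` tail.

```python
"""Toy model of Squid's http_access evaluation over the ACLs quoted in the
thread. Added example, not Squid code. Assumed semantics (as documented by
Squid): lines are tried top to bottom, every ACL term on a line must match
(AND), a leading '!' negates a term, the first fully matching line decides,
and if no line matches the result is the opposite of the last line."""
from dataclasses import dataclass

# ACL definitions from the quoted squid.conf, plus Squid's built-in
# "acl CONNECT method CONNECT"; the built-in "all" ACL is handled below.
ACLS = {
    "SSL_ports": ("port", {443, 563}),
    "Safe_ports": ("port", {80, 21, 443}),
    "CONNECT": ("method", {"CONNECT"}),
    "test": ("dstdomain", {"example.com"}),
}

# The http_access lines in the order the poster quoted them (others elided).
POSTED_RULES = [
    "http_access deny CONNECT !SSL_ports",
    "http_access deny CONNECT !Safe_ports",
    "http_access allow test",
    "http_access allow CONNECT test",
]

# Assumed rewrite following the advice: Safe_ports first and for every
# method, then the CONNECT-only SSL_ports check, then Squid's usual tail.
RECOMMENDED_RULES = [
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access allow test",
    "http_access deny all",
]


@dataclass(frozen=True)
class Request:
    method: str   # "GET", "CONNECT", ...
    host: str     # destination host
    port: int     # destination port


def acl_matches(name, req):
    """Does a single, non-negated ACL match the request?"""
    if name == "all":          # Squid's built-in catch-all ACL
        return True
    kind, values = ACLS[name]
    field = {"port": req.port, "method": req.method, "dstdomain": req.host}[kind]
    return field in values


def parse_line(line):
    """'http_access deny CONNECT !SSL_ports' -> ('deny', ['CONNECT', '!SSL_ports'])"""
    directive, action, *terms = line.split()
    assert directive == "http_access" and action in ("allow", "deny")
    return action, terms


def term_matches(term, req):
    negated = term.startswith("!")
    return acl_matches(term.lstrip("!"), req) != negated


def evaluate(rules, req):
    """Return (action, index of the deciding line); the index is None when no
    line matched and the opposite-of-last-line default applied."""
    for idx, line in enumerate(rules):
        action, terms = parse_line(line)
        if all(term_matches(t, req) for t in terms):
            return action, idx
    last_action, _ = parse_line(rules[-1])
    return ("deny" if last_action == "allow" else "allow"), None


def shadowed_lines(rules):
    """Static lint: line j is dead if an earlier line i uses a subset of j's
    terms, since any request matching j already matched i. This is a
    sufficient check only; overlaps between different ACL names are not seen."""
    parsed = [set(parse_line(r)[1]) for r in rules]
    dead = []
    for j, terms_j in enumerate(parsed):
        for i in range(j):
            if parsed[i] <= terms_j:
                dead.append((j, i))
                break
    return dead


if __name__ == "__main__":
    # A plain (non-CONNECT) request to a port that is not in Safe_ports.
    smtp_get = Request("GET", "example.com", 25)
    print("posted:     ", evaluate(POSTED_RULES, smtp_get))       # ('allow', 2)
    print("recommended:", evaluate(RECOMMENDED_RULES, smtp_get))  # ('deny', 0)
    print("dead lines: ", shadowed_lines(POSTED_RULES))           # [(3, 2)]
```

Run as a script it shows the gap Amos describes: with the posted ordering a non-CONNECT request to port 25 on an allowed domain sails through `allow test`, because both `deny` lines only fire for CONNECT; with the Safe_ports check made method-independent the same request is refused on the first line. `shadowed_lines` reports `(3, 2)`: line 3 (`allow CONNECT test`) is shadowed by line 2 (`allow test`), which is exactly why it is pointless.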