[squid-users] https_port Connection reset by peer; http_port works
Amos Jeffries
squid3 at treenet.co.nz
Sun Apr 23 16:03:25 UTC 2017
On 23/04/17 04:32, chiasa.men wrote:
> Hello folks
>
> I tried to encrypt the connection between client and squid. Therefore I
> generated certificates which are accepted by the clients and configured squid
> as follows:
>
> Squid.conf
> https_port 10.0.13.10:8443 cert=/cert.pem key=/cert.key
> http_port 10.0.13.10:8080
> http_access allow all
>
> My following tests show that I can use the http port for internet access but
> the https port won't work.
> openssl s_client -connect proxy:8443
> # Verify return code: 0 (ok)
>
> export https_proxy="proxy:8443"
> export http_proxy="proxy:8080"
> curl https://www.google.de
> # curl: (56) Recv failure: Connection reset by peer
> curl http://www.google.de
> # works
>
> export https_proxy="proxy:8443"
> export http_proxy="$https_proxy"
> curl https://www.google.de
> # curl: (56) Recv failure: Connection reset by peer
> curl http://www.google.de
> # curl: (56) Recv failure: Connection reset by peer
>
> export http_proxy="proxy:8080"
> export https_proxy="$http_proxy"
> curl https://www.google.de
> # works
> curl http://www.google.de
> # works
>
> What did I do wrong? Do I misunderstand something regarding the configuration
> options?

You appear not to be using curl correctly.

Test #1 and #3 show that curl is probably sending the https:// requests
through port 8080 on your proxy as a CONNECT request. Check that in your
Squid log to confirm.

Test #2 is misconfigured. Port 8443 on your proxy is not able to accept
plain-text traffic.

AFAIK the "https_proxy" environment variable is a custom thing invented
by Google as part of their insistence not to allow users to configure
TLS to a proxy via the Chrome GUI. It is not part of the normal POSIX
environment like http_proxy is. So you cannot rely on non-browser tools
like curl supporting it.

Amos
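
An added example, not part of either message and not Squid or curl code: a shell script that compares what a client will speak on the first hop with what each listener in the quoted squid.conf expects, which is the mismatch behind "port 8443 on your proxy is not able to accept plain-text traffic". It assumes a proxy value with no scheme is treated as plain http://, as curl documents; the function names and the https://proxy:8443 value are constructed for illustration.

```shell
# Constructed copy of the squid.conf lines quoted in the thread.
SQUID_CONF='https_port 10.0.13.10:8443 cert=/cert.pem key=/cert.key
http_port 10.0.13.10:8080
http_access allow all'

# listener_mode PORT: "tls" for https_port, "plain" for http_port, else "none".
listener_mode() {
    while read -r lm_directive lm_addr lm_rest; do
        case "$lm_directive" in http_port|https_port) ;; *) continue ;; esac
        if [ "${lm_addr##*:}" = "$1" ]; then
            if [ "$lm_directive" = https_port ]; then echo tls; else echo plain; fi
            return 0
        fi
    done <<EOF
$SQUID_CONF
EOF
    echo none
}

# client_mode PROXY: what the client speaks to the proxy itself.
# Assumption: a value with no scheme is treated as http:// (plain text).
client_mode() {
    case "$1" in https://*) echo tls ;; *) echo plain ;; esac
}

# proxy_port PROXY: port part of host:port, with scheme and path stripped.
proxy_port() {
    pp_hostport="${1#*://}"
    pp_hostport="${pp_hostport%%/*}"
    echo "${pp_hostport##*:}"
}

# check_proxy PROXY: compare the client's first-hop protocol with the listener.
check_proxy() {
    cp_client=$(client_mode "$1")
    cp_listener=$(listener_mode "$(proxy_port "$1")")
    case "$cp_listener" in
        none) echo "no-listener" ;;
        "$cp_client") echo "ok" ;;
        *) echo "mismatch:client=$cp_client,listener=$cp_listener" ;;
    esac
}

# Proxy values from the thread, plus one constructed https:// form.
for value in proxy:8443 proxy:8080 https://proxy:8443; do
    printf '%-20s %s\n' "$value" "$(check_proxy "$value")"
done
```

A "mismatch" line means the client would send plain-text HTTP to a listener that expects a TLS handshake first, which is consistent with the "Connection reset by peer" results quoted above.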