[squid-users] Cannot access https site
rentorbuy at yahoo.com
Mon May 15 15:53:50 UTC 2017
My goal is to set up Squid so it can act as a transparent proxy for local clients browsing the web. It should "deny all" except traffic to the destination domains included in an ACL file.
This is my squid config:
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl intercepted myportname 3129
acl interceptedssl myportname 3130
acl allowed_domains dstdomain "/usr/local/share/proxy-settings/allowed.domains"
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny !allowed_domains
http_access allow localnet
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
always_direct allow all
The ACL file allowed.domains contains:
When a client in localnet tries to access http://www.squid-cache.org, everything works fine, as expected.
However, when the same client tries to access https://stackexchange.com, the first SQUID error page says that access is denied to https://220.127.116.11/* (that's one of stackexchange's IP addresses).
How can I avoid this?
If I add 18.104.22.168 to allowed.domains I get a SQUID SSL handshake error page with https://*.stackexchange.com/* (bad write retry).
What am I doing wrong?
Also, would I have performance issues if the "allowed.domains" ACL file becomes very big over time?
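As an added example (not the poster's config or anything from the Squid project), one way to arrange the http_access rules so the first check on an intercepted TLS connection is not decided on the bare server IP; it reuses the post's ACL and port names, assumes the post's ssl_bump stare/bump lines stay in place so every intercepted connection is decrypted, and should be verified against your own Squid version.

```conf
# Added example, not the poster's config. Reuses the post's ACL names
# (localnet, intercepted, interceptedssl, allowed_domains) and assumes its
# "ssl_bump stare all" / "ssl_bump bump all" lines are kept unchanged.
#
# Why the poster sees "access denied to https://<IP>/*": on an intercepted
# TLS connection the first http_access check runs on a fake CONNECT whose
# only known destination is the server IP (SslBump step 1, before the
# ClientHello and its SNI have been read). A dstdomain ACL has no hostname
# to compare against at that point, so "deny !allowed_domains" fires.
acl CONNECT method CONNECT

http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

# Let the IP-only fake CONNECT from LAN clients through. This is acceptable
# only because ssl_bump bumps everything: the decrypted requests inside the
# tunnel carry the real hostname and are checked by the next rule.
# Do not combine this with "ssl_bump splice"; a spliced tunnel would bypass
# the domain list entirely.
http_access allow interceptedssl localnet CONNECT

# Domain list enforced on plain HTTP and on the decrypted HTTPS requests.
http_access deny !allowed_domains
http_access allow localnet
http_access deny all
```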