[squid-users] cannot access squid with https_port: 403

fansari nabil1385 at gmail.com
Tue Sep 3 08:46:59 UTC 2019


I have to set up a TLS proxy connection between client and Squid. My config is
working with http_port (without TLS), but as soon as I try https_port it does
not work (Squid 3.5.23, compiled with --enable-ssl --enable-ssl-crtd
--with-openssl).

What I am trying to achieve is a proxy for HTTPS content. Whenever I access
Squid I get a 403 error code (I am testing with curl).

curl --proxy ${PROXY} --cacert ${CERT} --proxy-insecure --insecure ${URL}

1567498682.392     3 xxx.xxx.0.239 TCP_DENIED/200 0 CONNECT xxx.xxx.0.1:3129
- HIER_NONE/- -
1567498682.498     1 xxx.xxx.0.239 TAG_NONE/403 3825 CONNECT mydomain:443 -
HIER_NONE/- text/html

Here is my squid.conf. What am I doing wrong?

# Access-control ACLs. The http_access rules below are evaluated top to
# bottom and the first matching rule wins, so rule order matters.
acl wifi_net src xxx.xxx.0.0/24
acl our_proxy localip xxx.xxx.0.1/32
# SSL_ports lists only 443. The https_port defined below listens on 3129,
# which is therefore NOT in SSL_ports (relevant for the CONNECT deny rule).
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports (3129 falls in this range)
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl step1 at_step SslBump1
acl bumpedPorts myportname 3129
http_access deny !Safe_ports
# The access log in this post shows "TCP_DENIED ... CONNECT xxx.xxx.0.1:3129":
# a CONNECT whose destination port is 3129. 3129 is not in SSL_ports, so this
# rule denies it before "allow wifi_net" / "allow CONNECT bumpedPorts" below
# are ever consulted.
# NOTE(review): that CONNECT is presumably the one Squid fabricates for a
# TLS connection accepted on the "intercept" https_port (its target is the
# proxy's own local address and port) -- confirm in the cache.log, since
# debug_options is already ALL,2.
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost
http_access allow wifi_net
http_access allow CONNECT bumpedPorts   # not reached for CONNECTs to port 3129; see the deny above
http_access allow CONNECT our_proxy
http_access deny all
# NOTE(review): the cert= file name suggests it holds the CA private key as
# well as the certificate. Squid needs it, but nothing else should be able to
# read it -- restrict the file's permissions to the Squid user.
http_port 3128 ssl-bump \
  cert=/etc/squid/certs/squid-ca-cert-key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# NOTE(review): "intercept" is meant for traffic redirected to Squid by NAT.
# The curl test in this post addresses the proxy explicitly (--proxy), i.e. an
# explicit forward-proxy connection, for which "intercept" looks like the wrong
# mode on this port -- verify against the https_port documentation for 3.5.
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/certs/squid-ca-cert-key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# Peek at step 1 (client hello), then bump every connection.
ssl_bump peek step1
ssl_bump bump all
# Helper that mints the per-host certificates; -s is its certificate DB, -M
# its memory cap.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
cache_dir ufs /var/spool/squid 1024 16 256
# ALL,2 is verbose; fine for troubleshooting this issue, but lower it once
# the configuration works.
debug_options ALL,2
coredump_dir /var/spool/squid
refresh_pattern .               30      20%     1440 override-expire





