[squid-users] cannot access squid with https_port: 403

fansari nabil1385 at gmail.com
Tue Sep 3 16:44:25 UTC 2019

Seems that intercept is easier than tproxy.

I have now this config:

acl wifi_net src  xxx.xxx.0.0/24
acl our_proxy localip  xxx.xxx.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl step1 at_step SslBump1
acl bumpedPorts myportname 3129
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost
http_access allow wifi_net
http_access allow CONNECT bumpedPorts
http_access allow CONNECT our_proxy
http_access allow CONNECT wifi_net
http_access deny all
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/certs/squid-ca-cert-key.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump peek step1 
ssl_bump bump all
ssl_bump server-first
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
cache_dir ufs /var/spool/squid 1024 16 256
debug_options ALL,2
coredump_dir /var/spool/squid
refresh_pattern .               30      20%     1440 override-expire

When I add these rules on the server in /etc/firewalld/direct.xml

<rule ipv="ipv4" table="nat" chain="PREROUTING" priority="0">-i wlan1 -p tcp
-s xxx.xxx.0.0/24 --dport 80 -j DNAT --to xxx.xxx.0.1:3128</rule>
<rule ipv="ipv4" table="nat" chain="PREROUTING" priority="0">-i wlan1 -p tcp
-s xxx.xxx.0.0/24 --dport 443 -j DNAT --to xxx.xxx.0.1:3129</rule>

then I receive the content and also see a TCP_MEM_MISS or TCP_MEM_HIT in the

So maybe this could be a scenario to use in case http_port does not work.

>From this server itself the squid seems not to be used - but this is
probably more routing than squid stuff.

Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

More information about the squid-users mailing list