<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>I've searched through the internets and tried various things... to no avail. Hopefully someone here can point me in the right direction.</div>
<div> </div>
<div>I am sitting behind a proxy, which accepts http/https. Everything else is blocked. If I instruct my browser to use this proxy,</div>
<div>everything works dandy. Both http and https.</div>
<div> </div>
<div>The problem is, I have a few apps that don't have an option to set proxy. So, my idea was to set up squid on the local machine</div>
<div>that would transparently redirect http/https to the proxy. Eg something like this:</div>
<div> </div>
<div>[ local_box: app (http or https) ---> squid ] -----> [ the_proxy ] -----> ... -----> [ internets ]</div>
<div> </div>
<div>I have no control of the proxy, nor do I know what goes on after it.</div>
<div> </div>
<div>I have the following iptables rules:</div>
<div>
<div>*nat<br/>
:PREROUTING ACCEPT [1:89]<br/>
:INPUT ACCEPT [1:89]<br/>
:OUTPUT ACCEPT [549:34321]<br/>
:POSTROUTING ACCEPT [624:38821]<br/>
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129<br/>
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130<br/>
COMMIT</div>
<div> </div>
<div>And my squid.conf is mostly garden variety:</div>
<div>
<div>acl localnet src 10.0.0.0/8 # RFC1918 possible internal network<br/>
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network<br/>
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network</div>
<div>acl SSL_ports port 443<br/>
acl Safe_ports port 80 # http<br/>
acl Safe_ports port 21 # ftp<br/>
acl Safe_ports port 443 # https<br/>
acl Safe_ports port 70 # gopher<br/>
acl Safe_ports port 210 # wais<br/>
acl Safe_ports port 1025-65535 # unregistered ports<br/>
acl Safe_ports port 280 # http-mgmt<br/>
acl Safe_ports port 488 # gss-http<br/>
acl Safe_ports port 591 # filemaker<br/>
acl Safe_ports port 777 # multiling http<br/>
acl Safe_ports port 901 # SWAT<br/>
acl CONNECT method CONNECT</div>
<div>http_access deny !Safe_ports<br/>
http_access deny CONNECT !SSL_ports</div>
<div>http_access allow localhost manager<br/>
http_access deny manager</div>
<div>http_access allow localnet<br/>
http_access allow localhost</div>
<div>http_access deny all</div>
<div>coredump_dir /var/cache/squid
<div>refresh_pattern ^ftp: 1440 20% 10080</div>
<div>refresh_pattern ^gopher: 1440 0% 1440<br/>
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br/>
refresh_pattern . 0 20% 4320</div>
<div> </div>
<div>cache deny all</div>
</div>
<div> </div>
<div>cache_peer proxy parent 3128 0 no-query no-digest default<br/>
never_direct allow all</div>
<div> </div>
<div>http_port 3128<br/>
http_port 3129 intercept<br/>
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/ssl/squid/cert.pem key=/etc/ssl/squid/key.pem</div>
<div> </div>
<div>I've generated the certs and ran ssl_crtd to init ssl db dirs.</div>
<div> </div>
<div>To verify squid is working, I've changed my browser proxy settings to 127.0.0.1:3128 for http and https.</div>
<div>Everything works like a charm.</div>
<div> </div>
<div>This is where the "fun" begins:</div>
<div> </div>
<div>==========</div>
<div>Without the proxy settings http also works just fine -- in both the browser and wget command. Https on the other hand is fubar.</div>
<div>In the browser I get "Unsupported Request Method and Protocol" error (after accepting the "invalid" certificate).</div>
<div>With wget I get:</div>
<div>
<div>local_box [~] wget https://google.com --no-check-certificate<br/>
--2014-11-05 20:21:12-- https://google.com/<br/>
Resolving google.com... 74.125.196.138, 74.125.196.139, 74.125.196.101, ...<br/>
Connecting to google.com|74.125.196.138|:443... connected.<br/>
WARNING: cannot verify google.com's certificate, issued by ‘/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd’:<br/>
Self-signed certificate encountered.<br/>
WARNING: certificate common name ‘’ doesn't match requested host name ‘google.com’.<br/>
HTTP request sent, awaiting response... 501 Not Implemented<br/>
2014-11-05 20:21:12 ERROR 501: Not Implemented.</div>
<div> </div>
<div>
<div>access.log says:</div>
<div>1415236731.852 19 10.0.0.13 TCP_MISS/501 4255 GET https://www.google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html</div>
<div> </div>
<div>==========</div>
</div>
<div>If I add 'ssl_bump server-first all' to squid.conf. Whenever I try to pull up an https page, it barfs with:</div>
<div>
<div>2014/11/05 20:22:28| assertion failed: forward.cc:785: "peer->use_ssl"<br/>
Aborted</div>
<div> </div>
<div>==========</div>
<div>If I change it to 'ssl_bump client-first all', I get "Unable to forward this request at this time" in the browser.</div>
<div>And wget says:</div>
<div>
<div>local_box [~] wget https://google.com --no-check-certificate<br/>
--2014-11-05 20:26:53-- https://google.com/<br/>
Resolving google.com... 74.125.196.101, 74.125.196.100, 74.125.196.139, ...<br/>
Connecting to google.com|74.125.196.101|:443... connected.<br/>
WARNING: cannot verify google.com's certificate, issued by ‘/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd’:<br/>
Self-signed certificate encountered.<br/>
WARNING: certificate common name ‘74.125.196.101’ doesn't match requested host name ‘google.com’.<br/>
HTTP request sent, awaiting response... 503 Service Unavailable<br/>
2014-11-05 20:26:53 ERROR 503: Service Unavailable.</div>
<div> </div>
<div>access.log says:</div>
<div>1415237271.133 0 10.0.0.13 TCP_MISS/503 3840 GET https://google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html</div>
<div> </div>
<div>==========</div>
<div>And so after endless searching and searching and trying various things I came here. Could please help me figure out why it is not working?</div>
<div> </div>
<div>Thank you.</div>
<div> </div>
<div>-D</div>
</div>
</div>
</div>
</div>
</div></div></body></html>