<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hey,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The issue is that a CONNECT request can be passed only directly to the origin server on 3.1.<br>Try to add:<br></span><code><span style='font-size:10.0pt'>never_direct allow all<o:p></o:p></span></code></p><p class=MsoNormal><code><span style='font-size:10.0pt'><o:p> </o:p></span></code></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>to your squid.conf and see if it works.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I do not remember if it works for all versions.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Eliezer<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial Rounded MT Bold","sans-serif";color:#1F497D'>----<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial Rounded MT Bold","sans-serif";color:#1F497D'><a href="http://ngtech.co.il/lmgtfy/"><span style='color:#0563C1'>Eliezer Croitoru</span></a><br>Linux System Administrator<br>Mobile: +972-5-28704261<br>Email: eliezer@ngtech.co.il<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><img 
border=0 width=183 height=69 id="Picture_x0020_1" src="cid:image001.png@01D1C669.5224BC60"><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> squid-users [mailto:squid-users-bounces@lists.squid-cache.org] <b>On Behalf Of </b>Nilesh Gavali<br><b>Sent:</b> Tuesday, June 14, 2016 4:43 PM<br><b>To:</b> squid-users@lists.squid-cache.org; Antony.Stone@squid.open.source.it<br><b>Subject:</b> [squid-users] Squid not allowing HTTPS access<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Hello Antony;</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I have a setup like below:</span> <br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>end user >> LinuxProxy(3.1.10) >> External Proxy(3.4) >> Internet</span> <o:p></o:p></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>When we configure the external proxy IP in the end user's IE, all HTTP & HTTPS sites work properly.</span> <o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>When we configure the Linux proxy IP in the end user's IE, HTTP works fine but none of the HTTPS sites open.</span> <o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>When we access an HTTPS site from LinuxProxy, the logs below appear in access.log </span><o:p></o:p></li></ul><p 
class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>        TCP_DENIED/407 CONNECT sitename:443 -  NONE/ text/html </span><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>        TCP_MISS/503 0 CONNECT sitename:443 <a href="mailto:username@MYDOMAIN.COM">username@MYDOMAIN.COM</a>         DIRECT / - -</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>        TCP_MISS/200 23456 GET </span><a href="http://www.anysite.com/"><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>http://www.anysite.com</span></a><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> <a href="mailto:username@MYDOMAIN.COM">username@MYDOMAIN.COM</a>         DEFAULT_PARENT/10.10.x.x text/html</span> <br><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>What I am making out from the log is (I might be wrong) that HTTPS requests are going directly instead.</span> <br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Attached is my Linux Proxy config:</span> <br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>=================</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Recommended minimum configuration:</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>#auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s <a href="mailto:HTTP/proxy02.abcd.com@ABCD.COM">HTTP/proxy02.abcd.com@ABCD.COM</a> -d</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>auth_param negotiate children 10</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>auth_param negotiate keep_alive on</span> <br><span 
style='font-size:10.0pt;font-family:"Courier New"'>auth_param basic credentialsttl 2 hours</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl ad_auth proxy_auth REQUIRED</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>acl manager proto cache_object</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localhost src 127.0.0.1/32 ::1</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Example rule allowing access from your local networks.</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Adapt to list your (internal) IP networks from where browsing</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># should be allowed</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localnet src 10.0.0.0/8        # RFC1918 possible internal network</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localnet src 172.16.0.0/12        # RFC1918 possible internal network</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localnet src 192.168.0.0/16        # RFC1918 possible internal network</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localnet src fc00::/7       # RFC 4193 local private network range</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>acl SSL_ports port 443</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 80                # http</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 21                # ftp</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 443              
  # https</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 70                # gopher</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 210                # wais</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 1025-65535        # unregistered ports</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 280                # http-mgmt</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 488                # gss-http</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 591                # filemaker</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 777                # multiling http</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl CONNECT method CONNECT</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Recommended minimum Access Permission configuration:</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Only allow cachemgr access from localhost</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access allow manager localhost</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access deny manager</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Deny requests to certain unsafe ports</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access deny !Safe_ports</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Deny CONNECT to other than secure SSL ports</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access deny CONNECT !SSL_ports</span> <br><br><span 
style='font-size:10.0pt;font-family:"Courier New"'># We strongly recommend the following be uncommented to protect innocent</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># web applications running on the proxy server who think the only</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># one who can access services on "localhost" is a local user</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#http_access deny to_localhost</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Example rule allowing access from your local networks.</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Adapt localnet in the ACL section to list your (internal) IP networks</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># from where browsing should be allowed</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#http_access allow localnet</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#http_access allow localhost</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access deny !ad_auth</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access allow ad_auth</span> <br><br><br><span style='font-size:10.0pt;font-family:"Courier New"'># And finally deny all other access to this proxy</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access deny all</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Squid normally listens to port 3128</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_port 
8080</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>cache_peer xx.xx.2.108 parent 8080 0 default</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#dns_nameservers ABCDNS.ABCD.COM</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>dns_nameservers xx.xx.2.108</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># We recommend you to use at least the following line.</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#hierarchy_stoplist cgi-bin ?</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Uncomment and adjust the following to add a disk cache directory.</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>cache_dir ufs /var/spool/squid 2048 16 256</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Leave coredumps in the first cache dir</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>coredump_dir /var/spool/squid</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Log forwarding to SysLog</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>access_log syslog:local1.info</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Add any of your own refresh_pattern entries above these.</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>refresh_pattern ^ftp:                1440        20%        10080</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>refresh_pattern ^gopher:        1440        0%        1440</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>refresh_pattern -i (/cgi-bin/|\?) 0        0%        0</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>refresh_pattern .                
0        20%        4320</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>-======================================</span> <br><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Thanks & Regards<br>Nilesh Suresh Gavali<br>Tata Consultancy Services<br>3rd Floor, Tithebarn House<br>Tithebarn Street<br>Liverpool - L2 2NZ<br>United Kingdom<br>Mailto: <a href="mailto:nilesh.gavali@tcs.com">nilesh.gavali@tcs.com</a><br>Website: </span><a href="http://www.tcs.com/"><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>http://www.tcs.com</span></a><br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:purple'>----- Forwarded by Nilesh Gavali/MUM/TCS on 14/06/2016 14:41 -----</span> <br><br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>From:        </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>Nilesh Gavali/MUM/TCS</span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>To:        </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'><a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a></span> <br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Date:        </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>13/06/2016 14:00</span> 
<br><span style='font-size:7.5pt;font-family:"Arial","sans-serif";color:#5F5F5F'>Subject:        </span><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>Squid not allowing HTTPS access</span> <o:p></o:p></p><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" noshade style='color:#A0A0A0' align=center></div><p class=MsoNormal><br><br><br><tt><span style='font-size:10.0pt'>Hello All;</span></tt> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Facing an issue while accessing HTTPS via Squid; normal HTTP traffic is working fine. I have Squid 3.1.10 on RHEL 6.0.</span> <br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Attached is my squid.conf for your reference; help will be much appreciated.</span> <br><br><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Thanks & Regards<br>Nilesh Suresh Gavali</span><o:p></o:p></p></div></body></html>
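The diagnosis in this thread (GET requests logged with DEFAULT_PARENT while CONNECT requests are logged DIRECT and fail with 503, addressed by adding never_direct allow all), as an added Python example that is not from the thread or from the Squid project: it parses Squid native-format access.log lines, flags CONNECT requests that bypassed the parent, and checks a squid.conf excerpt for a parent cache_peer that has no never_direct rule. The sample log lines and conf excerpt are constructed to mirror the thread; the client IP and parent IP are placeholders.

```python
"""Added example (not from the thread or the Squid project): spot CONNECT tunnels
that bypass a configured parent proxy, the symptom discussed in the thread."""
import re

# Squid native access.log format, one request per line:
# timestamp elapsed client result/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Named fields of one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def direct_connects(log_lines):
    """CONNECT requests Squid sent straight to the origin: [(url, status, user)]."""
    hits = []
    for line in log_lines:
        e = parse_line(line)
        if e and e["method"] == "CONNECT" and e["hier"] == "DIRECT":
            hits.append((e["url"], int(e["status"]), e["user"]))
    return hits

def parent_without_never_direct(conf_text):
    """True if squid.conf declares a parent cache_peer but no 'never_direct allow'
    rule, so Squid may still choose DIRECT for requests it will not hand to a peer."""
    has_parent = has_never_direct = False
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if tokens[:1] == ["cache_peer"] and tokens[2:3] == ["parent"]:
            has_parent = True
        elif tokens[:2] == ["never_direct", "allow"]:
            has_never_direct = True
    return has_parent and not has_never_direct

def diagnose(log_lines, conf_text):
    """Combine both checks; 'likely_fix' is the directive the reply suggests."""
    hits = direct_connects(log_lines)
    unforced = parent_without_never_direct(conf_text)
    return {"direct_connects": hits, "parent_unforced": unforced,
            "likely_fix": "never_direct allow all" if hits and unforced else None}

# Constructed sample data mirroring the thread's excerpts; client and peer IPs
# are placeholders, and the redacted 'xx.xx.2.108' is kept as in the thread.
SAMPLE_LOG = [
    "1465915380.123 245 10.1.1.50 TCP_DENIED/407 3200 CONNECT sitename:443 - NONE/- text/html",
    "1465915380.456 310 10.1.1.50 TCP_MISS/503 0 CONNECT sitename:443 username@MYDOMAIN.COM DIRECT/- -",
    "1465915381.789 180 10.1.1.50 TCP_MISS/200 23456 GET http://www.anysite.com/ username@MYDOMAIN.COM DEFAULT_PARENT/10.10.1.1 text/html",
]
SAMPLE_CONF = ("http_access allow ad_auth\nhttp_access deny all\nhttp_port 8080\n"
               "cache_peer xx.xx.2.108 parent 8080 0 default   # parent proxy\n")
FIXED_CONF = SAMPLE_CONF + "never_direct allow all\n"  # the fix proposed in the reply

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CONF))  # flags the 503 CONNECT, suggests the fix
    print(diagnose(SAMPLE_LOG, FIXED_CONF))   # same log, but the conf now forces the parent
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; a 407 line never has a hierarchy peer, so only the retried CONNECT after authentication shows where Squid actually routed the tunnel.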