<font size=2 face="sans-serif">Hello Eliezer;</font>
<br>
<br><font size=2 face="sans-serif">Many Thanks, It work for me on 3.1.10</font>
<br>
<br><font size=2 face="sans-serif">Thanks & Regards<br>
Nilesh Gavali</font>
<br>
<br>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">Eliezer Croitoru <eliezer@ngtech.co.il></font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">'Nilesh Gavali' <nilesh.gavali@tcs.com>,
squid-users@lists.squid-cache.org, Antony.Stone@squid.open.source.it</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">14/06/2016 18:00</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">RE: [squid-users]
Squid not allowing HTTPS access</font>
<br>
<hr noshade>
<br>
<br>
<br><font size=2 color=#004080 face="Calibri">Hey,</font>
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 color=#004080 face="Calibri">The issue is that CONNECT
request can be passed only directly to the origin server on 3.1.<br>
Try to add:</font><font size=2 face="Courier New"><br>
never_direct allow all</font>
<br><font size=2 face="Courier New"> </font>
<br><font size=2 color=#004080 face="Calibri">To your squid.conf and see
if it works.</font>
<br><font size=2 color=#004080 face="Calibri">I do not remember if it works
for all versions.</font>
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 color=#004080 face="Calibri">Eliezer</font>
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 color=#004080 face="Arial Rounded MT Bold">----</font>
<br><a href=http://ngtech.co.il/lmgtfy/><font size=2 color=#0082bf face="Arial Rounded MT Bold"><u>Eliezer
Croitoru</u></font></a><font size=2 color=#004080 face="Arial Rounded MT Bold"><br>
Linux System Administrator<br>
Mobile: +972-5-28704261<br>
Email: eliezer@ngtech.co.il</font>
<br><img src=cid:_4_0D4F39F80D4F378C0060BE8980257FD2 style="border:0px solid;">
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 face="Calibri"><b>From:</b> squid-users [</font><a href="mailto:squid-users-bounces@lists.squid-cache.org"><font size=2 face="Calibri">mailto:squid-users-bounces@lists.squid-cache.org</font></a><font size=2 face="Calibri">]
<b>On Behalf Of </b>Nilesh Gavali<b><br>
Sent:</b> Tuesday, June 14, 2016 4:43 PM<b><br>
To:</b> squid-users@lists.squid-cache.org; Antony.Stone@squid.open.source.it<b><br>
Subject:</b> [squid-users] Squid not allowing HTTPS access</font>
<br><font size=3 face="Times New Roman"> </font>
<br><font size=2 face="Arial">Hello Antony;</font><font size=3 face="Times New Roman">
</font><font size=2 face="Arial"><br>
I have setup like below :-</font><font size=3 face="Times New Roman"> <br>
</font><font size=2 face="Arial"><br>
end user >> LinuxProxy(3.1.10) >> External Proxy(3.4)>>
Internet</font><font size=3 face="Times New Roman"> </font>
<ul>
<li><font size=2 face="Arial">when we configure external proxy ip in end
user's IE, all HTTP & HTTPS site work properly.</font><font size=3 face="Times New Roman">
</font>
<li><font size=2 face="Arial">when we configure Linux proxy ip in end user's
IE, HTTP works fine but none of the HTTPS site open.</font><font size=3 face="Times New Roman">
</font>
<li><font size=2 face="Arial">when we access https site from LinuxProxy,
below logs are appearing in access.log </font></ul><font size=2 face="Arial">
TCP_DENIED/407 CONNECT sitename:443 - NONE/
text/html <br>
TCP_MISS/503 0 CONNECT sitename:443 </font><a href=mailto:username@MYDOMAIN.COM><font size=2 color=blue face="Arial"><u>username@MYDOMAIN.COM</u></font></a><font size=2 face="Arial">
DIRECT / - -</font><font size=3 face="Times New Roman">
</font><font size=2 face="Arial"><br>
TCP_MISS/200 23456 GET </font><a href=http://www.anysite.com/><font size=2 color=blue face="Arial"><u>http://www.anysite.com</u></font></a><font size=2 face="Arial">
</font><a href=mailto:username@MYDOMAIN.COM><font size=2 color=blue face="Arial"><u>username@MYDOMAIN.COM</u></font></a><font size=2 face="Arial">
DEFAULT_PARENT/10.10.x.x text/html</font><font size=3 face="Times New Roman">
<br>
<br>
</font><font size=2 face="Arial"><br>
what I making out from log is ( I might be wrong) - HTTPS request are going
directly instead .</font><font size=3 face="Times New Roman"> <br>
</font><font size=2 face="Arial"><br>
attached is my Linux Proxy config-</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Arial"><br>
=================</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
#</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
# Recommended minimum configuration:</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
#</font><font size=3 face="Times New Roman"> <br>
</font><font size=2 face="Courier New"><br>
#auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s GSS_C_NO_NAME</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s </font><a href=mailto:HTTP/proxy02.abcd.com@ABCD.COM><font size=2 color=blue face="Courier New"><u>HTTP/proxy02.abcd.com@ABCD.COM</u></font></a><font size=2 face="Courier New">
-d</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
auth_param negotiate children 10</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
auth_param negotiate keep_alive on</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
auth_param basic credentialsttl 2 hours</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
acl ad_auth proxy_auth REQUIRED</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Courier New"><br>
acl manager proto cache_object</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
acl localhost src 127.0.0.1/32 ::1</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Courier New"><br>
# Example rule allowing access from your local networks.</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
# Adapt to list your (internal) IP networks from where browsing</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
# should be allowed</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl localnet src 10.0.0.0/8 # RFC1918 possible
internal network</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl localnet src 172.16.0.0/12 # RFC1918 possible
internal network</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl localnet src 192.168.0.0/16 # RFC1918 possible
internal network</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl localnet src fc00::/7 # RFC 4193 local private
network range</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines</font><font size=3 face="Times New Roman"> <br>
</font><font size=2 face="Courier New"><br>
acl SSL_ports port 443</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl Safe_ports port 80
# http</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl Safe_ports port 21
# ftp</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl Safe_ports port 443
# https</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl Safe_ports port 70
# gopher</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl Safe_ports port 210
# wais</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl Safe_ports port 1025-65535 # unregistered
ports</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl Safe_ports port 280
# http-mgmt</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl Safe_ports port 488
# gss-http</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl Safe_ports port 591
# filemaker</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl Safe_ports port 777
# multiling http</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
acl CONNECT method CONNECT</font><font size=3 face="Times New Roman"> <br>
</font><font size=2 face="Courier New"><br>
#</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
# Recommended minimum Access Permission configuration:</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
#</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
# Only allow cachemgr access from localhost</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
http_access allow manager localhost</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
http_access deny manager</font><font size=3 face="Times New Roman"> <br>
</font><font size=2 face="Courier New"><br>
# Deny requests to certain unsafe ports</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
http_access deny !Safe_ports</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Courier New"><br>
# Deny CONNECT to other than secure SSL ports</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
http_access deny CONNECT !SSL_ports</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Courier New"><br>
# We strongly recommend the following be uncommented to protect innocent</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
# web applications running on the proxy server who think the only</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
# one who can access services on "localhost" is a local user</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
#http_access deny to_localhost</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Courier New"><br>
#</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
#</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
#</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
# Example rule allowing access from your local networks.</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
# Adapt localnet in the ACL section to list your (internal) IP networks</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
# from where browsing should be allowed</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
#http_access allow localnet</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
#http_access allow localhost</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
http_access deny !ad_auth</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
http_access allow ad_auth</font><font size=3 face="Times New Roman"> <br>
<br>
</font><font size=2 face="Courier New"><br>
# And finally deny all other access to this proxy</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
http_access deny all</font><font size=3 face="Times New Roman"> <br>
</font><font size=2 face="Courier New"><br>
# Squid normally listens to port 3128</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
http_port 8080</font><font size=3 face="Times New Roman"> <br>
</font><font size=2 face="Courier New"><br>
cache_peer xx.xx.2.108 parent 8080 0 default</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
#dns_nameservers ABCDNS.ABCD.COM</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
dns_nameservers xx.xx.2.108</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Courier New"><br>
# We recommend you to use at least the following line.</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
#hierarchy_stoplist cgi-bin ?</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Courier New"><br>
# Uncomment and adjust the following to add a disk cache directory.</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
cache_dir ufs /var/spool/squid 2048 16 256</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Courier New"><br>
# Leave coredumps in the first cache dir</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
coredump_dir /var/spool/squid</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
# Log forwarding to SysLog</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
access_log syslog:local1.info</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Courier New"><br>
# Add any of your own refresh_pattern entries above these.</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
refresh_pattern ^ftp:
1440 20% 10080</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
refresh_pattern ^gopher: 1440
0% 1440</font><font size=3 face="Times New Roman">
</font><font size=2 face="Courier New"><br>
refresh_pattern -i (/cgi-bin/|\?) 0 0%
0</font><font size=3 face="Times New Roman"> </font><font size=2 face="Courier New"><br>
refresh_pattern . 0
20% 4320</font><font size=3 face="Times New Roman">
</font><font size=2 face="Arial"><br>
-======================================</font><font size=3 face="Times New Roman">
<br>
<br>
</font><font size=2 face="Arial"><br>
Thanks & Regards<br>
Nilesh Suresh Gavali<br>
Tata Consultancy Services<br>
3rd Floor, Tithebarn House<br>
Tithebarn Street<br>
Liverpool - L2 2NZ<br>
United Kingdom<br>
Mailto: </font><a href=mailto:nilesh.gavali@tcs.com><font size=2 color=blue face="Arial"><u>nilesh.gavali@tcs.com</u></font></a><font size=2 face="Arial"><br>
Website: </font><a href=http://www.tcs.com/><font size=2 color=blue face="Arial"><u>http://www.tcs.com</u></font></a><font size=2 face="Arial"><br>
____________________________________________<br>
Experience certainty. IT Services<br>
Business Solutions<br>
Consulting<br>
____________________________________________<br>
<br>
Tata Consultancy Services Limited , incorporated with limited liability
and registered with Registrar of Companies, Mumbai, India - No: 11-84781<br>
HQ : Nirmal Building , 9th Floor, Nariman Point, Mumbai - 400 021, India
- Registered in UK : 18 Grosvenor Place, London SW1X 7HS -
BR :007627</font><font size=3 face="Times New Roman"><br>
</font><font size=1 color=#800080 face="Arial"><br>
----- Forwarded by Nilesh Gavali/MUM/TCS on 14/06/2016 14:41 -----</font><font size=3 face="Times New Roman">
<br>
</font><font size=1 color=#5f5f5f face="Arial"><br>
From: </font><font size=1 face="Arial">Nilesh
Gavali/MUM/TCS</font><font size=3 face="Times New Roman"> </font><font size=1 color=#5f5f5f face="Arial"><br>
To: </font><a href="mailto:squid-users@lists.squid-cache.org"><font size=1 color=blue face="Arial"><u>squid-users@lists.squid-cache.org</u></font></a><font size=3 face="Times New Roman">
</font><font size=1 color=#5f5f5f face="Arial"><br>
Date: </font><font size=1 face="Arial">13/06/2016
14:00</font><font size=3 face="Times New Roman"> </font><font size=1 color=#5f5f5f face="Arial"><br>
Subject: </font><font size=1 face="Arial">Squid
not allowing HTTPS access</font><font size=3 face="Times New Roman"> </font>
<div align=center>
<hr noshade></div>
<br><font size=3 face="Times New Roman"><br>
<br>
</font><font size=2 face="Courier New"><br>
Hello All;</font><font size=3 face="Times New Roman"> </font><font size=2 face="Arial"><br>
Facing issue while accessing HTTPS via squid, normal http traffic working
fine. I have squid 3.1.10 on RHEL.6.0</font><font size=3 face="Times New Roman">
<br>
</font><font size=2 face="Arial"><br>
attached is my squid .conf for your reference,..help will be much appreciated.</font><font size=3 face="Times New Roman">
<br>
<br>
<br>
</font><font size=2 face="Arial"><br>
Thanks & Regards<br>
Nilesh Suresh Gavali</font>
<p><font size=3 face="Times New Roman">=====-----=====-----=====<br>
Notice: The information contained in this e-mail<br>
message and/or attachments to it may contain <br>
confidential or privileged information. If you are <br>
not the intended recipient, any dissemination, use, <br>
review, distribution, printing or copying of the <br>
information contained in this e-mail message <br>
and/or attachments to it are strictly prohibited. If <br>
you have received this communication in error, <br>
please notify us by reply e-mail or telephone and <br>
immediately and permanently delete the message <br>
and any attachments. Thank you</font>
<p>