<font size=2 face="sans-serif">Thanks Amos for update. I tried the same
as explain by you in earlier reply.</font>
<br><font size=2 face="sans-serif">but after this, Proxy response degraded
like anything. also HTTPS site are not opening. So reverted back to the
solution given by </font><tt><font size=2>Eliezer</font></tt><font size=2 face="sans-serif">.</font>
<br><font size=2 face="sans-serif"> </font>
<br><font size=2 face="sans-serif">Next, I want to restrict the URL access
based on AD OU membership for users, can you quickly help me with some
starting points.</font>
<br>
<br><font size=2 face="sans-serif">regards;</font>
<br><font size=2 face="sans-serif">Nilesh Gavali</font>
<br>
<br>
<br>
<br>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">squid-users-request@lists.squid-cache.org</font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">squid-users@lists.squid-cache.org</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">14/06/2016 18:37</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">squid-users
Digest, Vol 22, Issue 66</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Sent by:
</font><font size=1 face="sans-serif">"squid-users"
<squid-users-bounces@lists.squid-cache.org></font>
<br>
<hr noshade>
<br>
<br>
<br><tt><font size=2>Send squid-users mailing list submissions to<br>
squid-users@lists.squid-cache.org<br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
</font></tt><a href="http://lists.squid-cache.org/listinfo/squid-users"><tt><font size=2>http://lists.squid-cache.org/listinfo/squid-users</font></tt></a><tt><font size=2><br>
or, via email, send a message with subject or body 'help' to<br>
squid-users-request@lists.squid-cache.org<br>
<br>
You can reach the person managing the list at<br>
squid-users-owner@lists.squid-cache.org<br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of squid-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Squid not allowing HTTPS access (Amos Jeffries)<br>
2. Squid not allowing HTTPS access (Nilesh Gavali)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Wed, 15 Jun 2016 05:13:41 +1200<br>
From: Amos Jeffries <squid3@treenet.co.nz><br>
To: squid-users@lists.squid-cache.org<br>
Subject: Re: [squid-users] Squid not allowing HTTPS access<br>
Message-ID: <84e6c6e1-2a1a-6502-2f34-f1a2aa29f89d@treenet.co.nz><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
On 15/06/2016 4:59 a.m., Eliezer Croitoru wrote:<br>
> Hey,<br>
> <br>
> <br>
> <br>
> The issue is that CONNECT request can be passed only directly to the
origin<br>
> server on 3.1.<br>
> Try to add:<br>
> never_direct allow all<br>
> <br>
<br>
Not quite. CONNECT is a type of message that makes no sense sending<br>
through another proxy if its able to go direct.<br>
<br>
<br>
So while the never_direct rule above will make it go through the peer.<br>
It will also make everything go through the peer, always. If the peer<br>
goes down traffic stops going anywhere.<br>
If you want that, then fine above is fine.<br>
<br>
<br>
An alternative which leaves DIRECT, but only as a backup when the peer<br>
is down is to configure:<br>
<br>
nonhierarchical_direct off<br>
prefer_direct on<br>
<br>
<br>
Amos<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Tue, 14 Jun 2016 18:36:46 +0100<br>
From: Nilesh Gavali <nilesh.gavali@tcs.com><br>
To: squid-users@lists.squid-cache.org<br>
Subject: [squid-users] Squid not allowing HTTPS access<br>
Message-ID:<br>
<OF1029EE48.A3374641-ON80257FD2.0060A8E1-80257FD2.0060BEB3@tcs.com><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hello Eliezer;<br>
<br>
Many Thanks, It work for me on 3.1.10<br>
<br>
Thanks & Regards<br>
Nilesh Gavali<br>
<br>
<br>
<br>
From: Eliezer Croitoru <eliezer@ngtech.co.il><br>
To: 'Nilesh Gavali' <nilesh.gavali@tcs.com>, <br>
squid-users@lists.squid-cache.org, Antony.Stone@squid.open.source.it<br>
Date: 14/06/2016 18:00<br>
Subject: RE: [squid-users] Squid not allowing
HTTPS access<br>
<br>
<br>
<br>
Hey,<br>
<br>
The issue is that CONNECT request can be passed only directly to the <br>
origin server on 3.1.<br>
Try to add:<br>
never_direct allow all<br>
<br>
To your squid.conf and see if it works.<br>
I do not remember if it works for all versions.<br>
<br>
Eliezer<br>
<br>
----<br>
Eliezer Croitoru<br>
Linux System Administrator<br>
Mobile: +972-5-28704261<br>
Email: eliezer@ngtech.co.il<br>
<br>
<br>
From: squid-users [</font></tt><a href="mailto:squid-users-bounces@lists.squid-cache.org"><tt><font size=2>mailto:squid-users-bounces@lists.squid-cache.org</font></tt></a><tt><font size=2>]
On <br>
Behalf Of Nilesh Gavali<br>
Sent: Tuesday, June 14, 2016 4:43 PM<br>
To: squid-users@lists.squid-cache.org; Antony.Stone@squid.open.source.it<br>
Subject: [squid-users] Squid not allowing HTTPS access<br>
<br>
Hello Antony; <br>
I have setup like below :- <br>
<br>
end user >> LinuxProxy(3.1.10) >> External Proxy(3.4)>>
Internet <br>
when we configure external proxy ip in end user's IE, all HTTP & HTTPS
<br>
site work properly. <br>
when we configure Linux proxy ip in end user's IE, HTTP works fine but
<br>
none of the HTTPS site open. <br>
when we access https site from LinuxProxy, below logs are appearing in
<br>
access.log <br>
TCP_DENIED/407 CONNECT sitename:443 - NONE/
text/html <br>
TCP_MISS/503 0 CONNECT sitename:443 username@MYDOMAIN.COM
DIRECT / <br>
- - <br>
TCP_MISS/200 23456 GET </font></tt><a href=http://www.anysite.com/><tt><font size=2>http://www.anysite.com</font></tt></a><tt><font size=2>
<br>
username@MYDOMAIN.COM DEFAULT_PARENT/10.10.x.x
text/html <br>
<br>
<br>
what I making out from log is ( I might be wrong) - HTTPS request are <br>
going directly instead . <br>
<br>
attached is my Linux Proxy config- <br>
<br>
================= <br>
# <br>
# Recommended minimum configuration: <br>
# <br>
<br>
#auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s <br>
GSS_C_NO_NAME <br>
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s <br>
HTTP/proxy02.abcd.com@ABCD.COM -d <br>
auth_param negotiate children 10 <br>
auth_param negotiate keep_alive on <br>
auth_param basic credentialsttl 2 hours <br>
acl ad_auth proxy_auth REQUIRED <br>
<br>
acl manager proto cache_object <br>
acl localhost src 127.0.0.1/32 ::1 <br>
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 <br>
<br>
# Example rule allowing access from your local networks. <br>
# Adapt to list your (internal) IP networks from where browsing <br>
# should be allowed <br>
acl localnet src 10.0.0.0/8 # RFC1918 possible
internal network <br>
acl localnet src 172.16.0.0/12 # RFC1918 possible
internal network <br>
acl localnet src 192.168.0.0/16 # RFC1918 possible
internal network <br>
<br>
acl localnet src fc00::/7 # RFC 4193 local private
network range <br>
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) <br>
machines <br>
<br>
acl SSL_ports port 443 <br>
acl Safe_ports port 80
# http <br>
acl Safe_ports port 21
# ftp <br>
acl Safe_ports port 443
# https <br>
acl Safe_ports port 70
# gopher <br>
acl Safe_ports port 210
# wais <br>
acl Safe_ports port 1025-65535 # unregistered
ports <br>
acl Safe_ports port 280
# http-mgmt <br>
acl Safe_ports port 488
# gss-http <br>
acl Safe_ports port 591
# filemaker <br>
acl Safe_ports port 777
# multiling http <br>
acl CONNECT method CONNECT <br>
<br>
# <br>
# Recommended minimum Access Permission configuration: <br>
# <br>
# Only allow cachemgr access from localhost <br>
http_access allow manager localhost <br>
http_access deny manager <br>
<br>
# Deny requests to certain unsafe ports <br>
http_access deny !Safe_ports <br>
<br>
# Deny CONNECT to other than secure SSL ports <br>
http_access deny CONNECT !SSL_ports <br>
<br>
# We strongly recommend the following be uncommented to protect innocent
<br>
# web applications running on the proxy server who think the only <br>
# one who can access services on "localhost" is a local user
<br>
#http_access deny to_localhost <br>
<br>
# <br>
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS <br>
# <br>
# <br>
# Example rule allowing access from your local networks. <br>
# Adapt localnet in the ACL section to list your (internal) IP networks
<br>
# from where browsing should be allowed <br>
#http_access allow localnet <br>
#http_access allow localhost <br>
http_access deny !ad_auth <br>
http_access allow ad_auth <br>
<br>
<br>
# And finally deny all other access to this proxy <br>
http_access deny all <br>
<br>
# Squid normally listens to port 3128 <br>
http_port 8080 <br>
<br>
cache_peer xx.xx.2.108 parent 8080 0 default <br>
#dns_nameservers ABCDNS.ABCD.COM <br>
dns_nameservers xx.xx.2.108 <br>
<br>
# We recommend you to use at least the following line. <br>
#hierarchy_stoplist cgi-bin ? <br>
<br>
# Uncomment and adjust the following to add a disk cache directory. <br>
cache_dir ufs /var/spool/squid 2048 16 256 <br>
<br>
# Leave coredumps in the first cache dir <br>
coredump_dir /var/spool/squid <br>
# Log forwarding to SysLog <br>
access_log syslog:local1.info <br>
<br>
# Add any of your own refresh_pattern entries above these. <br>
refresh_pattern ^ftp:
1440 20% 10080
<br>
refresh_pattern ^gopher: 1440
0% 1440 <br>
refresh_pattern -i (/cgi-bin/|\?) 0 0%
0 <br>
refresh_pattern . 0
20% 4320 <br>
-====================================== <br>
<br>
<br>
Thanks & Regards<br>
Nilesh Suresh Gavali<br>
Tata Consultancy Services<br>
3rd Floor, Tithebarn House<br>
Tithebarn Street<br>
Liverpool - L2 2NZ<br>
United Kingdom<br>
Mailto: nilesh.gavali@tcs.com<br>
Website: </font></tt><a href=http://www.tcs.com/><tt><font size=2>http://www.tcs.com</font></tt></a><tt><font size=2><br>
____________________________________________<br>
Experience certainty. IT Services<br>
Business Solutions<br>
Consulting<br>
____________________________________________<br>
<br>
Tata Consultancy Services Limited , incorporated with limited liability
<br>
and registered with Registrar of Companies, Mumbai, India - No: 11-84781<br>
HQ : Nirmal Building , 9th Floor, Nariman Point, Mumbai - 400 021, India
- <br>
Registered in UK : 18 Grosvenor Place, London SW1X 7HS - BR :007627<br>
<br>
----- Forwarded by Nilesh Gavali/MUM/TCS on 14/06/2016 14:41 ----- <br>
<br>
From: Nilesh Gavali/MUM/TCS <br>
To: squid-users@lists.squid-cache.org <br>
Date: 13/06/2016 14:00 <br>
Subject: Squid not allowing HTTPS access <br>
<br>
<br>
<br>
<br>
Hello All; <br>
Facing issue while accessing HTTPS via squid, normal http traffic working
<br>
fine. I have squid 3.1.10 on RHEL.6.0 <br>
<br>
attached is my squid .conf for your reference,..help will be much <br>
appreciated. <br>
<br>
<br>
<br>
Thanks & Regards<br>
Nilesh Suresh Gavali<br>
=====-----=====-----=====<br>
Notice: The information contained in this e-mail<br>
message and/or attachments to it may contain <br>
confidential or privileged information. If you are <br>
not the intended recipient, any dissemination, use, <br>
review, distribution, printing or copying of the <br>
information contained in this e-mail message <br>
and/or attachments to it are strictly prohibited. If <br>
you have received this communication in error, <br>
please notify us by reply e-mail or telephone and <br>
immediately and permanently delete the message <br>
and any attachments. Thank you<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <</font></tt><a href="http://lists.squid-cache.org/pipermail/squid-users/attachments/20160614/f175dc50/attachment.html"><tt><font size=2>http://lists.squid-cache.org/pipermail/squid-users/attachments/20160614/f175dc50/attachment.html</font></tt></a><tt><font size=2>><br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: not available<br>
Type: image/png<br>
Size: 11307 bytes<br>
Desc: not available<br>
URL: <</font></tt><a href="http://lists.squid-cache.org/pipermail/squid-users/attachments/20160614/f175dc50/attachment.png"><tt><font size=2>http://lists.squid-cache.org/pipermail/squid-users/attachments/20160614/f175dc50/attachment.png</font></tt></a><tt><font size=2>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
squid-users@lists.squid-cache.org<br>
</font></tt><a href="http://lists.squid-cache.org/listinfo/squid-users"><tt><font size=2>http://lists.squid-cache.org/listinfo/squid-users</font></tt></a><tt><font size=2><br>
<br>
<br>
------------------------------<br>
<br>
End of squid-users Digest, Vol 22, Issue 66<br>
*******************************************<br>
</font></tt>
<br>