[squid-users] SSL/SSH/SFTP/FTPS to alternate ports
crazy world
crazyworld at outlook.com
Sun Oct 12 15:11:43 UTC 2014
Do you have the log for the connection when you can't access? Other than 22 and 443 as you said.
Thanks,
-B
Subject: Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
From: n614cd at gmail.com
Date: Sun, 12 Oct 2014 10:49:05 -0400
CC: n614cd at gmail.com; squid-users at lists.squid-cache.org
To: crazyworld at outlook.com
Here is the access log. I should have included it in the original post. This is accessing a test machine I set up to hit SSH on 22 and 443. I can also hit HTTPS on multiple other ports.
1413125068.706 87 10.110.98.21 TCP_MISS/503 0 CONNECT XXX.XXXX.com:22 - HIER_NONE/- -
1413125086.496 8061 10.110.98.21 TCP_MISS/200 3657 CONNECT XXX.XXXX.com:443 - HIER_DIRECT/54.68.15.208 -
Yes, my intent in the rule set is to provide a list of allowed ports and sites.
Tim
On Oct 11, 2014, at 11:37 PM, B <crazyworld at outlook.com> wrote:
Check out your access log and see what it says. Sounds like you are looking for an AFW from squid. The ports themselves are defined. You need to make sure the other ports are opened.
Your rule tells squid to block the non-allowed sites to the non-allowed ports. Still sounds like FW function, but with the domain feature only.
-B
On 10/12/2014 7:48 AM, Timothy Spear wrote:
Hello,
Here is the issue:
I can proxy through Squid just fine to HTTP and HTTPS. I can
also run SSH via Corkscrew to a SSH server running on port 443
and it works fine.
What I cannot do, is access HTTPS or SSH on any other port
except 443. I have lost track of the number of things I have
tried so any help will be appreciated and I feel like I am
missing something simple.
OS: Ubuntu 14.04.1 LTS
Squid: 3.3.8-1ubuntu6.1
Here is my current Squid 3 configuration:
debug_options all,3
# local network we proxy for
acl localnet src 10.110.98.0/24
# what ports can be the destination
acl allowedPorts port 21
acl allowedPorts port 22
acl allowedPorts port 2222
acl allowedPorts port 80
acl allowedPorts port 443
acl allowedPorts port 8443
acl CONNECT method CONNECT
# determine the available sites
acl allowedSites dstdomain "/etc/squid3/allowed-sites.squid"
# now block anything not on the localnet or ports
http_access deny !localnet
# allow connect only for approved ports
http_access deny CONNECT !allowedPorts
# now only allow to the specific sites
http_access allow localnet allowedSites allowedPorts
http_port 3128
access_log /var/log/squid3/access.log squid
hosts_file /etc/hosts
Background (just FYI):
I am trying to set up Squid to control network access from a local subnet to a select number of domains. I do not need to bump the encrypted traffic and play man in the middle, I just need to prevent the servers on the local network from accessing unauthorized networks. Yes, I know I can do this in the Firewall, but that is IP based and I am dealing with enough other companies that maintaining the IP list has become a major pain. Instead I want to use domains, which I can do in Squid.
Thanks,
Tim
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
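The access log quoted above is the evidence that matters in this thread, so here is a small log checker, added as an example and not part of the original posts or of Squid itself. It parses Squid's native ("squid" logformat) access.log records, pulls the destination port out of each CONNECT request, compares it with the allowedPorts list from the posted config, and labels each tunnel attempt: established, denied by the port rule, or allowed by the ACLs but never tunnelled (a 503 with HIER_NONE/-, the shape of the port 22 failure above). Because the list archive ran the two quoted records together on one line, records are split on the leading epoch timestamp rather than on newlines. The sample input is constructed: the two records from the thread as the archive rendered them, plus a denied CONNECT and a plain GET that I made up to exercise the other branches.

```python
import re
from collections import Counter

# Destination ports permitted by the allowedPorts ACL in the posted
# squid.conf (assumption: taken from that config as quoted above).
ALLOWED_PORTS = {21, 22, 2222, 80, 443, 8443}

# A native-format record starts with a 10-digit epoch time plus a
# millisecond fraction.  Splitting on that lets us recover records the
# archive fused onto one line ("... HIER_NONE/- -1413125086.496 ...").
_RECORD_START = re.compile(r"(?=(?<!\d)\d{10}\.\d{3}\s)")

# Constructed sample input (see lead-in): first two records are the ones
# quoted in the thread, fused exactly as the archive shows them.
SAMPLE_LOG = (
    "1413125068.706 87 10.110.98.21 TCP_MISS/503 0 CONNECT XXX.XXXX.com:22 - HIER_NONE/- -"
    "1413125086.496 8061 10.110.98.21 TCP_MISS/200 3657 CONNECT XXX.XXXX.com:443 - HIER_DIRECT/54.68.15.208 -\n"
    "1413125090.120 15 10.110.98.21 TCP_DENIED/403 3412 CONNECT XXX.XXXX.com:2200 - HIER_NONE/- text/html\n"
    "1413125095.331 210 10.110.98.21 TCP_MISS/200 1834 GET http://XXX.XXXX.com/index.html - HIER_DIRECT/54.68.15.208 text/html\n"
)


def split_records(text):
    """Yield one record per request, even when records share a line."""
    for chunk in _RECORD_START.split(text):
        chunk = chunk.strip()
        if chunk:
            yield chunk


def parse_record(record):
    """Parse one record of the 'squid' logformat:
    time elapsed client result/status bytes method URL ident hierarchy/peer type
    """
    fields = record.split()
    if len(fields) < 10:
        raise ValueError("short record: %r" % record)
    result_code, status = fields[3].split("/", 1)
    hierarchy, _, peer = fields[8].partition("/")
    entry = {
        "time": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "result": result_code,
        "status": int(status),
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "hierarchy": hierarchy,
        "peer": peer,
        "port": None,
    }
    # For CONNECT the URL is "host:port"; that port is what the
    # allowedPorts ACL is evaluated against.
    if entry["method"] == "CONNECT":
        _, _, port = entry["url"].rpartition(":")
        if port.isdigit():
            entry["port"] = int(port)
    return entry


def classify_connect(entry, allowed_ports=ALLOWED_PORTS):
    """Label a record the way a defender reviewing this log would."""
    if entry["method"] != "CONNECT":
        return "not_a_tunnel"
    if entry["port"] not in allowed_ports:
        # 'deny CONNECT !allowedPorts' should answer these with 403.
        # Anything else here means the port allow-list is not enforced.
        if entry["status"] == 403:
            return "blocked_port"
        return "UNEXPECTED_port_not_enforced"
    if entry["status"] == 200:
        return "tunnel_established"
    # Port is allowed but no tunnel was built.  HIER_NONE/- records no
    # upstream server for the request, so the failure happened before
    # Squid reached the destination.
    if entry["hierarchy"] == "HIER_NONE":
        return "tunnel_failed_no_upstream"
    return "tunnel_failed"


def report(text):
    """Map each request URL to its label; also returns a label summary."""
    labels = {}
    for record in split_records(text):
        entry = parse_record(record)
        labels[entry["url"]] = classify_connect(entry)
    return labels, Counter(labels.values())


if __name__ == "__main__":
    labels, summary = report(SAMPLE_LOG)
    for url, label in labels.items():
        print("%-40s %s" % (url, label))
    print(dict(summary))
```

Run against a real access.log the same way (read the file instead of SAMPLE_LOG); a "tunnel_failed_no_upstream" next to a "tunnel_established" for the same host, as in the thread, tells you the http_access rules passed the request and the problem lies in what happens after the ACL check, which is the distinction the "check your access log" advice above is getting at.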