[squid-users] SSL/SSH/SFTP/FTPS to alternate ports

Ron Wheeler rwheeler at artifact-software.com
Sun Oct 12 16:18:12 UTC 2014


On 12/10/2014 11:33 AM, Timothy Spear wrote:
> B,
>
> I was going to attach the logs, but I now feel like an idiot. :D
> The jump box I am running Squid on, currently only allows 80 and 443 
> outbound. I recalled this when I went to scp the log files and the 
> connection was refused....
> I detest overlooking things like this. Sometimes, you really need to 
> question any assumptions.

You are not alone! "Sometimes"->"Always"

>
> Tim
>
> On Oct 12, 2014, at 11:11 AM, crazy world <crazyworld at outlook.com> wrote:
>
>> Do you have the log for the connection when you can't access? Other 
>> than 22 and 443 as you said.
>>
>> Thanks,
>>
>> -B
>>
>> ------------------------------------------------------------------------
>> Subject: Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
>> From: n614cd at gmail.com
>> Date: Sun, 12 Oct 2014 10:49:05 -0400
>> CC: n614cd at gmail.com; squid-users at lists.squid-cache.org
>> To: crazyworld at outlook.com
>>
>> Here is the access log. I should have included it in the original 
>> post. This is accessing a test machine I setup to hit SSH on 22 and 
>> 443. I can also hit HTTPS on multiple other ports.
>>
>> 1413125068.706     87 10.110.98.21 TCP_MISS/503 0 CONNECT XXX.XXXX.com:22 - HIER_NONE/- -
>> 1413125086.496   8061 10.110.98.21 TCP_MISS/200 3657 CONNECT XXX.XXXX.com:443 - HIER_DIRECT/54.68.15.208 -
>>
>> Yes, my intent in the rule set is to provide a list of allowed ports 
>> and sites.
>>
>> Tim
>>
>> On Oct 11, 2014, at 11:37 PM, B <crazyworld at outlook.com> wrote:
>>
>>     check out your access log seeing what it says. Sounds like you
>>     are looking for an AFW from squid. The ports themselves are
>>     defined. You need to make sure the other ports are opened.
>>
>>     Your rule tells squid to block the non-allowed sites to the
>>     non-allowed ports. Still sounds like FW function, but with the
>>     domain feature only.
>>
>>     -B
>>     On 10/12/2014 7:48 AM, Timothy Spear wrote:
>>
>>         Hello,
>>
>>         Here is the issue:
>>         I can proxy through Squid just fine to HTTP and HTTPS. I can
>>         also run SSH via Corkscrew to a SSH server running on port
>>         443 and it works fine.
>>         What I cannot do, is access HTTPS or SSH on any other port
>>         except 443. I have lost track of the number of things I have
>>         tried so any help will be appreciated and I feel like I am
>>         missing something simple.
>>         OS: Ubuntu 14.04.1 LTS
>>         Squid: 3.3.8-1ubuntu6.1
>>
>>         Here is my current Squid 3 configuration:
>>
>>
>>         debug_options all,3
>>
>>         # local network we proxy for
>>         acl localnet src 10.110.98.0/24
>>
>>         # what ports can be the destination
>>         acl allowedPorts port 21
>>         acl allowedPorts port 22
>>         acl allowedPorts port 2222
>>         acl allowedPorts port 80
>>         acl allowedPorts port 443
>>         acl allowedPorts port 8443
>>
>>         acl CONNECT method CONNECT
>>
>>         # determine the available sites
>>         acl allowedSites dstdomain "/etc/squid3/allowed-sites.squid"
>>
>>         # now block anything not on the localnet or ports
>>         http_access deny !localnet
>>
>>         # allow connect only for approved ports
>>         http_access deny CONNECT !allowedPorts
>>
>>         # now only allow to the specific sites
>>         http_access allow localnet allowedSites allowedPorts
>>
>>         http_port 3128
>>         access_log /var/log/squid3/access.log squid
>>         hosts_file /etc/hosts
>>
>>
>>         Background (just FYI):
>>         I am trying to setup Squid to control network access from a
>>         local subnet to a select number of domains. I do not need to
>>         bump the encrypted traffic and play man in the middle, I just
>>         need to prevent the servers on the local network from
>>         accessing unauthorized networks. Yes, I know I can do this in
>>         the Firewall, but that is IP based and I am dealing with
>>         enough other companies that maintaining the IP list has
>>         become a major pain. Instead I want to use domains, which I
>>         can do in Squid.
>>
>>         Thanks,
>>
>>         Tim
>>
>>
>>         _______________________________________________
>>         squid-users mailing list
>>         squid-users at lists.squid-cache.org
>>         http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
>


-- 
Ron Wheeler
President
Artifact Software Inc
email: rwheeler at artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
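The thread turns on reading the access log correctly: a CONNECT that Squid's http_access rules refuse is logged as TCP_DENIED/403, while the quoted `TCP_MISS/503 ... HIER_NONE/-` means the ACLs passed and the proxy itself could not open the outbound TCP connection, which is exactly what an outbound firewall on the proxy host produces. The script below is an added example (not code from the thread or from the Squid project) that triages CONNECT entries in Squid's native access.log format into those two cases. The sample lines are constructed: two mirror the entries quoted above, the others are invented to show a proxy-side denial and a second filtered port; the function names are this example's own.

```python
"""Triage Squid CONNECT entries: proxy ACL denial vs. upstream unreachable.

Assumes the native Squid access.log format:
  timestamp elapsed client code/status bytes method url user hier/peer type
"""
from collections import Counter

# Constructed sample log. Lines 1-2 mirror the thread's quoted entries; the
# 8443 line and the TCP_DENIED line are invented for contrast.
SAMPLE_LOG = """\
1413125068.706     87 10.110.98.21 TCP_MISS/503 0 CONNECT xxx.xxxx.com:22 - HIER_NONE/- -
1413125086.496   8061 10.110.98.21 TCP_MISS/200 3657 CONNECT xxx.xxxx.com:443 - HIER_DIRECT/54.68.15.208 -
1413125101.004     92 10.110.98.21 TCP_MISS/503 0 CONNECT xxx.xxxx.com:8443 - HIER_NONE/- -
1413125110.311      0 10.110.98.21 TCP_DENIED/403 3632 CONNECT other.example.com:443 - HIER_NONE/- text/html
"""


def parse_line(line):
    """Parse one native-format access.log line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    code, _, status = fields[3].partition("/")
    hier, _, peer = fields[8].partition("/")
    method, url = fields[5], fields[6]
    # CONNECT targets are logged as host:port; other methods carry a full URL.
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
    else:
        host, port = url, ""
    return {
        "timestamp": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "code": code,
        "status": int(status),
        "bytes": int(fields[4]),
        "method": method,
        "host": host,
        "port": int(port) if port else None,
        "hier": hier,
        "peer": peer,
    }


def classify(entry):
    """Map a parsed entry to a triage category."""
    if entry["code"] == "TCP_DENIED" or entry["status"] == 403:
        return "denied_by_proxy_acl"     # an http_access rule refused the request
    if entry["status"] == 503 and entry["hier"] == "HIER_NONE":
        return "upstream_unreachable"    # ACLs passed; no TCP connection to the target was made
    if 200 <= entry["status"] < 400 and entry["hier"] != "HIER_NONE":
        return "ok"                      # tunnel established via the logged peer
    return "other"


def summarize(log_text):
    """Count CONNECT entries as {(destination_port, category): n}."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "CONNECT":
            counts[(entry["port"], classify(entry))] += 1
    return counts


def ports_blocked_upstream(log_text):
    """Ports for which every CONNECT attempt ended 503/HIER_NONE.

    That pattern points at filtering between the proxy host and the
    destination (or at name resolution), not at Squid's own ACLs."""
    categories_by_port = {}
    for (port, category), _ in summarize(log_text).items():
        categories_by_port.setdefault(port, set()).add(category)
    return sorted(p for p, cats in categories_by_port.items()
                  if cats == {"upstream_unreachable"})


if __name__ == "__main__":
    for (port, category), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"port {port:<5} {category:<22} {n}")
    print("ports blocked beyond the proxy:", ports_blocked_upstream(SAMPLE_LOG))
```

Run against a real access.log by passing the file contents instead of `SAMPLE_LOG`. On the constructed sample, ports 22 and 8443 come back as blocked beyond the proxy, 443 shows one successful tunnel and one proxy-side denial, which is the split that tells a Squid ACL problem apart from the outbound firewall rule the thread ended up finding.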
