[squid-users] Configuring squid to work as an HTTPS proxy
Amos Jeffries
squid3 at treenet.co.nz
Mon Jun 20 15:34:02 UTC 2016
On 21/06/2016 2:02 a.m., Jobin George wrote:
> Hi,
>
> I am trying to setup squid3 as an HTTPS proxy using the tutorial given [here][1]. I have properly setup the proxy settings in my browser and when I try to hit **HTTP** web sites, I am able to connect successfully. However, I keep getting a "Connection timed out error" whenever I hit an **HTTPS** protocol web site and the following error in my `/var/log/squid3/cache.log`:
>
> 2016/06/20 19:12:47| NF getsockopt(SO_ORIGINAL_DST) failed on local=<local_ip_address>:3129 remote=<remote_ip_address>:55209 FD 8 flags=33: (92) Protocol not available
>
This error is about misconfigured NAT.
For an interception proxy you MUST do the NAT on the same machine Squid is
running on. *route* the packets to that machine, do not NAT or "port
forward" them.
<http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
> Here is my /etc/squid3/squid.conf file (commented lines removed for brevity):
>
> --------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
> auth_param basic casesensitive off
> auth_param basic credentialsttl 2 hours
>
> acl user_auth proxy_auth REQUIRED
>
> http_access allow user_auth
>
Authentication and interception are mutually exclusive features.
>
> http_access allow localhost
> http_access allow all
What is the point of authenticating if clients that passed garbage
credentials and failed authentication are allowed to use the proxy anyway?
> http_port 3127
If your browser is configured to use Squid as its HTTP proxy then the
traffic will be going in through this port, which has no ssl-bump
options telling Squid to bump the HTTPS CONNECT messages.
>
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/example.com.private cert=/etc/squid3/example.com.cert
>
> ssl_bump server-first all
> sslproxy_flags DONT_VERIFY_PEER
Remove the "DONT_VERIFY_PEER".
> sslproxy_cert_error deny all
That is the default setting for cert error handling. Remove the above line.
>
> always_direct allow all
>
That has not been needed with bumping since Squid-3.1. Remove the above.
Amos
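The points above, collected into a forward (explicit) proxy configuration with authentication and bumping on the port the browser is actually pointed at. This is an added example, not a configuration from the thread or from the Squid project; the sslcrtd_program path and the /var/lib/ssl_db cache directory are assumptions and differ between distributions.

```conf
# Explicit forward proxy: the browser is configured to use port 3127.
# No intercept port, so no NAT/redirect rules are required on this host.

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
auth_param basic casesensitive off
auth_param basic credentialsttl 2 hours

acl user_auth proxy_auth REQUIRED

# Order matters: anything that is not localhost or an authenticated
# user is denied, instead of the "allow all" that made auth pointless.
http_access allow localhost
http_access allow user_auth
http_access deny all

# The ssl-bump options belong on the port the browser sends CONNECT
# requests to, so HTTPS is bumped here rather than on an intercept port.
http_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/example.com.cert key=/etc/squid3/example.com.private

# Helper that mints the per-site certificates (assumed path and cache dir).
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

ssl_bump server-first all

# Dropped relative to the original file: the https_port ... intercept line,
# sslproxy_flags DONT_VERIFY_PEER (server certificates are verified),
# sslproxy_cert_error deny all (already the default), and
# always_direct allow all (not needed for bumping since Squid-3.1).
```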