[squid-users] Configuring squid to work as an HTTPS proxy

Amos Jeffries squid3 at treenet.co.nz
Mon Jun 20 15:34:02 UTC 2016


On 21/06/2016 2:02 a.m., Jobin George wrote:
> Hi,
> 
> I am trying to setup squid3 as an HTTPS proxy using the tutorial given [here][1]. I have properly setup the proxy settings in my browser and when I try to hit **HTTP** web sites, I am able to connect successfully. However, I keep getting a "Connection timed out error" whenever I hit an **HTTPS** protocol web site and the following error in my `/var/log/squid3/cache.log`:
> 
>     2016/06/20 19:12:47|  NF getsockopt(SO_ORIGINAL_DST) failed on local=<local_ip_address>:3129 remote=<remote_ip_address>:55209 FD 8 flags=33: (92) Protocol not available
> 

This error is about misconfigured NAT.

For an interception proxy you MUST do the NAT on the same machine Squid is
running on. *Route* the packets to that machine; do not NAT or "port
forward" them.

<http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>


> Here is my /etc/squid3/squid.conf file (commented lines removed for brevity):
> 
> --------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
>     auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
>     auth_param basic casesensitive off
>     auth_param basic credentialsttl 2 hours
> 
>     acl user_auth proxy_auth REQUIRED
> 
>     http_access allow user_auth
> 

Authentication and interception are mutually exclusive features.


> 
>     http_access allow localhost
>     http_access allow all

What is the point of authenticating if clients that passed garbage
credentials and failed authentication are allowed to use the proxy anyway?


>     http_port 3127

If your browser is configured to use Squid as its HTTP proxy then the
traffic will be going in through this port, which has no ssl-bump
options telling Squid to bump the HTTPS CONNECT messages.


> 
>     https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/example.com.private cert=/etc/squid3/example.com.cert
> 
>     ssl_bump server-first all
>     sslproxy_flags DONT_VERIFY_PEER

Remove the "DONT_VERIFY_PEER".


>     sslproxy_cert_error deny all

That is the default setting for cert error handling. Remove the above line.


> 
>     always_direct allow all
> 

That has not been needed with bumping since Squid-3.1. Remove the above.

Amos
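As an added illustration (not part of the thread and not Amos's own text), here is the quoted squid.conf rewritten with the points from the reply applied, assuming the goal is an explicit, browser-configured proxy with authentication rather than interception; the cert, key and passwd paths are taken from the quoted config, and 3127 is the port the browser already points at:

```conf
# Explicit (forward) proxy port: the browser sends CONNECT here, so the
# ssl-bump options belong on this port, not on an intercept port.
# Assumed to replace both the plain "http_port 3127" and the
# "https_port 3129 intercept ..." line from the quoted config.
http_port 3127 ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid3/example.com.cert \
    key=/etc/squid3/example.com.private

# Authentication stays (no interception, so the two no longer conflict).
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /usr/etc/passwd
auth_param basic casesensitive off
auth_param basic credentialsttl 2 hours
acl user_auth proxy_auth REQUIRED

# Failed credentials must NOT fall through to "allow all": deny anything
# that did not authenticate, then allow what did, and end with deny all.
http_access allow localhost
http_access deny !user_auth
http_access allow user_auth
http_access deny all

# Bump the CONNECT tunnels arriving on http_port 3127.
ssl_bump server-first all

# Removed per the reply:
#   sslproxy_flags DONT_VERIFY_PEER   (keeps upstream certificate checks on)
#   sslproxy_cert_error deny all      (already the default)
#   always_direct allow all           (not needed for bumping since 3.1)
```

With this layout the cache.log SO_ORIGINAL_DST error goes away because no intercept port is in use; if interception is really wanted instead, the NAT redirect must run on the Squid host itself and the auth_param/proxy_auth lines have to go.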


