[squid-users] Cannot access https site

Vieri rentorbuy at yahoo.com
Mon May 15 15:53:50 UTC 2017


Hi,

My goal is to set up Squid so it can act as a transparent proxy for local clients browsing the web. It should "deny all" except traffic to the destination domains included in an ACL file.

This is my squid config:

http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem

acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range

acl intercepted myportname 3129
acl interceptedssl myportname 3130

acl allowed_domains dstdomain "/usr/local/share/proxy-settings/allowed.domains"

http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny !allowed_domains
http_access allow localnet

sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 10
ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
always_direct allow all

The ACL file allowed.domains contains:
.squid-cache.org
.stackexchange.com

When a client in localnet tries to access http://www.squid-cache.org, everything works fine, as expected.

However, when the same client tries to access https://stackexchange.com, the first Squid error page says that access is denied to https://151.101.1.69/* (that's one of stackexchange's IP addresses).
How can I avoid this?

If I add 151.101.1.69 to allowed.domains, I get a Squid SSL handshake error page with https://*.stackexchange.com/* (bad write retry).

What am I doing wrong?

Also, would I have performance issues if the "allowed.domains" ACL file becomes very big over time?

Thanks,

Vieri
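Editor's note, with an added configuration example that is not part of Vieri's post. The symptom in the post (access denied to https://151.101.1.69/*) is what an intercepted TLS connection looks like to http_access at SSL-Bump step 1: Squid has only the TCP destination of the intercepted connection, so the fake CONNECT it evaluates carries the server IP, not a hostname, and a dstdomain ACL cannot match it. The hostname (from the SNI extension of the client's ClientHello) is only available from step 2 onward, and the real URLs only on the bumped requests after that. The example below keeps the post's port names, ACL names and file paths and adds one `at_step` ACL plus one http_access line so the domain check is applied once the hostname is known. The `sslproxy_cert_error allow all` line from the post is left out on purpose: it makes Squid accept server certificates that fail validation, which defeats one of the few protections a bumping proxy can still offer its clients. Whether the step-2 re-evaluation fully covers your policy should be verified with access.log on your own Squid version; that behaviour is an assumption of this example, not something the post confirms.

```conf
# Added example, not the configuration from the post. Squid 3.5-style syntax.
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem

acl localnet src 10.0.0.0/8      # RFC1918 possible internal network
acl localnet src 192.168.0.0/16  # RFC1918 possible internal network
acl localnet src fc00::/7        # RFC 4193 local private network range

acl intercepted myportname 3129
acl interceptedssl myportname 3130

acl allowed_domains dstdomain "/usr/local/share/proxy-settings/allowed.domains"

# SslBump1: only the TCP tuple is known, so the fake CONNECT's host is the
# destination IP (151.101.1.69 in the post). No hostname exists yet.
acl step1 at_step SslBump1

http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

# Let the step-1 fake CONNECT through so Squid can read the ClientHello and
# learn the SNI. Nothing is forwarded to the origin server at this point;
# the domain policy below is still applied to everything that follows.
http_access allow interceptedssl step1

# From step 2 on the fake CONNECT carries the SNI hostname, and the bumped
# HTTP requests carry the real Host/URL, so dstdomain can match.
http_access deny !allowed_domains
http_access allow localnet
http_access deny all

sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 10

# stare at steps 1 and 2 (read ClientHello, fetch the real server certificate
# with Squid's own handshake), then bump at step 3 mimicking that certificate.
ssl_bump stare all
ssl_bump bump all

# Deliberately omitted: sslproxy_cert_error allow all
always_direct allow all
```

A quick check after reloading: `tail -f /var/log/squid/access.log` while a client opens https://stackexchange.com should show a CONNECT line for the IP at step 1, a CONNECT line for stackexchange.com at step 2, and then the bumped GET lines; if the IP CONNECT is still denied, the `allow interceptedssl step1` line is not being reached, usually because an earlier deny matches it.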


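Added illustration, not code from the post or from the Squid project: a minimal TLS ClientHello builder and SNI extractor, plus a dstdomain-style matcher, used to show what an intercepting proxy can evaluate at step 1 (destination IP only) versus step 2 (the SNI hostname), against the two entries from the post's allowed.domains file. The ClientHello bytes are constructed in the script; the host names and the IP are the ones in the post. Squid's reverse-DNS fallback for IP-based destinations is not modelled here, and treating a numeric entry as an exact-match string is an assumption.

```python
"""Added example: what http_access can see at SslBump1 vs SslBump2.

Step 1: only the intercepted TCP tuple is known -> host is the server IP.
Step 2: after reading the ClientHello -> host is the SNI name, if any.
"""
import struct

# Entries from the post's allowed.domains file (leading dot = name or any subdomain)
ALLOWED_DOMAINS = [".squid-cache.org", ".stackexchange.com"]


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list  # ext type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32            # client_version + random
            + b"\x00"                             # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00")                        # compression methods: null
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake


def sni_from_client_hello(record: bytes):
    """Return the server_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version + random
    sid_len = body[pos]; pos += 1 + sid_len        # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if etype == 0x0000:                        # server_name extension
            name_len = struct.unpack("!H", edata[3:5])[0]   # list_len(2) type(1) len(2)
            return edata[5:5 + name_len].decode("ascii")
    return None


def dstdomain_match(acl_entries, host) -> bool:
    """dstdomain semantics: '.example.com' matches example.com and any subdomain,
    a bare entry matches only that exact string (assumption: IPs are compared
    literally; Squid's reverse-lookup fallback is not modelled)."""
    h = host.lower().rstrip(".")
    for e in acl_entries:
        e = e.lower()
        if h == e or (e.startswith(".") and (h == e[1:] or h.endswith(e))):
            return True
    return False


def acl_view_per_step(dst_ip, client_hello, acl=ALLOWED_DOMAINS):
    """Host visible to http_access at each SSL-Bump step and whether the
    allowed_domains ACL would match it."""
    step1_host = dst_ip                                       # nothing read yet
    step2_host = sni_from_client_hello(client_hello) or dst_ip  # SNI known now
    return {
        "step1": (step1_host, dstdomain_match(acl, step1_host)),
        "step2": (step2_host, dstdomain_match(acl, step2_host)),
    }


if __name__ == "__main__":
    hello = build_client_hello("stackexchange.com")
    for step, (host, ok) in acl_view_per_step("151.101.1.69", hello).items():
        print(f"{step}: host={host} allowed_domains={'match' if ok else 'no match'}")
```

The step-1 view is exactly the post's first error page: the only "domain" available is 151.101.1.69, and a dotted domain entry cannot match it. Note also what the matcher does with a client that sends no SNI at all: step 2 still only has the IP, so such clients stay blocked by a domain-only policy, which is the conservative outcome.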