[squid-users] Problems with HTTPS on Squid

Marcio B. marciobacci at gmail.com
Mon Jul 12 18:12:03 UTC 2021


I have the following problem on my Squid 4.6 on Debian 10.

Squid does not show the user the error page when it blocks an HTTPS URL;
for HTTP URLs the error page is shown correctly.

I don't use a transparent (intercepting) proxy. The proxy is configured
manually in the web browser.

Here is my squid.conf configuration file:

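# Listening port. No address is given, so Squid binds every interface; if this
# host has an interface outside the LAN, consider `http_port <lan-ip>:3128`.
http_port 3128

### Memory / disk cache sizing
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95

maximum_object_size 512 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 128 KB

### Logs
access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

### Error page templates (Brazilian Portuguese) and admin contact
error_directory /usr/share/squid/errors/pt-br
# The list archive appears to have rewritten "@" as " at " (as in the post
# header); cache_mgr needs a real address.
cache_mgr rede@empresa.com.br

### Replacement policies
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA

fqdncache_size 1024

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .                 0     20%     4320

# Prefer IPv4 DNS answers over IPv6 ones
dns_v4_first on

# aufs store: 600 MB, 16 first-level and 256 second-level directories
cache_dir aufs /var/spool/squid 600 16 256

# NOTE(review): the double quotes are unusual for visible_hostname; confirm
# Squid strips them (check the Via header or `squidclient mgr:info`) or drop them.
visible_hostname "Monitoramento-de-Acesso-a-Internet"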

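### ACLs
acl SSL_ports  port 443
acl Safe_ports port 21           # ftp
acl Safe_ports port 70           # gopher
acl Safe_ports port 80           # http
acl Safe_ports port 88           # kerberos
acl Safe_ports port 123          # ntp
acl Safe_ports port 210          # wais
acl Safe_ports port 280          # http-mgmt
acl Safe_ports port 3456         # Siafi
acl Safe_ports port 389          # ldap
acl Safe_ports port 443          # https
acl Safe_ports port 488          # gss-http
acl Safe_ports port 563          # snews
acl Safe_ports port 591          # filemaker
acl Safe_ports port 777          # multiling http
acl Safe_ports port 3001         # imprensa nacional
acl Safe_ports port 8080         # http-alt
acl Safe_ports port 8443         # https-alt (not in SSL_ports, so CONNECT to it is denied below)
acl Safe_ports port 1025-65535   # unregistered ports
acl CONNECT method CONNECT

# Domains to block, one per line (dstdomain also matches the host of a CONNECT).
acl sistemas-bloqueados dstdomain "/etc/squid/acls/sistemas-bloqueados"

## Authentication: Negotiate (Kerberos, falling back to NTLM) and raw NTLM.
## The helper command lines were wrapped by the mail client; in squid.conf each
## `auth_param ... program` directive must be a single line.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --use-cached-creds --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 200 startup=15 idle=5
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 110 startup=5 idle=5
auth_param ntlm keep_alive on
# NOTE(review): no `auth_param basic program` is configured, so this realm is
# never offered to clients; drop it, or add the helper if Basic auth is wanted.
auth_param basic realm "Squid Proxy"

# Clients must present valid credentials
acl ntlm_users proxy_auth REQUIRED

### LAN range
acl rede_usuarios src 192.168.0.0/16

### Access control
# http_access is evaluated top-down and stops at the first match. In the
# original file `http_access deny all` came before the Safe_ports, CONNECT,
# localhost and LAN rules, so none of them ever ran — an authenticated user
# could CONNECT to any port. The rules are now in Squid's recommended order.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# `manager` is a built-in ACL since Squid 3.2; keep cachemgr local only.
http_access allow localhost manager
http_access deny manager

# The blocklist is checked before authentication, so blocked sites are refused
# even to clients that never authenticate.
# NOTE(review): for an HTTPS URL the browser sends `CONNECT host:443`; a deny
# here answers that CONNECT with a 403 and the browser renders ITS OWN error
# page, ignoring the body Squid sends. Showing the error_directory page for
# HTTPS needs ssl_bump with a CA certificate trusted by the clients, which this
# file does not configure — that is the likely reason the pt-br page appears
# only for plain HTTP. Confirm before adding ssl_bump.
http_access deny sistemas-bloqueados

http_access allow localhost
# Only authenticated users may browse. To additionally restrict browsing to the
# LAN, change this to `http_access allow rede_usuarios ntlm_users`.
http_access allow ntlm_users
http_access deny all

# Allow all replies back to clients
http_reply_access allow all

#cache_effective_user proxy
coredump_dir /var/spool/squid

# SquidGuard URL rewriter.
# `redirector_bypass on` lets a request through UNFILTERED whenever every helper
# is busy; set it to `off` if filtering must never be skipped. (The Squid 4
# name is url_rewrite_bypass — confirm the old alias is still accepted on
# this build.)
url_rewrite_program /usr/bin/squidGuard
redirector_bypass on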


As I don't use a transparent proxy, is it necessary to create an SSL
certificate for my proxy server?

Can anybody help me?

Regards,

Márcio Bacci

