Re: [squid-users] proxy.pac vs manual proxy + LiveLink

From: Deb <deb@dont-contact.us>
Date: Fri, 9 Aug 2002 09:25:34 -0700

Up front I'd like to ask if someone could tell me what the
relevant portions of squid.conf would be to post to the list
to aid in figuring out this problem.

Donovan Baarda <abo@minkirri.apana.org.au> had this to say,
> Most clients have the ability to set http, ssl, ftp, and socks proxies. The
> ssl proxy setting is what is used for https urls.
>
> Try manually setting a client to use your proxy as its ssl proxy. I bet you
> get the same result you are currently getting for using the proxy.pac.
>
> I think your proxy.pac above specifies your proxy for all requests, including
> https requests. It looks like the livelink site does not like its https
> connections going through a proxy,

The ACL in squid.conf should be taking care of this. Any other
site using https:// works perfectly with this proxy.pac, just the
livelink site isn't working.

> > >or perhaps you have some firewall problem
> > > preventing the proxy from using ssl properly.

No, there's no problem there.

> However, I'm not sure that you want or need to make _all_ https traffic go
> direct. It sounds like only that particular https url is causing you grief,
> and other https urls work fine. Perhaps you should check some other https
> urls to see if they are also broken.
> If they are all broken, then I would be suspecting something about the proxy
> is busted for https. Perhaps the host it is running on has port 443
> firewalled?

See above - all other https traffic works fine, using the
ACL in squid.conf, I believe. This traffic is logged as might
be expected. Livelink uses port 443, as output of netstat verified,
so it's not a weird port specification.

> If it is just that particular https url, then I suspect that the particular
> url is doing something strange, like attempting to make another connection
> back to the originating host on a different port. Strangenesses like this
> are a total PITA, and I would be tempted to tell the clients that the site
> they are attempting to access is busted, please complain to them.

I'll give this a closer look...

> If you absolutely must allow access to that https url, then you have two
> options; make all https requests go direct, or make a special case out of
> them. The manual way to make a special case is to include the site in the
> "No Proxy for". I have no idea what the proxy.pac way to do this is, but you
> can probably figure it out.

I'd not like to go DIRECT. I need https traffic to be directed from
the proxy out to the Internet - we have a viruswall filter between
squid and the outside server. The https transfers are just not cached,
but they need to be directed via the proxy.

Any other ideas?

Thanks,

deb

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
          There are 10 types of people in the world:
      those that understand binary, and those that don't.
Received on Fri Aug 09 2002 - 10:25:38 MDT
