Re: [squid-users] Clients cannot access HTTPS sites (ISA as parent Peer)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 09 Mar 2010 01:59:49 +1300

GIGO . wrote:
> In our setup ISA is being used as parent peer. The problem is that clients cannot browse https Sites.(All http/ftp sites works fine)
>
> OS =Ubuntu 8.04
> Squid3 is installed
>

I am extremely surprised your clients have access to HTTP and FTP at all.

Your configuration is seriously screwed and permits HTTPS but blocks
HTTP and FTP.

I think you need to read over the FAQ about access controls and how they
work. http://wiki.squid-cache.org/SquidFaq/SquidAcl

Take note in particular of the sections about ordering, along with the
AND/OR logic and common mistakes.

> My Squid.conf File:
>
> visible_hostname 10.1.82.53

That is supposed to be a host domain name. It's publicly visible and IPs
in the 10.0.0.0/8 network are not unique.

> cache_peer ISASERVER parent 8080 0 default no-digest no-query
> http_port 10.1.82.53:3128
> never_direct allow all
> #Recommended minimum configuration:
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl localnet src 10.1.82.0/255.255.255.0, 10.1.245.0/255.255.255.0

"," is not valid.

That line should be:
   acl localnet src 10.1.82.0/24 10.1.245.0/24

> acl SSL_ports port 443 #https
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow localhost localnet to_localhost SSL_ports Safe_ports
> http_access allow CONNECT Safe_ports SSL_ports
> http_access deny !Safe_ports !SSL_ports
> http_access deny all

Please erase all those http_access lines and use the ones below.

>
> I am stuck up with it and your assistance would be really valuable.
>
> Thanks in advance
>
> Regards,
>
> Bilal Aslam

The default rules we provide for Squid allow the localnet network and the
local machine Squid is running on full access to the HTTPS, HTTP, FTP,
Gopher, and WAIS protocols, and also to connect to any web server hosted on
a port above 1024 if it needs to (websites strangely hosted on 8080 etc).

Those defaults are:
   http_access deny !Safe_ports
   http_access deny CONNECT !SSL_ports
   http_access allow localnet
   http_access allow localhost
   http_access deny all

The single line "never_direct allow all" is forcing every single request
to be relayed through your ISA server.
Your ISA may not be configured to accept the CONNECT requests.

You have two choices:
  1) make ISA handle the CONNECT requests Squid passes on from your clients.
  2) add "never_direct deny CONNECT" above the "never_direct allow all"
to permit Squid to make HTTPS connections outward itself.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE24
   Current Beta Squid 3.1.0.17
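Added example, not part of the thread above: a small Python model of the access-list evaluation Amos describes (first matching line wins; the ACLs on one line are ANDed; `!` negates one ACL; several `acl NAME` lines with the same name OR their values; the built-in `all` matches everything; with no match the result is the opposite of the last line's action). It runs the poster's http_access/never_direct lines and the defaults Amos recommends over a few constructed requests. Assumptions: only the `src`, `dst`, `port` and `method` ACL types that appear in the post are modelled, the `localnet` line is taken in the corrected form without the comma, and the client/server addresses in the sample requests are invented. It goes slightly beyond the thread by also evaluating a request from a client outside localnet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example: the ACL definitions from the post, with the
# localnet line written the way Amos corrected it (no comma). Squid ORs the
# values of repeated 'acl NAME ...' lines, so Safe_ports is split in two.
ACL_DEFS = """
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.1.82.0/24 10.1.245.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210
acl Safe_ports port 1025-65535 280 488 591 777
acl CONNECT method CONNECT
"""

# The poster's access lines, as quoted in the thread.
POSTER_RULES = ACL_DEFS + """
http_access allow localhost localnet to_localhost SSL_ports Safe_ports
http_access allow CONNECT Safe_ports SSL_ports
http_access deny !Safe_ports !SSL_ports
http_access deny all
never_direct allow all
"""

# Amos's defaults plus his option 2 for never_direct.
FIXED_RULES = ACL_DEFS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
never_direct deny CONNECT
never_direct allow all
"""


@dataclass
class Request:
    src: str      # client IP
    dst: str      # server IP (only consulted by 'dst' ACLs)
    port: int     # destination port
    method: str   # HTTP method, e.g. GET or CONNECT


def parse_config(text):
    """Return (acls, lists): acls maps name -> (type, values);
    lists maps directive -> [(action, [terms])] in file order."""
    acls = {}
    lists = {"http_access": [], "never_direct": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)  # OR across lines
        elif parts[0] in lists:
            lists[parts[0]].append((parts[1], parts[2:]))
    return acls, lists


def acl_matches(acls, name, req):
    """Does one named ACL match the request? 'all' is Squid's built-in."""
    if name == "all":
        return True
    kind, values = acls[name]
    if kind in ("src", "dst"):
        ip = ipaddress.ip_address(req.src if kind == "src" else req.dst)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")        # single port or lo-hi range
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in (v.upper() for v in values)
    raise ValueError(f"ACL type {kind!r} not modelled here")


def evaluate(acls, rules, req):
    """First line whose terms ALL match decides; a leading '!' negates a
    term. With no match, Squid applies the opposite of the last line."""
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action
    if not rules:
        return "allow"
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config_text, req):
    """Evaluate every modelled access list for one request."""
    acls, lists = parse_config(config_text)
    return {name: evaluate(acls, rules, req) for name, rules in lists.items()}


if __name__ == "__main__":
    samples = {  # constructed requests; addresses are documentation ranges
        "HTTP from localnet": Request("10.1.82.10", "192.0.2.80", 80, "GET"),
        "FTP from localnet": Request("10.1.245.7", "192.0.2.21", 21, "GET"),
        "HTTPS CONNECT from localnet": Request("10.1.82.10", "192.0.2.44", 443, "CONNECT"),
        "HTTPS CONNECT from outside": Request("192.0.2.9", "192.0.2.44", 443, "CONNECT"),
    }
    for label, req in samples.items():
        print(f"{label:28s} poster={decide(POSTER_RULES, req)} "
              f"fixed={decide(FIXED_RULES, req)}")
```

Running it reproduces Amos's reading of the post: under the poster's lines the first `allow` never fires because `localhost` and `localnet` are ANDed and cannot both be true, so plain HTTP and FTP fall through to `deny all`, while `allow CONNECT Safe_ports SSL_ports` lets CONNECT-to-443 through. Because that second line names no source ACL it matches CONNECT 443 from any client, localnet or not, which the default ordering (`deny !Safe_ports`, `deny CONNECT !SSL_ports`, then `allow localnet`) closes. The `never_direct` column shows option 2: with `deny CONNECT` ahead of `allow all`, CONNECT requests may go direct and everything else is still forced through the ISA parent.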
Received on Mon Mar 08 2010 - 12:59:57 MST

This archive was generated by hypermail 2.2.0 : Mon Mar 08 2010 - 12:00:03 MST