[squid-users] squid reverse proxy with ssl: access denied

From: nick humphrey <nick.c.humphrey@dont-contact.us>
Date: Wed, 1 Nov 2006 16:24:09 +0100

hi everybody, there really isn't any good tutorial out there for this
subject (i'm trying to make one:
http://norgesinternettforum.no/showpost.php?p=2652&postcount=2)

so i'm asking here as a last resort.
here's my setup:
internet (where my users will come from)
intranet (our local network)

i have a weblogic server 8.1 (wl81machine) in our intranet running an
ssl/https site (we're testing out verisign ssl).

i also have installed squid 2.6 STABLE4 (with --enable-ssl) on debian
3 (deb3machine)

squid is acting as a reverse proxy to wl81machine, basically just
sending requests back and forth, no caching or anything, on port 8080.

when i try to access wl81machine from the internet i get an access
denied error and it shows the ip address to wl81machine without the
port:
"
while trying to retrieve the url: https://192.168.0.150
the following error was encountered:
access denied
...
"

i know this has got to be something wrong with my squid.conf:
#-----START---------
https_port 8080 cert=/usr/local/squid/etc/key.crt key=/usr/local/squid/etc/key.key defaultsite=192.168.0.150
sslproxy_flags DONT_VERIFY_PEER
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /usr/local/squid/var/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
#-----END---------

i don't need any http access, only https, so do i need those lines?
there are a couple of pages in google referring to https_access, but
they've got to be wrong because i can't find anything about
https_access anywhere in the documentation.

any ideas as to what i'm missing or doing wrong?
thanks in advance,
Nick
Received on Wed Nov 01 2006 - 08:24:21 MST
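For comparison, here is an added example of a Squid 2.6 accelerator (reverse proxy) configuration for the setup described above; it is not from the original post or from the Squid project. The peer name "wl81" and the acl name "our_sites" are my own choices, and the cert/key paths and origin address are taken from the post.

```conf
# Listen for HTTPS on 8080 in accelerator mode. The whole https_port
# directive must be on ONE line; a line-wrapped https_port is a syntax error.
https_port 8080 accel cert=/usr/local/squid/etc/key.crt key=/usr/local/squid/etc/key.key defaultsite=192.168.0.150

# The origin server (name "wl81" is assumed): re-encrypt to weblogic on 443.
# sslflags=DONT_VERIFY_PEER skips verification of the origin's certificate,
# which is tolerable on an isolated test LAN; for production remove it and
# point sslcafile= at the CA that signed the weblogic certificate so that a
# spoofed or misconfigured backend is rejected instead of silently accepted.
cache_peer 192.168.0.150 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=wl81

# Accept only requests for the published site; without this restriction an
# accelerator answering any Host header becomes an open proxy. Use dstdomain
# instead of dst once a public hostname replaces the bare IP address.
acl our_sites dst 192.168.0.150
http_access allow our_sites
cache_peer_access wl81 allow our_sites
cache_peer_access wl81 deny all

# Keep the original manager/Safe_ports/CONNECT rules, but the
# "http_access allow our_sites" line above must appear BEFORE
# "http_access deny all", otherwise every request is refused before the
# peer is consulted, which is exactly the "access denied" page seen here.
http_access deny all
```

The sslproxy_flags directive in the original file only governs Squid's own outbound SSL client connections, not the accelerator path, which is why the peer-level sslflags option is the one that matters here.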

This archive was generated by hypermail pre-2.1.9 : Fri Dec 01 2006 - 12:00:02 MST