[squid-users] Re: Too many loops with https

From: Ali Jawad <alijawad1_at_gmail.com>
Date: Tue, 18 Dec 2012 17:58:43 +0200

OK, I finally know what the problem is. I used tcpdump, and when I
make an SSL request, squid intercepts it and sends it as http to the
destination website. This causes the website to redirect to https, and
then squid in turn makes another http request. I made a few tests
with different sites and I am sure about this.

Any clues about what I did wrong to cause this? I did try with
https_port intercept and with ssl-bump + both.

Thanks!

On Tue, Dec 18, 2012 at 12:41 PM, Ali Jawad <alijawad1_at_gmail.com> wrote:
> Hi
> I am trying to set up a squid proxy with transparent https, but I am
> getting "Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many
> redirects." I am using the default CentOS installation with
> --enable-ssl "3.1". http is working fine; for https I get the ssl
> certificate error page and then the loop error. My config is pretty
> simple and I did try to change from intercept to sslbump and a
> combination of both, but none of that seems to make any
> difference. The problem is the same for all https sites.
>
> Please see the config below:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl trusted src all # internal IP from venet0:1 and ISP IP (Cable/DSL)
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow trusted
> http_access allow localhost
> http_access deny all
> http_port 0.0.0.0:3128
> http_port 0.0.0.0:8128 transparent
> https_port 0.0.0.0:8129 transparent ssl-bump intercept cert=/usr/local/squid/CA/servercert.pem key=/usr/local/squid/CA/serverkey.pem
> debug_options ALL,3
> coredump_dir /var/spool/squid3
> cache deny all
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> request_header_access Proxy-Connection deny all
> request_header_access X-Forwarded-For deny all
> request_header_access Connection deny all
> request_header_access Via deny all
> forwarded_for off
Received on Tue Dec 18 2012 - 15:59:10 MST
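
The loop described in this message (https request sent upstream as http, origin redirects back to https, repeat) can be confirmed from a capture summary. The following is an added example, not part of the original post and not Squid code; the per-hop tuple layout, the host name shop.example and the threshold of 3 are assumptions made for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed capture summary, one tuple per proxied request:
# (URL the client requested, URL the proxy sent upstream, status, Location)
LOOPING = [("https://shop.example/cart", "http://shop.example/cart", 301,
            "https://shop.example/cart")] * 4
HEALTHY = [
    ("http://shop.example/cart", "http://shop.example/cart", 301,
     "https://shop.example/cart"),
    ("https://shop.example/cart", "https://shop.example/cart", 200, None),
]

def resource(url):
    """Host, path and query of a URL, ignoring the scheme."""
    p = urlsplit(url)
    return (p.hostname, p.path or "/", p.query)

def is_downgrade_redirect(client_url, upstream_url, status, location):
    """True when an https request went upstream as http and the origin
    answered by redirecting back to the same https URL."""
    if status not in REDIRECTS or not location:
        return False
    return (urlsplit(client_url).scheme == "https"
            and urlsplit(upstream_url).scheme == "http"
            and urlsplit(location).scheme == "https"
            and resource(client_url) == resource(upstream_url) == resource(location))

def find_downgrade_loop(hops, threshold=3):
    """Return the first client URL seen `threshold` times in downgrade
    redirects, or None if no loop is present."""
    seen = {}
    for hop in hops:
        if is_downgrade_redirect(*hop):
            seen[hop[0]] = seen.get(hop[0], 0) + 1
            if seen[hop[0]] >= threshold:
                return hop[0]
    return None

if __name__ == "__main__":
    print("looping:", find_downgrade_loop(LOOPING))
    print("healthy:", find_downgrade_loop(HEALTHY))
```

A single http-to-https redirect from the origin is normal; the signal is the same https URL repeatedly going upstream as http.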
