Re: [squid-users] unbound and squid not resolving SSL sites

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 08 Aug 2014 21:46:37 +1200

On 8/08/2014 8:55 a.m., squid_at_proxyplayer.co.uk wrote:
> Current config below:
>
>>> In my network I have unbound redirecting some sites through the proxy
>>> server and checking authentication. If I redirect www.thisite.com it
>>> works correctly. However, as soon as SSL is used https://www.thissite.com
>>> it doesn't resolve at all. Any ideas what I have to do to enable SSL
>>> redirects in unbound or squid?
>>
>> Handle port 443 traffic and the encrypted traffic there.
>> You are only receiving port 80 traffic in this config file.
>
> I am already redirecting 443 traffic but the proxy won't pick it up.
> There is an SSL ports directive in the squid.conf so it should accept them?

You mean the SSL_Ports ACL? That only restricts HTTP "CONNECT" method
tunnel requests to the port(s) usually used by SSL.

It does nothing to receive and decrypt HTTPS in its native port 443
format, which is what you need to do, since your unbound server is
claiming that your Squid is the origin web server for that https://
traffic.

You are at least missing https_port and all the sslproxy_* directives
for outgoing HTTPS. You are also probably missing the TLS/SSL
certificate security keys, including any DNS entries for IPSEC, DNSSEC,
DANE, HSTS etc.

> For example, this line redirects all HTTP traffic but as soon as the
> browser wants an SSL connection, it is dropped:
> local-data: "anywhere.mysite.com. 600 IN A 109.xxx.xx.xxx"
> local-zone: "identity.mysite.com." redirect

Of course. Your Squid box is not listening on port 443 (HTTPS). By using
DNS in this way you are claiming that your 109.xxx.xx.xxx machine is
providing *all* services of that domain. Things naturally break when you
overlook one or more services your clients are using from it.

Amos
Received on Fri Aug 08 2014 - 09:46:54 MDT
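The check Amos makes by hand above (DNS says the proxy box is the origin for a zone, but Squid only has a port 80 listener) can be automated. The script below is an added example and is not code from the squid-users thread or from the Squid or unbound projects. It parses an unbound `local-zone ... redirect` / `local-data` fragment and a squid.conf fragment, and reports every redirected zone whose client-facing ports have no matching `http_port`/`https_port` listener, or an `https_port` with no `cert=` option (Squid will not serve TLS without a certificate). The two configs, the 192.0.2.10 address (RFC 5737 documentation range) and the certificate paths are constructed for illustration; the script inspects only the config text, not whether the process is actually bound or whether the certificate is valid for the redirected names.

```python
"""Cross-check unbound DNS redirects against Squid listeners.

Added example, not code from the squid-users thread. When unbound hands
out A records for a zone pointing at the proxy, the proxy is claiming to
be the origin for *every* service of that zone, so each port clients use
needs a matching Squid listener. The configs below are constructed samples.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed unbound fragment: two zones redirected to the proxy address.
UNBOUND_CONF = """
server:
    local-zone: "identity.mysite.com." redirect
    local-data: "identity.mysite.com. 600 IN A 192.0.2.10"
    local-zone: "anywhere.mysite.com." redirect
    local-data: "anywhere.mysite.com. 600 IN A 192.0.2.10"
"""

# Constructed squid.conf: listens on port 80 only, as in the thread.
SQUID_CONF_BROKEN = """
http_port 192.0.2.10:80 accel vhost
acl SSL_ports port 443
http_access deny CONNECT !SSL_ports
"""

# Same config plus an HTTPS listener; cert/key paths are placeholders.
SQUID_CONF_FIXED = SQUID_CONF_BROKEN + """
https_port 192.0.2.10:443 accel vhost cert=/etc/squid/mysite.pem key=/etc/squid/mysite.key
"""

# Squid directive that must exist for each port a browser will connect to.
PORT_DIRECTIVE = {80: "http_port", 443: "https_port"}


@dataclass
class Listener:
    directive: str            # "http_port" or "https_port"
    addr: Optional[str]       # None means "all local addresses"
    port: int
    options: dict = field(default_factory=dict)


def parse_unbound(text):
    """Return {zone: [addresses]} for every local-zone of type 'redirect'."""
    zones = {}
    for m in re.finditer(r'local-zone:\s*"([^"]+)"\s+(\S+)', text):
        name, ztype = m.group(1).lower(), m.group(2).lower()
        if ztype == "redirect":
            zones.setdefault(name, [])
    for m in re.finditer(r'local-data:\s*"([^"]+)"', text):
        tokens = m.group(1).split()          # name [ttl] [class] type rdata
        if len(tokens) >= 3 and tokens[-2].upper() in ("A", "AAAA"):
            owner = tokens[0].lower()
            if owner in zones:
                zones[owner].append(tokens[-1])
    return zones


def parse_squid_listeners(text):
    """Collect http_port/https_port lines as Listener objects."""
    listeners = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in PORT_DIRECTIVE.values():
            continue
        addr, _, port = parts[1].rpartition(":")   # "[addr:]port"
        opts = {}
        for opt in parts[2:]:
            key, eq, value = opt.partition("=")
            opts[key] = value if eq else True
        listeners.append(Listener(parts[0], addr or None, int(port), opts))
    return listeners


def audit(unbound_text, squid_text, client_ports=(80, 443)):
    """Return findings as strings; an empty list means every zone is covered."""
    findings = []
    listeners = parse_squid_listeners(squid_text)
    for zone, addrs in sorted(parse_unbound(unbound_text).items()):
        if not addrs:
            findings.append(f"{zone}: redirect zone has no local-data A/AAAA record")
            continue
        for port in client_ports:
            directive = PORT_DIRECTIVE.get(port)
            if directive is None:
                findings.append(f"{zone}: port {port} now points at the proxy, "
                                f"but Squid only serves HTTP/HTTPS")
                continue
            match = [l for l in listeners if l.directive == directive
                     and l.port == port and (l.addr is None or l.addr in addrs)]
            if not match:
                findings.append(f"{zone}: DNS points port {port} at {addrs} "
                                f"but squid.conf has no {directive} on {port}")
            elif directive == "https_port" and not any("cert" in l.options for l in match):
                findings.append(f"{zone}: https_port {port} has no cert= option, "
                                f"so TLS cannot be served")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", SQUID_CONF_BROKEN), ("fixed", SQUID_CONF_FIXED)):
        print(f"== {label} ==")
        for finding in audit(UNBOUND_CONF, conf) or ["no gaps"]:
            print(" ", finding)
```

Run against the first config it reports, for each redirected zone, that port 443 is pointed at 192.0.2.10 with no `https_port` behind it, which is exactly the symptom in the original question; with the `https_port` line added it reports no gaps. Passing extra ports through `client_ports` (for example 993 for a mail client that also uses the zone) shows Amos's wider point that the DNS redirect claims all services of the domain, not only the web ones.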

This archive was generated by hypermail 2.2.0 : Mon Aug 18 2014 - 12:00:07 MDT