SSL behind a firewall

From: Thomas, Larry <[email protected]>
Date: Thu, 25 May 2000 10:01:46 -0500

I seem to be having trouble with getting ssl to work behind my firewall.
The proxy server is only used for outgoing web traffic.
Regular http works great, but when I try an https site the browser
returns the message:
Error 400
Proxy supports only full 'http' URLS

If I do a tcpdump on my firewall the only traffic I see hitting it is for
port 80.

Internet<-------Firewall <----- Squid<------Internal users

My squid.conf
cache_peer pigpen.sbec.com parent 80 0 no-query default
cache_peer pigpen.sbec.com parent 443 0 no-query default
cache_peer pigpen.sbec.com parent 21 0 no-query default
cache_mem 150 MB
cache_dir ufs /usr/local/squid/cache 300 16 256
cachemgr_passwd speed config shutdown
debug_options ALL,1 28,9 26,5 17,5
#debug_options ALL,1
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl PURGE method purge
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl sb879 src 128.1.1.41/255.255.255.255
acl whodo proxy_auth REQUIRED
acl SAFE_ports port 80 21 443 563 465 70 210 1025-65535
acl SSL_ports port 443 563
acl CONNECT method CONNECT
authenticate_ttl 600
authenticate_program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access allow whodo
http_access allow CONNECT SSL_ports
never_direct allow SAFE_ports
icp_access allow all
cache_mgr lot@sbec.com
cache_effective_user nobody
cache_effective_group nogroup
visible_hostname proxy1.sbec.com

Here is what is put in my cache.log
2000/05/25 09:17:39| aclCheckFast: list: 1b3e70
2000/05/25 09:17:39| aclMatchAclList: checking all
2000/05/25 09:17:39| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2000/05/25 09:17:39| aclMatchIp: '128.1.1.172' found
2000/05/25 09:17:39| aclMatchAclList: returning 1
2000/05/25 09:17:39| aclCheck: checking 'http_access allow manager localhost'
2000/05/25 09:17:39| aclMatchAclList: checking manager
2000/05/25 09:17:39| aclMatchAcl: checking 'acl manager proto cache_object'
2000/05/25 09:17:39| aclMatchAclList: returning 0
2000/05/25 09:17:39| aclCheck: checking 'http_access deny manager'
2000/05/25 09:17:39| aclMatchAclList: checking manager
2000/05/25 09:17:39| aclMatchAcl: checking 'acl manager proto cache_object'
2000/05/25 09:17:39| aclMatchAclList: returning 0
2000/05/25 09:17:39| aclCheck: checking 'http_access allow purge localhost'
2000/05/25 09:17:39| aclMatchAclList: checking PURGE
2000/05/25 09:17:39| aclMatchAcl: checking 'acl PURGE method purge'
2000/05/25 09:17:39| aclMatchAclList: returning 0
2000/05/25 09:17:39| aclCheck: checking 'http_access deny purge'
2000/05/25 09:17:39| aclMatchAclList: checking PURGE
2000/05/25 09:17:39| aclMatchAcl: checking 'acl PURGE method purge'
2000/05/25 09:17:39| aclMatchAclList: returning 0
2000/05/25 09:17:39| aclCheck: checking 'http_access deny purge'
2000/05/25 09:17:39| aclMatchAclList: checking PURGE
2000/05/25 09:17:39| aclMatchAcl: checking 'acl PURGE method purge'
2000/05/25 09:17:39| aclMatchAclList: returning 0
2000/05/25 09:17:39| aclCheck: checking 'http_access allow whodo'
2000/05/25 09:17:39| aclMatchAclList: checking whodo
2000/05/25 09:17:39| aclMatchAcl: checking 'acl whodo proxy_auth REQUIRED'
2000/05/25 09:17:39| aclDecodeProxyAuth: header = 'Basic bG90OmIwMGdpZQ=='
2000/05/25 09:17:39| aclDecodeProxyAuth: cleartext = 'popeye:wimpy'
2000/05/25 09:17:39| aclMatchProxyAuth: checking user 'popeye'
2000/05/25 09:17:39| aclMatchProxyAuth: user 'popeye' not yet known
2000/05/25 09:17:39| aclMatchAclList: returning 0
2000/05/25 09:17:39| aclCheck: checking password via authenticator
2000/05/25 09:17:39| aclDecodeProxyAuth: header = 'Basic bG90OmIwMGdpZQ=='
2000/05/25 09:17:39| aclDecodeProxyAuth: cleartext = 'popeye:wimpy'
2000/05/25 09:17:39| aclLookupProxyAuthStart: going to ask authenticator on popeye
2000/05/25 09:17:39| aclLookupProxyAuthDone: result = OK
2000/05/25 09:17:39| aclCheck: checking 'http_access allow whodo'
2000/05/25 09:17:39| aclMatchAclList: checking whodo
2000/05/25 09:17:39| aclMatchAcl: checking 'acl whodo proxy_auth REQUIRED'
2000/05/25 09:17:39| aclDecodeProxyAuth: header = 'Basic bG90OmIwMGdpZQ=='
2000/05/25 09:17:39| aclDecodeProxyAuth: cleartext = 'popeye:wimpy'
2000/05/25 09:17:39| aclMatchProxyAuth: checking user 'popeye'
2000/05/25 09:17:39| aclMatchProxyAuth: user 'popeye' validated OK
2000/05/25 09:17:39| aclMatchProxyAuth: user 'popeye' previously validated
2000/05/25 09:17:39| aclMatchUser: checking 'popeye'
2000/05/25 09:17:39| aclMatchUser: looking for 'REQUIRED'
2000/05/25 09:17:39| aclMatchAclList: returning 1
2000/05/25 09:17:39| aclCheck: match found, returning 1
2000/05/25 09:17:39| aclCheckCallback: answer=1
2000/05/25 09:17:39| sslStart: 'CONNECT netbenefits.401k.com:443'
2000/05/25 09:17:39| aclCheck: checking 'never_direct allow SAFE_ports'
2000/05/25 09:17:39| aclMatchAclList: checking SAFE_ports
2000/05/25 09:17:39| aclMatchAcl: checking 'acl SAFE_ports port 80 21 443 563 465 70 210 1025-65535'
2000/05/25 09:17:39| aclMatchAclList: returning 1
2000/05/25 09:17:39| aclCheck: match found, returning 1
2000/05/25 09:17:39| aclCheckCallback: answer=1
2000/05/25 09:17:39| sslProxyConnected: FD 16 sslState=40d8d8
2000/05/25 09:17:39| sslProxyConnected: Sending {CONNECT netbenefits.401k.com:443 HTTP/1.0^M
User-Agent: Mozilla/4.7 [en] (Win95; I)^M
Via: 1.0 proxy1.sbec.com:3128 (Squid/2.3.STABLE2)^M
X-Forwarded-For: 128.1.1.172^M
Host: netbenefits.401k.com:443^M
Cache-Control: max-age=259200^M
^M
}
2000/05/25 09:17:39| sslWriteServer: FD 16, 230 bytes to write
2000/05/25 09:17:39| sslWriteServer: FD 16, 230 bytes written
2000/05/25 09:17:39| sslReadServer: FD 16, reading 8192 bytes at offset 0
2000/05/25 09:17:39| sslReadServer: FD 16, read 180 bytes
2000/05/25 09:17:40| sslWriteClient: FD 13, 180 bytes to write
2000/05/25 09:17:40| sslWriteClient: FD 13, 180 bytes written
2000/05/25 09:17:40| sslReadServer: FD 16, reading 8192 bytes at offset 0
2000/05/25 09:17:40| sslReadServer: FD 16, read 0 bytes
2000/05/25 09:17:40| sslServerClosed: FD 16
2000/05/25 09:17:40| sslClientClosed: FD 13
2000/05/25 09:17:40| sslStateFree: sslState=40d8d8

Here is my access.log
959264260.159 233 128.1.1.172 TCP_MISS/000 180 CONNECT netbenefits.401k.com:443 popeye DEFAULT_PARENT/pigpen.sbec.com -
Received on Thu May 25 2000 - 09:02:16 MDT
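The access.log entry in the post records the CONNECT with hierarchy DEFAULT_PARENT and status 000: never_direct sent the tunnel request to the peer, and the 180 bytes that cache.log shows being read from the peer and written to the client are the peer's reply relayed without a tunnel ever being established. The script below is an added example (not from the post or from the Squid project) that parses Squid's native access.log format and flags exactly that pattern, so a proxy admin can spot failed parent tunnels across a whole log rather than one line at a time. The field layout it assumes is the native format shown in the post (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, content-type); the sample lines are constructed and use example.com hostnames.

```python
"""Parse Squid native access.log lines and flag CONNECT requests that were
handed to a parent peer but never yielded an HTTP status (status 000).
Added example; sample lines below are constructed, modelled on the post's entry."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One request per line, whitespace-separated, native Squid format:
# time elapsed client code/status bytes method URL user hierarchy/peer content-type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    code: str
    status: int
    size: int
    method: str
    url: str
    user: str
    hier: str
    peer: str
    ctype: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a native-format line, or None if it does not parse."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Entry(float(d["ts"]), int(d["elapsed"]), d["client"], d["code"],
                 int(d["status"]), int(d["bytes"]), d["method"], d["url"],
                 d["user"], d["hier"], d["peer"], d["ctype"])


def is_failed_parent_tunnel(e: Entry) -> bool:
    """A CONNECT routed to a parent that produced no HTTP status: Squid relayed
    whatever the parent answered, but no tunnel came up."""
    return e.method == "CONNECT" and e.status == 0 and "PARENT" in e.hier


def triage(log_text: str) -> List[Entry]:
    """All failed parent tunnels in a block of access.log text (bad lines skipped)."""
    return [e for e in map(parse_line, log_text.splitlines())
            if e is not None and is_failed_parent_tunnel(e)]


# Constructed sample: first line mirrors the shape of the post's entry.
SAMPLE_ACCESS_LOG = """\
959264260.159 233 10.0.0.172 TCP_MISS/000 180 CONNECT secure.example.com:443 alice DEFAULT_PARENT/parent.example.com -
959264261.004 120 10.0.0.172 TCP_MISS/200 5120 GET http://www.example.com/ alice DEFAULT_PARENT/parent.example.com text/html
959264262.518 310 10.0.0.50 TCP_MISS/200 2048 CONNECT www.example.net:443 bob DIRECT/www.example.net -
not a log line
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_ACCESS_LOG):
        print(f"{e.client} ({e.user}): CONNECT {e.url} via {e.hier}/{e.peer} "
              f"-> status {e.status:03d}, {e.size} bytes relayed from peer")
```

Run it against a real access.log with `triage(open("/path/to/access.log").read())`; a burst of flagged entries all naming the same peer points at that peer not accepting CONNECT, which is what the post's parent on port 80 is reporting with its "Proxy supports only full 'http' URLs" page.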
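The cache.log excerpt above was produced with debug_options raised for the ACL section (28,9), and at that level Squid's aclDecodeProxyAuth trace writes both the raw Proxy-Authorization header and its decoded cleartext into the log. A Basic header is only base64 of user:password, so a log that has had the cleartext line edited but still carries the header value still contains the password; both forms have to go before a cache.log is pasted into a mailing list or ticket. The script below is an added example (not from the post or from Squid) that redacts both forms and checks a log for anything left unredacted; its sample lines are constructed, with a made-up credential and a base64 value computed from it.

```python
"""Redact proxy credentials that Squid's ACL debug tracing writes to cache.log,
and check a log for credentials that are still exposed.
Added example; sample lines and the credential in them are constructed."""
import base64
import re
from typing import List

# Both forms that aclDecodeProxyAuth emits at high debug levels.
BASIC_RE = re.compile(r"(header = ')Basic [A-Za-z0-9+/=]+(')")
CLEAR_RE = re.compile(r"(cleartext = ')([^']*)(')")


def redact_line(line: str) -> str:
    """Drop the base64 header entirely; keep the username in the cleartext
    form (useful for correlating the trace) but remove the password."""
    line = BASIC_RE.sub(r"\1Basic [REDACTED]\2", line)

    def keep_user(m: re.Match) -> str:
        user = m.group(2).split(":", 1)[0]
        return f"{m.group(1)}{user}:[REDACTED]{m.group(3)}"

    return CLEAR_RE.sub(keep_user, line)


def redact(log_text: str) -> str:
    return "\n".join(redact_line(l) for l in log_text.splitlines())


def find_unredacted(log_text: str) -> List[int]:
    """1-based line numbers that still carry a decodable header or a cleartext
    password. A log is safe to share only when this returns an empty list."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if BASIC_RE.search(line):
            hits.append(n)
            continue
        m = CLEAR_RE.search(line)
        if m and not m.group(2).endswith("[REDACTED]"):
            hits.append(n)
    return hits


# Constructed sample in the shape of the post's trace; credential is made up.
SAMPLE_B64 = base64.b64encode(b"alice:s3cret").decode()
SAMPLE_CACHE_LOG = f"""\
2000/05/25 09:17:39| aclMatchAcl: checking 'acl whodo proxy_auth REQUIRED'
2000/05/25 09:17:39| aclDecodeProxyAuth: header = 'Basic {SAMPLE_B64}'
2000/05/25 09:17:39| aclDecodeProxyAuth: cleartext = 'alice:s3cret'
2000/05/25 09:17:39| aclMatchProxyAuth: checking user 'alice'
2000/05/25 09:17:39| aclLookupProxyAuthDone: result = OK
"""

if __name__ == "__main__":
    print("exposed on lines:", find_unredacted(SAMPLE_CACHE_LOG))
    print(redact(SAMPLE_CACHE_LOG))
    print("exposed after redaction:", find_unredacted(redact(SAMPLE_CACHE_LOG)))
```

The check deliberately treats any surviving `Basic <base64>` value as a hit even when the cleartext line next to it has been hand-edited, because the header alone reproduces the credential. Once the ACL problem is diagnosed, dropping debug_options back to ALL,1 stops the credential lines being written at all.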
