HTTPS sites won't open

1. HTTPS sites won't open

adriano silva
driovitor

(uses Kurumin)

Posted on 01/04/2011 - 09:34h

I can't get into any email site when I go to log in, or even the bank. Port 443 is open in squid, but I still can't access them. What could it be?

Here are my squid and firewall:

#!/bin/bash

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth1 -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE

iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp --dport 80 -j REDIRECT --to-port 3128



my squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/24 # RFC1918 possible internal network

acl SSL_ports port 443 563 #https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 2083 2707 2087 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 5228 # Android Market
acl Safe_ports port 8889 # Android
acl Safe_ports port 4410 # Android
acl CONNECT method CONNECT


http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost


# And finally deny all other access to this proxy
http_access deny all

Thanks, guys



2. Re: HTTPS sites won't open

Ivo Becker
ivo.becker

(uses Debian)

Posted on 03/04/2011 - 13:13h

Is it a transparent proxy?
If so, your squid is missing a rule!
Which Squid version? 2.7? 3.0?
To open port 443 sites, use:
iptables -A FORWARD -i eth1 -p tcp --dport 443 -j ACCEPT
remembering that eth1 is the interface the machines use to connect to the server...
Make your squid transparent....
Like this:
http_port 3128 transparent

Another question!
Why are you using squid if you haven't enabled caching, access control, authentication... in short, without those squid is useless, just decoration...




3. Re: HTTPS sites won't open

adriano silva
driovitor

(uses Kurumin)

Posted on 04/04/2011 - 08:35h

Here is my complete squid:

#Recommended minimum configuration:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.100.0/24 # RFC1918 possible internal network
#
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow permitidos
# And finally deny all other access to this proxy
#http_access deny all

http_port 3128 transparent


access_log /var/log/squid/access.log squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320





4. Re: HTTPS sites won't open

adriano silva
driovitor

(uses Kurumin)

Posted on 04/04/2011 - 08:37h

I forgot to include the squid version: it's 2.7 stable3


5. Change the rule

Renan Gregorio Ribeiro
gregorio_rr

(uses openSUSE)

Posted on 04/04/2011 - 09:02h

The error may be here:

#http_access allow CONNECT !SSL_ports

The "!" means to exclude what comes after it. Like "Connect to 'so-and-so' except SSL_ports". Change the "allow" to "deny" or remove the "!"; then you'll be denying the connection and everything not included in the SSL_ports rule, and allowing only what is in SSL_ports. Got it?
Also try putting the ports of the Safe_ports rule on the same line; I had problems creating multiple rules with the same name.

I also opened port 443 in the firewall like this:

#iptables -A FORWARD -s 192.168.0.0/24 -p tcp --destination-port 443 -j ACCEPT
#iptables -A OUTPUT -s 192.168.0.0/24 -p tcp --destination-port 443 -j ACCEPT

Replace the IP and mask with those of your local network.
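As an added example (not any poster's own script), here is the first post's firewall rewritten the way replies 2 and 5 suggest: LAN-to-Internet HTTPS is forwarded explicitly instead of dying under the FORWARD DROP policy, and the blanket "accept everything from eth1" INPUT rule is narrowed to the proxy port. It assumes eth0 is the Internet side, eth1 the LAN 192.168.0.0/24 and Squid on 3128; with DRY_RUN=1 (the default) it only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not the poster's script: corrected firewall for a transparent
# Squid gateway. Assumed: eth0 = Internet, eth1 = LAN 192.168.0.0/24, Squid on 3128.
# DRY_RUN=1 (default) only prints the commands; "./fw.sh apply" (as root) installs them.
DRY_RUN="${DRY_RUN:-1}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

gen_rules() {
    ipt -F; ipt -X; ipt -t nat -F; ipt -t nat -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The original "-A INPUT -i eth1 -j ACCEPT" exposed every service on the
    # gateway to the LAN; only the proxy port needs to be reachable
    # (add DNS or SSH here only if this box actually serves them).
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Plain HTTP is intercepted and handed to Squid, as in the original script.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUID_PORT"
    # The missing rule: HTTPS is not redirected to Squid, so it must be routed
    # straight through. Without it the FORWARD DROP policy silently kills every
    # TLS handshake, which is exactly the "no email or bank sites" symptom.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 443 -j ACCEPT
    # Log what the DROP policy discards so the next such problem shows up in syslog.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Sanity check on the generated ruleset: is LAN -> WAN HTTPS forwarded?
has_https_forward() {
    ( DRY_RUN=1; gen_rules ) | grep -qF -- \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 443 -j ACCEPT"
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    gen_rules
fi
```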





