-----Original Message----- From: Philippe Vogel [mailto:filiaap@freenet.de] Sent: Wednesday, March 23, 2005 1:05 PM
What about port-acls?
#Recommended minimum configuration:
#acl all src 0.0.0.0/0.0.0.0
#acl manager proto cache_object
#acl localhost src 127.0.0.1/255.255.255.255
#acl SSL_ports port 443 563
#acl Safe_ports port 80          # http
#acl Safe_ports port 21          # ftp
#acl Safe_ports port 443 563     # https, snews
#acl Safe_ports port 70          # gopher
#acl Safe_ports port 210         # wais
#acl Safe_ports port 1025-65535  # unregistered ports
#acl Safe_ports port 280         # http-mgmt
#acl Safe_ports port 488         # gss-http
#acl Safe_ports port 591         # filemaker
#acl Safe_ports port 777         # multiling http
#acl CONNECT method CONNECT
sure my fool, added now to conf
Point #1: Before getting access to any port it is useful to get correct acls for all used ports.
Point #2: Is there a listen-port configured to let your squid run on https-port?
sure: https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.key
Point #3: Is there a reason for caching https content? This is insecure, as https should not be cached!?
now my English has a break ...
Point #4: I would do this with safe ports:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
right ... added to squid.conf:

extension_methods SEARCH PROPFIND PROPPATCH MKCOL MOVE BMOVE DELETE BDELETE BPROPFIND BPROPPATCH REPORT

The connect now works, but I don't receive the form login on 443 from Outlook Web Access. Clients move to https://host.domain.tld/exchange, are asked to accept the certificate (from squid), a long load follows and after a while it breaks with:

While trying to retrieve the URL: http://srv066:443/exchange
The following error was encountered:
* Connection Failed
The system returned: (111) Connection refused
The remote host or network may be down. Please try the request again.

The problem I see there: it's http and not https, and https is needed. Does anyone know if there are changes to do on the OWA?

Actual config looks like this:

visible_hostname host.domain.tld
https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.key
hosts_file /etc/squid/hosts
http_port 127.0.0.1:8080
httpd_accel_host srv066
httpd_accel_port 443
httpd_accel_uses_host_header off
httpd_accel_single_host on
httpd_accel_with_proxy off
acl acl_testmail dstdomain srv066
http_access allow acl_testmail
acl to_index urlpath_regex /$
acl to_favicon urlpath_regex /favicon.ico$
acl to_exchange urlpath_regex /exchange
http_access allow to_index
http_access allow to_favicon
http_access allow to_exchange
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 8080      # http
acl Safe_ports port 21           # ftp
acl Safe_ports port 443 563      # https, snews
acl Safe_ports port 70           # gopher
acl Safe_ports port 210          # wais
acl Safe_ports port 1025-65535   # unregistered ports
acl Safe_ports port 280          # http-mgmt
acl Safe_ports port 488          # gss-http
acl Safe_ports port 591          # filemaker
acl Safe_ports port 777          # multiling http
acl Safe_ports port 3401         # snmp
acl CONNECT method CONNECT
http_access allow all
http_access allow SSL_ports
http_access deny !Safe_ports
extension_methods SEARCH PROPFIND PROPPATCH MKCOL MOVE BMOVE DELETE BDELETE BPROPFIND BPROPATCH REPORT
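Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides the request, so the ordering in the posted config (allow all before deny !Safe_ports) means the port deny can never fire, while Point #4's ordering puts the denies first. The following is an added example, not code from this thread or from the Squid project: a small Python checker that parses acl/http_access lines for the src, port and method ACL types only (dstdomain, urlpath_regex and proto are deliberately left out), applies first-match semantics and Squid's documented default of "the opposite of the last http_access line", and compares the two orderings against a constructed request to a port outside Safe_ports. The configs and the request addresses and ports are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the http_access ordering from the posted config,
# reduced to the acl lines that matter for the port check.
POSTED_ORDER = """
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 8080      # http
acl Safe_ports port 21           # ftp
acl Safe_ports port 443 563      # https, snews
acl Safe_ports port 1025-65535   # unregistered ports
acl CONNECT method CONNECT
http_access allow all
http_access allow SSL_ports
http_access deny !Safe_ports
"""

# Constructed sample: the same ACLs with the ordering from Point #4.
RECOMMENDED_ORDER = """
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 8080      # http
acl Safe_ports port 21           # ftp
acl Safe_ports port 443 563      # https, snews
acl Safe_ports port 1025-65535   # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
"""


@dataclass
class Request:
    src: str        # client address
    method: str     # HTTP method, e.g. GET or CONNECT
    dst_port: int   # destination port of the request


def parse_conf(text):
    """Collect acl definitions and http_access rules, ignoring '#' comments."""
    acls = {}   # acl name -> list of (type, values); repeated names accumulate
    rules = []  # list of (action, [(negated, acl_name), ...]) in file order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, atype, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, []).append((atype, values))
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    """True if any value of any definition of the named acl matches the request."""
    for atype, values in acls[name]:
        if atype == "port":
            for v in values:
                lo, _, hi = v.partition("-")          # single port or lo-hi range
                lo, hi = int(lo), int(hi) if hi else int(lo)
                if lo <= req.dst_port <= hi:
                    return True
        elif atype == "method":
            if req.method.upper() in (v.upper() for v in values):
                return True
        elif atype == "src":
            addr = ipaddress.ip_address(req.src)
            for v in values:  # Squid's addr/netmask form is accepted by ip_network
                if addr in ipaddress.ip_network(v, strict=False):
                    return True
        else:
            raise ValueError(f"acl type not handled by this example: {atype}")
    return False


def decide(conf_text, req):
    """First http_access line whose terms all hold decides; else the default."""
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        # a negated term holds when the acl does NOT match
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action
    # Squid's default when nothing matched: the opposite of the last line's action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"


def unsafe_port_allowed(conf_text):
    """Does a plain GET to port 25 (not in Safe_ports) get through this ordering?"""
    return decide(conf_text, Request("10.0.0.5", "GET", 25)) == "allow"


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_ORDER), ("recommended", RECOMMENDED_ORDER)):
        print(label, "GET :25 ->", decide(conf, Request("10.0.0.5", "GET", 25)),
              "| CONNECT :443 ->", decide(conf, Request("10.0.0.5", "CONNECT", 443)),
              "| CONNECT :8080 ->", decide(conf, Request("10.0.0.5", "CONNECT", 8080)))
```

Running it shows the posted ordering allowing the GET to port 25 and the CONNECT to 8080 (allow all wins first), while the recommended ordering denies both and still allows CONNECT to 443. The checker is a reading aid for reviewing an http_access block, not a replacement for testing the real proxy; in particular it does not model dstdomain, urlpath_regex or the manager/proto ACLs that the full config also uses.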