# [Solved] How to allow https (443) in squid?

## solamour

```
                          Internet
                              |
                              |
+------------+         +------------+
|    BoxA    |         |    BoxB    |
|            |---------|            |
| ssh client |         | ssh server |
+------------+         |   squid    |
       |               +------------+
       |
+------------+
|    BoxC    |
|            |
|   Firefox  |
+------------+
```

BoxA connects to BoxB via ssh, and BoxA's port 3128 is forwarded to BoxB's 3128 (localhost:3128). BoxB also runs squid web proxy.

BoxC can set its proxy to BoxA:3128 and it can access the web. But it seems like only http (80) is working. Is there any way that I can forward https (443) as well?

If that's not possible, what do I need to do to allow BoxC to initiate PPTP? BoxC would like to start a VPN session. Any suggestions welcome.

__

sol

Last edited by solamour on Sun Mar 15, 2009 8:22 am; edited 3 times in total

----------

## wah

Hi,

I was just fiddling with this today as well.  I found that there were "SAFE_ports" ACLs that were predefined, one of which included 443.  However, I had not activated that particular ACL (only the Safe_ports 80 acl)...and once I added a rule that did so, I was able to access SSL-enabled pages.

My Squid box is at work, so I cannot quote the code...if you're still stuck, I can do so tomorrow.  However, if you find the ACL section, you should find what I'm speaking of.

Cheers,

W.

----------

## solamour

It would help me greatly if you'd share the relevant parts of your "squid.conf". Thanks.

__

sol

----------

## wah

 *solamour wrote:*   

> It would help me greatly if you'd share the relevant parts of your "squid.conf". Thanks.
> 
> __
> 
> sol


Cool - will do when I get in to work tomorrow.

W.

----------

## wah

Here's my squid.conf file, filtered using grep -v ^# /etc/squid/squid.conf.  One note - I don't use this on a "production" system.  This is restricted to my own private subnet of our corporate network, and therefore, some of these options may not be recommended:

```
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl manager proto cache_object
acl allowed_hosts src 192.168.0.0/255.255.255.0
http_access allow Safe_ports    # first match wins: this admits any client source to these ports
acl our_networks src 192.168.0.0/24
http_access allow our_networks
http_access allow localhost
icp_access allow allowed_hosts
icp_access deny all
miss_access allow allowed_hosts
miss_access deny all
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
forwarded_for off
coredump_dir /var/cache/squid
url_rewrite_program /usr/sbin/wrapzap
url_rewrite_children 15
url_rewrite_access deny localhost
url_rewrite_access deny SSL_ports
```

The items that I speak of are:

```
acl Safe_ports port 443 563     # https, snews
http_access allow Safe_ports
```

The second option was commented out, so I was not able to access https pages until I uncommented it.

Hope this helps - I've only been playing with squid for two days, so I don't know if I'm going about it correctly...but it does work.

Cheers,

W.

----------

## solamour

Q1) BoxA's port 3128 is forwarded to BoxB's 3128 (that would be 8080 in your case). Do I need to forward anything else?

Q2) Is it OK to set "Use this proxy server for all protocols" in BoxC's Firefox? Or should I set something else for "SSL Proxy" in Firefox?

__

sol

----------

## ketjap

 *solamour wrote:*   

> Q1) BoxA's port 3128 is forwarded to BoxB's 3128 (that would be 8080 in your case). Do I need to forward anything else?
> 
> Q2) Is it OK to set "Use this proxy server for all protocols" in BoxC's Firefox? Or should I set something else for "SSL Proxy" in Firefox?
> 
> __
> ...


Q1) 3128 will do the job.

Q2) It's okay to set "Use this proxy server for all protocols"

There is another acl that I remember from my time using squid. Something like acl deny !SavePorts. When you put that off, every port will work and you are not restricted to the SafePorts anymore. But this is only a guess. I don't have any configuration here.

----------

## solamour

I believe when it comes to security, I'm supposed to open only what is really necessary, but because I'm lazy, I ended up taking an easy way out, allowing everyone inside my network.

```
# /etc/squid/squid.conf
acl our_networks src 192.168.0.0/24
acl SSL_ports port 443
http_access allow our_networks
visible_hostname myhostname
```

__

sol
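As an added example (not code from the thread), here is a small Python model of squid's first-match http_access evaluation, covering only the src, port and method ACL types used in wah's and solamour's configs above. It contrasts the posted ordering, where `http_access allow Safe_ports` comes before any source check, with squid's stock `deny !Safe_ports` / `deny CONNECT !SSL_ports` ordering that ketjap half-remembers; the abridged configs and client addresses are constructed for the example.

```python
# Added example, not code from the thread: a minimal model of squid's first-match
# http_access evaluation for the ACL types the posted configs use (src, port, method).
import ipaddress

def parse(conf):
    """Collect acl definitions and http_access rules, in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()           # drop trailing comments
        if len(words) > 2 and words[0] == "acl":
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif len(words) > 2 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    """True if any line defining this ACL matches the request (proto etc. never do)."""
    for kind, values in acls.get(name, []):
        if kind == "src":
            ip = ipaddress.ip_address(req["src"])
            if any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif kind == "port":                            # "443" or "1025-65535"
            for v in values:
                lo, _, hi = v.partition("-")
                if int(lo) <= req["port"] <= int(hi or lo):
                    return True
        elif kind == "method" and req["method"] in values:
            return True
    return False

def decide(conf, req):
    """First http_access line whose terms all match wins ('!' negates a term);
    if no line matches, squid applies the opposite of the last line's action."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"

# Constructed from the thread's ACLs (abridged); only the rule orderings differ.
ACLS = ("acl all src 0.0.0.0/0.0.0.0\nacl SSL_ports port 443 563\n"
        "acl Safe_ports port 80 21 443 563 1025-65535\nacl CONNECT method CONNECT\n"
        "acl our_networks src 192.168.0.0/24\n")
# Thread's ordering: "allow Safe_ports" precedes every source check (open proxy).
POSTED = ACLS + "http_access allow Safe_ports\nhttp_access allow our_networks\nhttp_access deny all\n"
# squid's stock ordering: reject odd ports and non-SSL CONNECT, then allow the LAN only.
STOCK = ACLS + ("http_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\n"
                "http_access allow our_networks\nhttp_access deny all\n")
```

With POSTED, a client outside 192.168.0.0/24 is allowed through to port 80, while STOCK still lets the LAN CONNECT to 443 but refuses CONNECT to 25 or 8443 and refuses outside clients entirely.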

----------

## fbcyborg

Hello wah, hello everybody.

I tried your squid.conf on my server but I can't still browse https pages.

I made a few changes in your config file to accommodate my needs, but it doesn't fit my necessities.

I have been trying for about two days to get it working properly.

Furthermore, it doesn't work in transparent mode. If I put "no proxy" in Firefox settings, there's no way to surf the internet from the subnet I created.

I have to put 10.0.0.1:3128 in the manual configuration for the proxy server, in order to be able to browse (only) some websites (through port 80).

This is my squid.conf:

```
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl manager proto cache_object
acl allowed_hosts src 10.0.0.0/255.0.0.0
http_access allow Safe_ports    # first match wins: this admits any client source to these ports
acl our_networks src 10.0.0.0/8
http_access allow our_networks
http_access allow localhost
icp_access allow allowed_hosts
icp_access deny all
miss_access allow allowed_hosts
miss_access deny all
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
forwarded_for off
coredump_dir /var/cache/squid
url_rewrite_children 15
url_rewrite_access deny localhost
url_rewrite_access deny SSL_ports
```

----------

