My problem:
- I wish for several client PCs to open chrome browser using an http_proxy and route all communication through this proxy.
- The http_proxy setting will be localhost:3128 and a local ssh tunnel will forward the communication to a squid server.
- The Squid server will be set to handle only localhost connections on 3128.
- The Squid server should forward all requests (http and https).
- No need for any other feature! no caching, no monitoring, etc. Just forwarding.
- The squid server will forward from several ports to different outgoing IP addresses.
I used the following squid.conf:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl SSL method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
# configuring port 3128 to 1.2.3.4 # there's a real IP here
http_port 127.0.0.1:3128 name=3128
# one ACL type per acl line: "src 127.0.0.1" appended here is read as extra port names, not a source match
# (the listener above is already bound to 127.0.0.1)
acl port3128 myportname 3128
http_access allow port3128
tcp_outgoing_address 1.2.3.4 port3128
# configuring port 3129 to 1.2.3.5 # there's a real IP here
http_port 127.0.0.1:3129 name=3129
acl port3129 myportname 3129
http_access allow port3129
tcp_outgoing_address 1.2.3.5 port3129
With the above setup, http is working fine, however https doesn't work. That is, the website is not appearing at all. I tried this mainly with google.com. Strangely enough, https://www.amazon.com does work!
What should be the right config for this scenario?
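The config in the question is easy to get subtly wrong: Squid reads an acl line as one ACL type followed by values, so a second type keyword on the same line (the "src 127.0.0.1" after "myportname 3128") silently becomes extra port names instead of a source restriction, and a tcp_outgoing_address that names an undefined acl never matches. The following linter is an added example, not code from the original post or from the Squid project; it parses a small constructed squid.conf (the question's per-port pattern) and reports those mistakes plus a missing CONNECT guard. The ACL type list and built-in ACL names are assumptions that cover the directives used on this page, not Squid's full grammar.

```python
"""Lint a squid.conf fragment for the per-port outgoing-address pattern.

Added example (not Squid's own tooling).  Checks:
  * each acl line carries exactly one ACL type,
  * every acl referenced by http_access / tcp_outgoing_address is defined,
  * each named http_port has a myportname acl, an allow rule and an outgoing address,
  * a 'http_access deny CONNECT !SSL_ports' guard is present.
"""

# Constructed sample: the question's config, with its acl mistake on port3128 kept.
SAMPLE_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_port 127.0.0.1:3128 name=3128
acl port3128 myportname 3128 src 127.0.0.1
http_access allow port3128
tcp_outgoing_address 1.2.3.4 port3128
http_port 127.0.0.1:3129 name=3129
acl port3129 myportname 3129
http_access allow port3129
tcp_outgoing_address 1.2.3.5 port3129
"""

# Assumed subset of ACL types / built-in ACL names relevant to this config.
ACL_TYPES = {"port", "method", "src", "dst", "myportname", "dstdomain", "proto", "localport"}
BUILTIN_ACLS = {"localhost", "manager", "all", "localnet"}


def parse(conf):
    """Return (acls, ports, access, outgoing) from the directives we care about."""
    acls = {}      # acl name -> (type, [values])
    ports = {}     # http_port name -> listen address
    access = []    # (action, [acl refs]) in file order
    outgoing = []  # (address, [acl refs])
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive == "acl" and len(args) >= 2:
            name, acltype, values = args[0], args[1], args[2:]
            acls.setdefault(name, (acltype, []))[1].extend(values)
        elif directive == "http_port" and args:
            name = next((a.split("=", 1)[1] for a in args if a.startswith("name=")), args[0])
            ports[name] = args[0]
        elif directive == "http_access" and args:
            access.append((args[0], args[1:]))
        elif directive == "tcp_outgoing_address" and args:
            outgoing.append((args[0], args[1:]))
    return acls, ports, access, outgoing


def lint(conf):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    findings = []
    acls, ports, access, outgoing = parse(conf)

    # 1. A type keyword inside the value list is a second type on one acl line.
    for name, (acltype, values) in acls.items():
        stray = [v for v in values if v in ACL_TYPES]
        if stray:
            findings.append(f"acl {name}: '{stray[0]}' appears in the value list of a "
                            f"'{acltype}' acl; use one ACL type per acl line")

    # 2. Every acl referenced by a rule must be defined (or built in).
    defined = set(acls) | BUILTIN_ACLS
    for _, refs in access + outgoing:
        for ref in refs:
            if ref.lstrip("!") not in defined:
                findings.append(f"undefined acl '{ref.lstrip('!')}' referenced in a rule")

    # 3. Each named listener needs a myportname acl, an allow rule and an outgoing address.
    allowed = {r for action, refs in access if action == "allow" for r in refs}
    routed = {r for _, refs in outgoing for r in refs}
    for pname, addr in ports.items():
        matching = {n for n, (t, v) in acls.items() if t == "myportname" and pname in v}
        if not matching:
            findings.append(f"http_port {addr}: no myportname acl for name={pname}")
        elif not matching & allowed:
            findings.append(f"http_port {addr}: acl {sorted(matching)[0]} has no http_access allow")
        elif not matching & routed:
            findings.append(f"http_port {addr}: acl {sorted(matching)[0]} has no tcp_outgoing_address")

    # 4. CONNECT (used for https) should be limited to SSL_ports.
    if not any(action == "deny" and "CONNECT" in refs and "!SSL_ports" in refs
               for action, refs in access):
        findings.append("missing 'http_access deny CONNECT !SSL_ports'")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Running it against the sample reports the single stray "src" on the port3128 acl; removing that suffix (so the line reads "acl port3128 myportname 3128") yields no findings, which is the shape of the per-port section the question was aiming for.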
Best Answer
The "local ssh tunnel" software you are using needs to connect to an https_port on Squid which will accept HTTP over TLS. The "http_port" directive only receives un-encrypted HTTP syntax.
The proxy https_port should be configured with a regular server TLS certificate and should work fine so long as the tunnel software at the client end trusts the CA used to sign that proxy cert.