Check out your access log to see what it says. Sounds like you are
looking for an AFW from squid. The ports themselves are defined. You
need to make sure the other ports are opened.
Your rule tells squid to block the non-allowed sites to the non-allowed
ports. Still sounds like FW function, but with the domain feature only.
-B
On 10/12/2014 7:48 AM, Timothy Spear wrote:
Hello,
Here is the issue:
I can proxy through Squid just fine to HTTP and HTTPS. I can also run
SSH via Corkscrew to an SSH server running on port 443 and it works fine.
What I cannot do, is access HTTPS or SSH on any other port except 443.
I have lost track of the number of things I have tried so any help
will be appreciated and I feel like I am missing something simple.
OS: Ubuntu 14.04.1 LTS
Squid: 3.3.8-1ubuntu6.1
Here is my current Squid 3 configuration:
debug_options all,3
# local network we proxy for
acl localnet src 10.110.98.0/24
# what ports can be the destination
acl allowedPorts port 21
acl allowedPorts port 22
acl allowedPorts port 2222
acl allowedPorts port 80
acl allowedPorts port 443
acl allowedPorts port 8443
acl CONNECT method CONNECT
# determine the available sites
acl allowedSites dstdomain "/etc/squid3/allowed-sites.squid"
# now block anything not on the localnet or ports
http_access deny !localnet
# allow connect only for approved ports
http_access deny CONNECT !allowedPorts
# now only allow to the specific sites
http_access allow localnet allowedSites allowedPorts
http_port 3128
access_log /var/log/squid3/access.log squid
hosts_file /etc/hosts
Background (just FYI):
I am trying to set up Squid to control network access from a local
subnet to a select number of domains. I do not need to bump the
encrypted traffic and play man in the middle, I just need to prevent
the servers on the local network from accessing unauthorized networks.
Yes, I know I can do this in the Firewall, but that is IP based and I
am dealing with enough other companies that maintaining the IP list
has become a major pain. Instead I want to use domains, which I can do
in Squid.
Thanks,
Tim
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
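
The access-log check suggested in the reply, as an added example (not part of either message and not Squid project code): it reads constructed sample lines in Squid's native log format and separates denied CONNECT requests whose port is in the quoted allowedPorts list from those whose port is not. The sample log lines, hostnames and function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Ports from the allowedPorts ACL in the configuration quoted above.
ALLOWED_PORTS = {21, 22, 2222, 80, 443, 8443}

# Constructed sample lines in Squid's native "squid" access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1413114480.101    210 10.110.98.15 TCP_MISS/200 4312 CONNECT www.example.com:443 - HIER_DIRECT/192.0.2.10 -
1413114481.340      0 10.110.98.15 TCP_DENIED/403 3620 CONNECT ssh.example.net:2222 - HIER_NONE/- text/html
1413114482.512      0 10.110.98.15 TCP_DENIED/403 3618 CONNECT 192.0.2.44:8443 - HIER_NONE/- text/html
1413114483.007      0 10.110.98.22 TCP_DENIED/403 3615 CONNECT www.example.org:9443 - HIER_NONE/- text/html
1413114484.220     95 10.110.98.22 TCP_MISS/200 1024 GET http://www.example.com/ - HIER_DIRECT/192.0.2.10 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def denied_connects(log_text):
    """Return (client, host, port, port_listed) for each denied CONNECT."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT" or "DENIED" not in m["result"]:
            continue
        # CONNECT targets are logged as host:port; rpartition copes with
        # bracketed IPv6 literals such as [2001:db8::1]:443.
        host, _, port = m["url"].rpartition(":")
        if not port.isdigit():
            continue
        rows.append((m["client"], host, int(port), int(port) in ALLOWED_PORTS))
    return rows

def summarize(rows):
    """Count denials per port, split by whether the port ACL lists it."""
    listed = Counter(p for _, _, p, ok in rows if ok)
    unlisted = Counter(p for _, _, p, ok in rows if not ok)
    return listed, unlisted

if __name__ == "__main__":
    listed, unlisted = summarize(denied_connects(SAMPLE_LOG))
    print("denied although port is in allowedPorts:", dict(listed))
    print("denied and port is not in allowedPorts:", dict(unlisted))
```

A denial on a port that is in the list points away from the port ACL shown and toward another rule in the effective configuration, such as the allowedSites match.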