  1. #1

    araczek

    Squid proxy on Windows - immediate "this page cannot be displayed" on HTTPS

    Been at this for days now. Proxy is on Windows Server 2003 and testing is done with a Windows 7 machine. Using Internet Explorer (v 9, 10) or Firefox when trying to load HTTPS pages the browser IMMEDIATELY shoots back a
    "this page can't be displayed" message. This does not happen with ALL HTTPS sites, just some. If I look in the cache.log file I see that the site I am trying is "allowed" by the proxy so it is getting to the proxy and is not denied. I
    have tried a couple registry hacks for Bad Proxy Timeouts in Windows but no luck.

    This is driving me nuts and I REALLY NEED a resolution. A project needs access to an Internet site for testing and I can't seem to get them there.

    HELP!

  2. #2

    localzuk
    Can you post your squid.conf file?

  3. #3

    araczek
    I'd like to but I don't see an option to make an attachment in the reply. Unless I make a new thread.

  4. #4

    localzuk
    You should be able to put the contents of the squid.conf file just as text in [code] tags

  5. #5

    araczek
    attached

  6. #6

    localzuk
    Hmm... an initial glance doesn't have anything jump out at me.

  7. #7
    cpjitservices
    Try enabling access to SSL and safe ports. Change the default deny for allow like this:

    http_access allow !Safe_ports
    http_access allow CONNECT !SSL_ports

    Maybe this works for you!

    Be aware when enabling this, 'cause you're granting access to other related ports in your ACL list. So be sure to have a good firewall already configured in your network.
    Last edited by cpjitservices; 15th January 2014 at 04:29 PM.

  8. #8

    araczek
    Yes those sites have BEEN in the ACL for a while. I get the "allowed" message in the cache.log.

  9. #9
    cpjitservices
    Try enabling access to SSL and safe ports. Change the default deny for allow like this:

    http_access allow !Safe_ports
    http_access allow CONNECT !SSL_ports

    Maybe this works for you!

    Be aware when enabling this, 'cause you're granting access to other related ports in your ACL list. So be sure to have a good firewall already configured in your network.

    Quote Originally Posted by araczek View Post
    Yes those sites have BEEN in the ACL for a while. I get the "allowed" message in the cache.log.

  10. #10
    free780
    How are you pushing out the proxy setting?

  11. #11

    araczek
    Quote Originally Posted by cpjitservices View Post
    Try enabling access to SSL and safe ports. Change the default deny for allow like this:

    http_access allow !Safe_ports
    http_access allow CONNECT !SSL_ports

    Maybe this works for you!

    Be aware when enabling this, 'cause you're granting access to other related ports in your ACL list. So be sure to have a good firewall already configured in your network.
    Maybe I'm wrong but doesn't http_access !Safe_Ports mean allow access to all ports NOT in the safe list? Same with http_access allow CONNECT !SSL_ports. Wouldn't that say essentially allow connect to all ports that are NOT SSL ports??? I am trying to connect to an SSL site.
    Forgive me if I am wrong.

  12. #12
    Duke5A
    That config file is really hard to parse by hand with all the comments in it; here it is with the comments stripped:

    Code:
    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl localnet src 172.16.10.0	# RFC1918 possible internal network
    acl localnet src 172.16.80.0	# RFC1918 possible internal network
    acl SSL_ports port 443
    acl SSL_ports port 873          # rsync_SSL
    acl Safe_ports port 80		# http
    acl Safe_ports port 21		# ftp
    acl Safe_ports port 443		# https
    acl Safe_ports port 873         # rsync
    acl Safe_ports port 70		# gopher
    acl Safe_ports port 210		# wais
    acl Safe_ports port 1025-65535	# unregistered ports
    acl Safe_ports port 280		# http-mgmt
    acl Safe_ports port 488		# gss-http
    acl Safe_ports port 591		# filemaker
    acl Safe_ports port 777		# multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny to_localhost
    acl GoodHosts src "c:/squid/etc/squid-allowedhosts.acl"
    acl Goodsites dstdomain "c:/squid/etc/squid-site_noblock.acl"
    http_access allow GoodHosts Goodsites
    http_access allow localnet
    http_access deny all
    icp_access allow localnet
    icp_access deny all
    http_port 3128
    cache_peer 127.0.0.1 parent 4001 7 no-query
    hierarchy_stoplist cgi-bin
    cache_dir ufs c:/squid/var/cache 3000 16 256
    access_log c:/squid/var/logs/access.log squid
    logfile_daemon c:/squid/libexec/logfile-daemon.exe
    cache_log c:/squid/var/logs/cache.log
    cache_store_log c:/squid/var/logs/store.log
    mime_table c:/squid/etc/mime.conf
    pid_filename c:/squid/var/logs/squid.pid
    debug_options ALL,1 33,2
    log_fqdn off
    unlinkd_program c:/squid/libexec/unlinkd.exe
    refresh_pattern ^ftp:		1440	20%	10080
    refresh_pattern ^gopher:	1440	0%	1440
    refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
    refresh_pattern .		0	20%	4320
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    connect_timeout 1 minute
    icon_directory c:/squid/share/icons
    error_directory c:/squid/share/errors/English
    dns_testnames abs.us.army.mil
    coredump_dir c:/squid/var/cache

    I used this PowerShell snippet to do it:
    Code:
    Get-Content .\squid.conf2.txt | Where-Object { $_ -ne ''} | Where-Object { $_.SubString(0,1) -NotMatch '#' } > squidclean.conf

    Anyhow, since you said this only happens with a few HTTPS pages it's probably safe to assume you have your configuration correct. What is probably happening is the ones that are failing can't call back to the certificate authority for a revocation check. I actually had this happen to a handful of domains on my Squid box. My proxies require authentication to get out and the connection request to the CA wasn't passing credentials to the proxy so the connection attempt was being swatted down. This resulted in the same problem you're having - where most SSL pages will work, but some won't. I know you're not using authentication, but from the looks of it you're using a whitelist setup and this would require the domains for those certificate authorities to be part of the list. Here are a couple:

    Code:
    .verisign.com
    .usertrust.com
    .entrust.net
    There are probably more that can be added. You can find them easily enough by browsing to one of the sites that don't work while looking at the access log. There will be a deny request right next to the allow for the domain you're trying to access and it'll be for a certificate authority. Add the domain to your noblock ACL and you should be good.

    I hope this helps.
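
The log check described in post #12, as an added example that is not part of the original thread: it lists requests Squid logged as TCP_DENIED within a few seconds of a CONNECT from the same client. The function name `Get-DeniedNearConnect`, the 5-second window and the sample log lines are assumptions made for illustration; the field layout is Squid's native access.log format.

```powershell
# Added example. Sample lines are constructed, in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
$sample = @(
    '1389800000.100    210 172.16.10.25 TCP_MISS/200 3512 CONNECT secure.example.test:443 - DIRECT/203.0.113.10 -'
    '1389800000.350      2 172.16.10.25 TCP_DENIED/403 1423 GET http://ocsp.example-ca.test/status - NONE/- text/html'
    '1389800000.410      1 172.16.10.25 TCP_DENIED/403 1431 GET http://crl.example-ca.test/root.crl - NONE/- text/html'
    '1389800042.000     95 172.16.10.31 TCP_DENIED/403 1400 GET http://ads.example.test/ - NONE/- text/html'
)

function Get-DeniedNearConnect {
    param([string[]]$Lines, [double]$WindowSeconds = 5)   # window size is an assumption

    # Parse each line into the fields needed; lines that do not match are skipped.
    $pattern = '^\s*(\d+\.\d+)\s+-?\d+\s+(\S+)\s+(\S+)\s+\d+\s+(\S+)\s+(\S+)'
    $entries = @(foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Time = [double]$Matches[1]; Client = $Matches[2]
                Action = $Matches[3]; Method = $Matches[4]; Url = $Matches[5]
            }
        }
    })

    # CONNECT requests that the proxy let through (the HTTPS tunnels).
    $tunnels = @($entries | Where-Object {
        $_.Method -eq 'CONNECT' -and $_.Action -notlike 'TCP_DENIED/*' })

    foreach ($d in ($entries | Where-Object { $_.Action -like 'TCP_DENIED/*' })) {
        # Host of the denied request: strip the scheme, then any port or path.
        $hostName = ($d.Url -replace '^[a-z]+://', '') -replace '[:/].*$', ''
        $near = $tunnels | Where-Object {
            $_.Client -eq $d.Client -and
            [math]::Abs($_.Time - $d.Time) -le $WindowSeconds
        } | Select-Object -First 1
        if ($near) {
            New-Object PSObject -Property @{
                Client = $d.Client; DeniedHost = $hostName; TunnelTo = $near.Url
            }
        }
    }
}

# Live log path taken from the access_log line of the posted config:
#   Get-DeniedNearConnect -Lines (Get-Content c:\squid\var\logs\access.log)
Get-DeniedNearConnect -Lines $sample |
    Sort-Object DeniedHost -Unique |
    Format-Table Client, DeniedHost, TunnelTo -AutoSize
```

Review each reported host before adding it to the noblock ACL; the time correlation shows proximity to an HTTPS request, not that the host belongs to a certificate authority.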

  13. #13

    araczek
    Sir, thank you for your response! We had done a workaround but it seems this won't suffice. Are you saying check access.log? Don't see much there. I will try cache.log next.

  14. #14

    araczek
    What I do see in the access.log are TCP_MISS/404 if that means anything. Site not found??

  15. #15

    araczek
    Tried modifying the allowed sites list with:
    .com
    .net
    .gov
    .edu
    That's it, nothing else. So not much is blocked but I still have the same problem.
