On 2013/03/16 18:40, John Tate wrote:
> It seems the version of squid in ports for 5.2 doesn't support SSL or
> doesn't support it the same way. What changed?
>
> The errors:
> 2013/03/16 00:33:30| The request CONNECT bitomat.pl:443 is DENIED,
> because it matched 'Safe_ports'
> 2013/03/16 00:33:30| The reply for CONNECT bitomat.pl:443 is ALLOWED,
> because it matched 'Safe_ports'

This is slightly confusing but afaik is normal behaviour when something is rejected; first it indicates that the *request* was rejected, then that the *reply* (i.e. the "access denied" response) was allowed. Still it gives a clue that the problem is with Safe_ports:

-- -- --
acl Safe_ports port 21 80
acl SSL_ports port 443
...
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
...
acl lan src 127.0.0.1
http_access allow localhost
http_access allow lan
-- -- --

...so you deny ANY requests unless the dest port is 21/80.

...then you deny CONNECT requests except for port 443 - but this is never reached because you already denied any request other than to 21/80. So you just need to fix Safe_ports.

> It only started doing this after I upgraded from 5.1 to 5.2 and rebuilt
> squid in ports.

I don't see how this config can have worked with 5.1 either. In any event there were no substantial changes in the Squid port between 5.1 (2.7.STABLE9p15) and 5.2 (2.7.STABLE9p19), just readme tweaks and ports infrastructure changes. (There are bigger changes in 5.3, which has a choice of squid 2.7 and squid 3.2 - generally 3.2 is preferred, though it doesn't build on some arch so 2.7 is kept around for now.)
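
Added example, not part of the original message and not Squid's own code: a simplified Python model of first-match http_access evaluation, run over the posted rules to show which line decides the logged CONNECT to port 443. The CONNECT and localhost definitions, the client address, and adding 443 to Safe_ports as the fix are assumptions, since the post elides them.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# Rules are checked top to bottom; every ACL on a line must match (AND);
# the first matching line decides the request.

def build_acls(safe_ports):
    # Each ACL is a predicate over a request dict.
    return {
        "Safe_ports": lambda r: r["port"] in safe_ports,
        "SSL_ports": lambda r: r["port"] in {443},
        "lan": lambda r: r["src"] == "127.0.0.1",
        # Assumed definitions; the posted config elides them ("...").
        "CONNECT": lambda r: r["method"] == "CONNECT",
        "localhost": lambda r: r["src"] == "127.0.0.1",
    }

# The http_access lines from the posted config, in order.
RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["lan"]),
]

def term_matches(term, acls, req):
    negate = term.startswith("!")
    result = acls[term.lstrip("!")](req)
    return not result if negate else result

def evaluate(req, safe_ports):
    """Return (action, deciding_rule) for a request."""
    acls = build_acls(safe_ports)
    for action, terms in RULES:
        if all(term_matches(t, acls, req) for t in terms):
            return action, " ".join(terms)
    # With no match, Squid applies the opposite of the last rule's action.
    last = RULES[-1][0]
    return ("deny" if last == "allow" else "allow"), "(default)"

# Constructed sample request matching the logged CONNECT bitomat.pl:443.
REQ = {"method": "CONNECT", "port": 443, "src": "127.0.0.1"}

if __name__ == "__main__":
    print("posted:", evaluate(REQ, {21, 80}))       # Safe_ports as posted
    print("fixed: ", evaluate(REQ, {21, 80, 443}))  # assumed fix: add 443
```

With 443 in Safe_ports the second deny line becomes reachable, so CONNECT to any port other than 443 is still refused.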

