Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
Hello,

About ports for SSH, I think the best way is to add an SSH server running on or ports, and not to change the https 443 port to ssh ports. It is the simple way and does not need the change to the https way.

On 12/10/2014 02:48 AM, Timothy Spear wrote:

Hello,

Here is the issue: I can proxy through Squid just fine to HTTP and HTTPS. I can also run SSH via Corkscrew to an SSH server running on port 443 and it works fine. What I cannot do is access HTTPS or SSH on any other port except 443. I have lost track of the number of things I have tried, so any help will be appreciated, and I feel like I am missing something simple.

OS: Ubuntu 14.04.1 LTS
Squid: 3.3.8-1ubuntu6.1

Here is my current Squid 3 configuration:

debug_options all,3

# local network we proxy for
acl localnet src 10.110.98.0/24

# what ports can be the destination
acl allowedPorts port 21
acl allowedPorts port 22
acl allowedPorts port
acl allowedPorts port 80
acl allowedPorts port 443
acl allowedPorts port 8443

acl CONNECT method CONNECT

# determine the available sites
acl allowedSites dstdomain "/etc/squid3/allowed-sites.squid"

# now block anything not on the localnet or ports
http_access deny !localnet
# allow connect only for approved ports
http_access deny CONNECT !allowedPorts
# now only allow to the specific sites
http_access allow localnet allowedSites allowedPorts

http_port 3128
access_log /var/log/squid3/access.log squid
hosts_file /etc/hosts

Background (just FYI): I am trying to set up Squid to control network access from a local subnet to a select number of domains. I do not need to bump the encrypted traffic and play man in the middle; I just need to prevent the servers on the local network from accessing unauthorized networks. Yes, I know I can do this in the firewall, but that is IP based and I am dealing with enough other companies that maintaining the IP list has become a major pain. Instead I want to use domains, which I can do in Squid.

Thanks,
Tim

___ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users

--
Don't send me documents in .doc, .docx, .xls, .ppt, .pptx
Send it with ODF format: .odt, .odp, .ods or .pdf.
Try to use Open Document Format: http://el.libreoffice.org/
Save your money, use a GNU/Linux Distro http://distrowatch.com/
- First they ignore you, then they ridicule you, then they fight you, then you win!!!
Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
Here is the access log. I should have included it in the original post. This is accessing a test machine I set up to hit SSH on 22 and 443. I can also hit HTTPS on multiple other ports.

1413125068.706     87 10.110.98.21 TCP_MISS/503 0 CONNECT XXX..com:22 - HIER_NONE/- -
1413125086.496   8061 10.110.98.21 TCP_MISS/200 3657 CONNECT XXX..com:443 - HIER_DIRECT/54.68.15.208 -

Yes, my intent in the rule set is to provide a list of allowed ports and sites.

Tim

On Oct 11, 2014, at 11:37 PM, B crazywo...@outlook.com wrote:

Check out your access log and see what it says. Sounds like you are looking for an AFW from squid. The ports themselves are defined. You need to make sure the other ports are opened. Your rule tells squid to block the non-allowed sites to the non-allowed ports. Still sounds like a FW function, but with the domain feature only.

-B
Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
Sergey,

I do not control the destination ports; my servers communicate with servers at other companies. In some cases, there are SFTP communications I must perform on 443.

Tim

On Oct 12, 2014, at 8:08 AM, Sergey Tsabolov (aka linuxman) serg...@greeklug.gr wrote:

Hello,

About ports for SSH, I think the best way is to add an SSH server running on or ports, and not to change the https 443 port to ssh ports. It is the simple way and does not need the change to the https way.
Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
Do you have the log for the connection when you can't access? Other than 22 and 443 as you said.

Thanks,
-B

Subject: Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
From: n61...@gmail.com
Date: Sun, 12 Oct 2014 10:49:05 -0400
CC: n61...@gmail.com; squid-users@lists.squid-cache.org
To: crazywo...@outlook.com

Here is the access log. I should have included it in the original post. This is accessing a test machine I set up to hit SSH on 22 and 443. I can also hit HTTPS on multiple other ports.

1413125068.706     87 10.110.98.21 TCP_MISS/503 0 CONNECT XXX..com:22 - HIER_NONE/- -
1413125086.496   8061 10.110.98.21 TCP_MISS/200 3657 CONNECT XXX..com:443 - HIER_DIRECT/54.68.15.208 -

Yes, my intent in the rule set is to provide a list of allowed ports and sites.

Tim
Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
B,

I was going to attach the logs, but I now feel like an idiot. :D The jump box I am running Squid on currently only allows 80 and 443 outbound. I recalled this when I went to scp the log files and the connection was refused. I detest overlooking things like this. Sometimes, you really need to question any assumptions.

Tim

On Oct 12, 2014, at 11:11 AM, crazy world crazywo...@outlook.com wrote:

Do you have the log for the connection when you can't access? Other than 22 and 443 as you said.

Thanks,
-B
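The diagnosis the thread arrives at can be checked offline. As an added example (not code from the thread or from Squid), the Python below replays the posted http_access rules against CONNECT requests and reads native-format access.log lines, separating an ACL denial (TCP_DENIED/403) from a tunnel Squid allowed but could not open (TCP_MISS/503 with HIER_NONE), which is what the jump box's outbound filter produced for port 22. The allowed-sites set, the un-redacted hostname and the third log line are constructed stand-ins.

```python
from ipaddress import ip_address, ip_network

# ACLs from the posted squid.conf, modelled here as an added example (not the
# thread's or Squid's code). The "acl allowedPorts port" line that lost its port
# number is left out; the dstdomain file is stood in for by a constructed set.
LOCALNET = ip_network("10.110.98.0/24")
ALLOWED_PORTS = {21, 22, 80, 443, 8443}
ALLOWED_SITES = {".partner.example"}   # constructed; leading dot = domain plus subdomains


def dstdomain_match(host, patterns):
    """Squid dstdomain semantics: 'a.b' matches only a.b; '.a.b' matches a.b and *.a.b."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def http_access(src, method, host, port):
    """Walk the three posted http_access lines top to bottom; the first match wins."""
    localnet = ip_address(src) in LOCALNET
    allowed_port = port in ALLOWED_PORTS
    if not localnet:                                   # http_access deny !localnet
        return "deny"
    if method == "CONNECT" and not allowed_port:       # http_access deny CONNECT !allowedPorts
        return "deny"
    if dstdomain_match(host, ALLOWED_SITES) and allowed_port:
        return "allow"                                 # http_access allow localnet allowedSites allowedPorts
    return "deny"   # nothing matched: Squid applies the opposite of the last rule (allow -> deny)


def parse_native(line):
    """Split a native-format access.log line: time elapsed client code/status bytes method url ..."""
    f = line.split()
    code, status = f[3].split("/", 1)
    host, _, port = f[6].rpartition(":")               # a CONNECT target is host:port
    return {"client": f[2], "code": code, "status": int(status), "method": f[5],
            "host": host, "port": int(port), "hier": f[8].split("/", 1)[0]}


def diagnose(line):
    """Return (where the CONNECT was stopped, what the ACLs would have said) for one log line."""
    e = parse_native(line)
    verdict = http_access(e["client"], e["method"], e["host"], e["port"])
    if e["code"] == "TCP_DENIED" or e["status"] == 403:
        where = "denied by http_access"                # the fix is in squid.conf
    elif e["status"] == 503 and e["hier"] == "HIER_NONE":
        where = "upstream connect failed"              # ACLs passed; look past Squid: egress firewall, DNS, route
    elif e["status"] == 200 and e["hier"] == "HIER_DIRECT":
        where = "tunnel established"
    else:
        where = "other"
    return where, verdict


# Constructed sample log, shaped like the two lines posted in the thread plus one ACL denial.
SAMPLE_LOG = [
    "1413125068.706     87 10.110.98.21 TCP_MISS/503 0 CONNECT sftp.partner.example:22 - HIER_NONE/- -",
    "1413125086.496   8061 10.110.98.21 TCP_MISS/200 3657 CONNECT sftp.partner.example:443 - HIER_DIRECT/54.68.15.208 -",
    "1413125100.000      0 10.110.98.21 TCP_DENIED/403 3800 CONNECT sftp.partner.example:2222 - HIER_NONE/- text/html",
]
```

Run `diagnose` over each line of SAMPLE_LOG: the port 22 line reports that the ACLs allowed it and the connect failed beyond Squid, which is the signature to look for before touching squid.conf.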
Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
On 12/10/2014 11:33 AM, Timothy Spear wrote:

B,

I was going to attach the logs, but I now feel like an idiot. :D The jump box I am running Squid on currently only allows 80 and 443 outbound. I recalled this when I went to scp the log files and the connection was refused. I detest overlooking things like this. Sometimes, you really need to question any assumptions.

You are not alone! Sometimes-Always

Tim

--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102
Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
On 10/12/2014 05:18 AM, Timothy Spear wrote:

Hello,

Here is the issue: I can proxy through Squid just fine to HTTP and HTTPS. I can also run SSH via Corkscrew to an SSH server running on port 443 and it works fine. What I cannot do is access HTTPS or SSH on any other port except 443.

Look at SSL_ports and Safe_ports in your squid.conf (unless you rewrote it completely).

Amm.
Re: [squid-users] SSL/SSH/SFTP/FTPS to alternate ports
Check out your access log and see what it says. Sounds like you are looking for an AFW from squid. The ports themselves are defined. You need to make sure the other ports are opened. Your rule tells squid to block the non-allowed sites to the non-allowed ports. Still sounds like a FW function, but with the domain feature only.

-B