I'm having issues getting squid to send traffic through a specific upstream gateway.

I need for a MS WSUS server and a Symantec Endpoint Protection Manager to get through a squid proxy to get out to Microsoft and Symantec respectively to get MS patches and Symantec DAT files.

The traffic needs to go through the squid proxy, through a firewall, and through an upstream McAfee gateway server. If it tries to take a path different than that upstream gateway to get out to the internet, it'll get dropped.

However, once the traffic goes through the proxy, it tries to go directly to the vendor website and not go through the McAfee gateway, and therefore is getting blocked by the firewall. The traffic never reaches the McAfee gateway.

If I configure a browser to use the proxy server and browse to some websites, it can get to http sites, but not https sites. Port 443 is what isn't getting through.

I thought this line in squid.conf was supposed to send the traffic to an upstream cache_peer parent gateway, but I could easily be misunderstanding what it's supposed to do. (I'm pretty new with squid)

    cache_peer <upstream gateway IP address> parent 8080 3130 proxy-only no-query no-netdb-exchange default login=<username>:<password>

The Safe_ports and SSL_ports are the squid.conf default settings, and include both port 443 and port 80 traffic.

Thanks,

PG
I should have mentioned - this is squid 3.3 running on CentOS 7.

On 10/29/2016 3:37 PM, paul.greene.va wrote:
> I'm having issues getting squid to send traffic through a specific upstream gateway.
> [...]

_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos
For SSL interception, SSLBump is required: http://wiki.squid-cache.org/Features/SslBump

This is a bit complex to set up. SSL interception is not really a good idea to implement. I think it will not work with an upstream proxy either.

--
Eero

2016-10-29 22:37 GMT+03:00 paul.greene.va <paul.greene.va at verizon.net>:
> I'm having issues getting squid to send traffic through a specific upstream gateway.
> [...]
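Putting the thread's pieces together, as an added example that is not from any of the posts above: a squid.conf fragment that forces every request from the two update servers, CONNECT to port 443 included, through the parent gateway, without SSL interception. The host and gateway addresses are constructed placeholders, the cache_peer line is the one from the original post, and it assumes the gateway accepts CONNECT from the proxy.

```conf
# Added example, not from the thread. Addresses are constructed placeholders.
http_port 3128

# Only the two servers that need vendor updates may use this proxy.
acl update_hosts src 10.0.5.10/32    # WSUS server (constructed address)
acl update_hosts src 10.0.5.11/32    # SEP Manager (constructed address)

# The stock Safe_ports / SSL_ports / CONNECT ACLs the original post refers to.
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow update_hosts
http_access deny all

# The cache_peer line from the original post, with a placeholder address.
# 'default' only makes this the peer of last resort; on its own it does not
# stop Squid from going direct.
# login= stores the gateway password in clear text: keep this file readable
# by root only (Squid reads it before dropping privileges).
cache_peer 192.0.2.1 parent 8080 3130 proxy-only no-query no-netdb-exchange default login=<username>:<password>

# Squid treats CONNECT (HTTPS) requests as non-hierarchical and, by default,
# opens them directly to the origin; that direct attempt is what the firewall
# drops, which is why only port 443 fails. never_direct forces every request,
# CONNECT included, to the parent.
never_direct allow all

# Belt and braces: only the update hosts are ever forwarded to the gateway.
cache_peer_access 192.0.2.1 allow update_hosts
cache_peer_access 192.0.2.1 deny all
```

After reloading, a CONNECT from one of the update hosts should appear in access.log with a FIRSTUP_PARENT/192.0.2.1 hierarchy tag rather than HIER_DIRECT; a HIER_DIRECT entry means the request is still bypassing the gateway.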