HTTP Anti-Virus Proxy http://havp.hege.li/forum/ |
Error while Connecting SSL Sites http://havp.hege.li/forum/viewtopic.php?f=3&t=463 |
Author: | Dhaval [ 26 May 2009 17:17 ] |
Post subject: | Error while Connecting SSL Sites |
Hi all, I have a User--->havp---->squid---->internet setup. I have configured havp to go through a parent proxy. Here is my havp configuration.

Code:
USER havp
GROUP havp
DAEMON true
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 8
MAXSERVERS 100
ACCESSLOG /var/log/havp/access.log
LOG_OKS false
LOGLEVEL 1
SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
TEMPDIR /var/tmp
DBRELOAD 60
TRANSPARENT false
PARENTPROXY localhost
PARENTPORT 3128
FORWARDED_IP true
X_FORWARDED_FOR true
PORT 8080
TEMPLATEPATH /etc/havp/templates/en
FAILSCANERROR true
SCANNERTIMEOUT 10
RANGE true
MAXSCANSIZE 5000000
KEEPBACKBUFFER 200000
KEEPBACKTIME 5
TRICKLING 30
TRICKLINGBYTES 1
MAXDOWNLOADSIZE 0
STREAMSCANSIZE 20000
ENABLECLAMLIB true
ENABLECLAMD false
ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false
ENABLEARCAVIR false
ENABLEDRWEB false

squid is also configured to listen on localhost:3128. Simple web pages are working fine, but a problem occurs when I try to access SSL-enabled web pages (https). I get errors in /var/log/havp/error.log

Code:
26/05/2009 17:49:39 (192.168.1.1) SSL tunneling failed through parentproxy (response: 301)
26/05/2009 17:51:15 (192.168.1.1) SSL tunneling failed through parentproxy (response: 301)
26/05/2009 17:51:15 (192.168.1.1) SSL tunneling failed through parentproxy (response: 301)
26/05/2009 17:56:27 (127.0.0.1) Could not read server header (192.168.1.1/ev.yieldbuild.com:80)
26/05/2009 17:58:28 (127.0.0.1) Could not read server header (192.168.1.1/ev.yieldbuild.com:80)
26/05/2009 18:04:58 (192.168.1.1) SSL tunneling failed through parentproxy (response: 301)
26/05/2009 18:05:56 (192.168.1.1) Could not send body to browser
26/05/2009 18:53:18 (127.0.0.1) Could not send browser body to server (192.168.1.1/httpcs.msg.yahoo.com:80)
26/05/2009 19:25:46 (127.0.0.1) Could not send browser body to server (192.168.1.1/httpcs.msg.yahoo.com:80)
26/05/2009 19:28:10 (127.0.0.1) Could not read server header (192.168.1.1/98.136.113.171:80)
26/05/2009 19:29:59 (192.168.1.1) Could not read browser header
26/05/2009 19:30:16 (127.0.0.1) Could not read server header (192.168.1.1/98.136.113.171:80)
26/05/2009 19:35:28 (127.0.0.1) Could not read server header (192.168.1.1/98.136.113.171:80)
26/05/2009 19:38:24 (127.0.0.1) Could not read server header (192.168.1.1/suggestqueries.google.com:80)
26/05/2009 19:40:27 (127.0.0.1) Could not read server header (192.168.1.1/98.136.112.136:80)

Here 192.168.1.1 is the user's IP address. Can anyone tell me what the problem is here? |
Author: | karesmakro [ 27 May 2009 09:56 ] |
Post subject: | Re: Error while Connecting SSL Sites |
Hi Dhaval! HAVP can't handle any SSL connections! The reason is that your server can't decrypt the requests, because this is point-to-point encryption. You can find some ways on Google to let Apache handle the SSL requests. But think twice about it, this is a performance question! In your configuration, clients have to connect directly to squid for any SSL connections. I suppose that you manually fill out the proxy settings for your clients. Another way would be to configure squid -> havp -> internet or squid->havp->squid and create an exception for SSL requests in your squid configuration. Regards, karesmakro EDIT: One keyword to search for an Apache example is mod proxy! |
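One way to write the "exception for ssl requests" in the squid -> havp -> internet layout suggested in the post above. This is an added example, not part of the original thread and not configuration shipped by either project. It assumes HAVP listens on 127.0.0.1:8080 (PORT 8080 in the posted HAVP config); the peer name `havp` is chosen for the example.

```squidconf
# squid.conf fragment for: client -> squid -> havp -> internet
# Assumption: clients use squid as their proxy, and HAVP fetches directly,
# i.e. PARENTPROXY / PARENTPORT are commented out in the HAVP config so
# requests do not loop back into squid.

# HAVP as the parent peer; no ICP, digest or netdb traffic to it.
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default name=havp

# These two ACLs and the http_access rule exist in a stock squid.conf;
# they are repeated here so the fragment reads on its own.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# Exception for SSL: CONNECT tunnels are end-to-end encrypted, so they are
# not handed to HAVP. squid opens the tunnel itself.
cache_peer_access havp deny CONNECT
always_direct allow CONNECT

# Everything else must pass through HAVP. never_direct stops squid from
# quietly fetching unscanned content itself when the peer is unreachable.
cache_peer_access havp allow all
never_direct allow all
```

`squid -k parse` checks the fragment for syntax errors before a reload. Traffic inside the CONNECT tunnels is not virus-scanned in this layout.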
Author: | TD-4242 [ 18 Jun 2010 20:26 ] |
Post subject: | Re: Error while Connecting SSL Sites |
This is similar to what we're doing:

Code:
user:80 -> squid -----\
                       -havp ->mod_proxy -> internet server
user:443->mod_proxy---/

We're currently working on the 443 mod_proxy and a single wildcard certificate and replacing it with an sslproxy with dynamic cert generation. This is being developed not only for virus scanning but also for Data Loss Prevention, allowing us to scan incoming/outgoing traffic for possible restricted data. |
Author: | karesmakro [ 18 Jun 2010 20:31 ] |
Post subject: | Re: Error while Connecting SSL Sites |
This sounds nice! Hope you want to share your solution |
Author: | TD-4242 [ 18 Jun 2010 23:03 ] |
Post subject: | Re: Error while Connecting SSL Sites |
Once it's at least in the "works for me" phase, I'll post the config and hopefully code. The sslproxy is based on GPL code but I have to get an OK to distribute it outside the company. |
All times are UTC + 2 hours [ DST ] |