I'm doing a poor job finding this in the documentation, but as of right now attempting to log in to sites like Gmail through the proxy gets me into a redirect loop with sites saying cookies aren't enabled.

In old documentation I can find there is a header_access but that doesn't seem to exist in 3.1 -- What simple thing am I missing? Does it have anything to do with SSL?

# /usr/local/sbin/squid -v
Squid Cache: Version 3.1.0.13

# uname -mrs
FreeBSD 8.0-RELEASE i386



squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8


# auth info
auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

# allow users who auth
http_access allow ncsa_users
http_access allow ncsa_users CONNECT
http_access deny all

# port
http_port 1987

hierarchy_stoplist cgi-bin ?
coredump_dir /usr/local/squid/cache
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

visible_hostname rickon
scraft3613
  • If using Firefox, can you give the output of LiveHTTPHeaders in capture mode when you try to access GMail? Remember to obfuscate usernames and passwords, please! – BMDan Jul 01 '10 at 19:39
  • Absolutely: http://pastebin.ca/1893472 – scraft3613 Jul 02 '10 at 16:32
  • Here's perhaps the random-est question you've heard recently: have you checked the clocks on the proxy server and your client computer? Remember to check their time zones/DST settings, as well. – BMDan Jul 05 '10 at 16:46
  • All time zone/settings match proxy server and clients, happening on at least three client machines I was able to test. – scraft3613 Jul 06 '10 at 06:14

1 Answer

In version 3.0 of Squid header_access was removed. More specifically, according to http://www.squid-cache.org/Versions/v3/3.0/RELEASENOTES.html#ss6.3, the use of header_access has been replaced by request_header_access / reply_header_access.

See the following for more details on using request_header_access and reply_header_access:

www.squid-cache.org/Doc/config/request_header_access/

www.squid-cache.org/Doc/config/reply_header_access/

runlevelsix
  • Ah okay, and do any of those options seem like it would pertain to the redirect loop I'm getting? ( http://pastebin.ca/1893472 ) None seems to specifically mention cookies or anything of that sort. Still having trouble figuring out exactly what's going on with this, just can't use squid for anything I need users to log in to. – scraft3613 Jul 07 '10 at 00:15
  • It looks like you need to add support for passing headers from the web server through Squid to the client computer. I think you need to at least add "request_header_access Cookie allow all" to the configuration file to allow cookies to be passed to the client computer. For additional reference, check out http://www.sohailriaz.com/anonymous-proxy-using-squid-3/ which is a walkthrough for setting up Squid 3 as a proxy and includes a series of request_header_access options (specifically the section titled "Enable Anonymizer (Anonymous Proxy)"). Some of those might also be relevant. – runlevelsix Jul 07 '10 at 03:07
  • I added that option, still same loop, also added all the request_header_access allow alls in the link provided and still experiencing the same loop. Seems like something else must be going on, I'm just still unsure where to look (and the live-header data I showed here: http://pastebin.ca/1893472 is indecipherable to me). – scraft3613 Jul 07 '10 at 19:36
  • It looks like it's a problem with SSL redirection. I will do some research on our squid server tonight when I am not on the road and see if I can determine the cause and fix for it. – runlevelsix Jul 07 '10 at 20:43
  • Much appreciated, looks like you'll get the bounty on this regardless so I'm glad for any further help. – scraft3613 Jul 07 '10 at 21:36
  • I am assuming you are trying to make this a transparent proxy. After http_port 1987 add 'transparent' ("http_port 1987 transparent"). Also, make sure that you are not trying to redirect port 443 to a different port as SSL is designed to prevent this. (See http://pastebin.mozilla.org/746452 for a copy of squid.conf that we currently have for using Squid as a transparent proxy). – runlevelsix Jul 08 '10 at 03:57
  • Also, what happens when you run "nc -zvw 1 gmail.com 443" and when you run "openssl s_client -host gmail.com -port 443" from the Squid server? The first should show that https is open and working and the second that it can retrieve the SSL certificate. – runlevelsix Jul 08 '10 at 03:58
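
Added example, not part of the original thread or of Squid itself: a small Python check for the header_access migration discussed in the answer. It flags lines that still use the removed header_access directive and reports whether the request_header_access / reply_header_access rules would strip Cookie or Set-Cookie. The names audit_header_rules and SAMPLE_CONF are hypothetical, the sample config is constructed, and the check assumes every rule applies unconditionally (the ACL list after allow/deny is ignored) and that a header-specific rule takes precedence over an "All" rule.

```python
import re

# Constructed sample: an anonymizer-style fragment, not taken from the page.
SAMPLE_CONF = """\
http_port 1987
header_access Cookie deny all
request_header_access User-Agent allow all
request_header_access All deny all
reply_header_access Set-Cookie allow all
reply_header_access All deny all
"""

RULE = re.compile(
    r"^\s*(header_access|request_header_access|reply_header_access)"
    r"\s+(\S+)\s+(allow|deny)\b", re.IGNORECASE)

def audit_header_rules(conf_text):
    """Return (deprecated, blocked): line numbers still using header_access,
    and which of Cookie / Set-Cookie the remaining rules would strip."""
    deprecated = []
    rules = {"request": {}, "reply": {}}  # direction -> header -> first action
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = RULE.match(line.split("#", 1)[0])  # ignore trailing comments
        if not m:
            continue
        directive, header, action = (g.lower() for g in m.groups())
        if directive == "header_access":
            # Removed in Squid 3.0 per the release notes; only reported here.
            deprecated.append(lineno)
            continue
        direction = directive.split("_", 1)[0]  # "request" or "reply"
        rules[direction].setdefault(header, action)
    blocked = []
    for direction, header in (("request", "cookie"), ("reply", "set-cookie")):
        table = rules[direction]
        # Assumption: a header-specific rule wins over "All"; with no
        # matching rule the header is passed through unchanged.
        if table.get(header, table.get("all", "allow")) == "deny":
            blocked.append(f"{direction}:{header}")
    return deprecated, blocked

if __name__ == "__main__":
    print(audit_header_rules(SAMPLE_CONF))
```

A configuration with no header rules at all, like the squid.conf in the question, yields no findings from this check.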