Re: Is "https_port" required for transparent (reverse) proxying?

Hello Matus,

Okay, so the terminology is no longer "transparent" and instead I should use "intercepting".

Here is what I have:

 --------------                   -----------------                          -------------------
 |   Client   |     Internet      | Firewall host |     Internal Network     |   Secure Web    |
 |  Computer  | <---------------> | with IPtables | <----------------------> |  Server (https) |
 |            |                   |   and Squid   |                          | port 80 and 443 |
 --------------                   -----------------                          -------------------

The trouble we are having is Squid is not passing the https traffic through.

Sanitized squid.conf file.
================================================================================
#
# ----------------------------------------------------------------------
http_port 209.202.99.178:80
http_port 192.168.2.40:8080
https_port 209.202.99.178:443 cert=/etc/squid/KCL.pem

# ----------------------------------------------------------------------
# Visible and servers unique hostname.
visible_hostname  proxy1.komatsu.ca
unique_hostname   proxy1.komatsu.ca

# ----------------------------------------------------------------------
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_effective_user squid
cache_dir ufs    /usr/spool/squid 100 16 256
cache_access_log /usr/log/squid/access.log
cache_log        /usr/log/squid/cache.log
cache_store_log  /usr/log/squid/store.log
logfile_rotate 4

cache_mgr WebMaster@xxxxxxxxxx
#
cachemgr_passwd <blah> 5min
cachemgr_passwd <blah> 60min
cachemgr_passwd <blah> asndb
cachemgr_passwd <blah> authenticator
cachemgr_passwd <blah> cbdata
cachemgr_passwd <blah> client_list
cachemgr_passwd <blah> comm_incoming
cachemgr_passwd <blah> config *
cachemgr_passwd <blah> counters
cachemgr_passwd <blah> delay
cachemgr_passwd <blah> digest_stats
cachemgr_passwd <blah> dns
cachemgr_passwd <blah> events
cachemgr_passwd <blah> filedescriptors
cachemgr_passwd <blah> fqdncache
cachemgr_passwd <blah> histograms
cachemgr_passwd <blah> http_headers
cachemgr_passwd <blah> info
cachemgr_passwd <blah> io
cachemgr_passwd <blah> ipcache
cachemgr_passwd <blah> mem
cachemgr_passwd <blah> menu
cachemgr_passwd <blah> netdb
cachemgr_passwd <blah> non_peers
cachemgr_passwd <blah> objects
cachemgr_passwd <blah> pconn
cachemgr_passwd <blah> peer_select
cachemgr_passwd <blah> redirector
cachemgr_passwd <blah> refresh
cachemgr_passwd <blah> server_list
cachemgr_passwd <blah> shutdown *
cachemgr_passwd <blah> store_digest
cachemgr_passwd <blah> storedir
cachemgr_passwd <blah> utilization
cachemgr_passwd <blah> via_headers
cachemgr_passwd <blah> vm_objects
# ----------------------------------------------------------------------
# Use the external DNS servers.
dns_nameservers 192.168.2.41 192.168.2.42 209.202.99.178 209.202.99.179
# ----------------------------------------------------------------------
# ----------------------------------------------------------------------
auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldap_host -p port -P -b o=organization -f "(|(uid=%s)(mail=%s))"

auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minute

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h ldap_host -p port -P -b o=organization -F "(|(uid=%s)(mail=%s))" -f "(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern .        0    20%    4320

# ----------------------------------------------------------------------
# Default Squid ACL's
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 80
acl Safe_ports port 81
acl Safe_ports port 82
acl Safe_ports port 86
acl Safe_ports port 88
acl Safe_ports port 89
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 443 563
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT

# ----------------------------------------------------------------------
# KCL Defined ACL's and http_access definitions.
acl kcl_users proxy_auth REQUIRED
acl kcl_networks src 192.168.2.0/24
acl dmz_networks src 209.202.99.176/28

acl portals_url                  url_regex  https://portal.komatsu.ca
acl portals_networks             src        0.0.0.0/0

acl portal_url                   url_regex  http://portal.komatsu.ca
acl portal_networks              src        0.0.0.0/0


# LDAP group acl definitions.
#
# Proxy
acl proxy_groups external ldap_group proxy

http_access allow manager localhost
http_access allow manager kcl_networks
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#
# ----------------------------------------------------------------------
# A problem has occurred with Microsoft's HotMail service.  It seems
# MS did an update recently to IE and hotmail is no longer proxyable
# without the following controls.   This is information from the
# Squid user's mailing list.
# Tim Neto  23 December 2004
#
acl hotmail_domains dstdomain .hotmail.msn.com
acl ie6 browser MSIE[[:space:]]6
header_access Accept-Encoding deny ie6 hotmail_domains

# ----------------------------------------------------------------------
# Note: KCL deny rules must exist before any allow rules.
#
acl no_errorguard_com   dstdomain .errorguard.com
acl no_kazaa            dstdomain .kazaa.com
acl no_kilopics         dstdomain .kilopics.com
acl no_lingerie-mania   dstdomain .lingerie-mania.com
acl no_lun_com          dstdomain .lun.com
acl no_miniclip         dstdomain .miniclip.com
acl no_puretracks       dstdomain .puretracks.com
acl no_uproar           dstdomain .uproar.com

http_access deny no_errorguard_com
http_access deny no_kazaa
http_access deny no_kilopics
http_access deny no_lingerie-mania
http_access deny no_lun_com
http_access deny no_miniclip
http_access deny no_puretracks
http_access deny no_uproar

# ----------------------------------------------------------------------
# Allow all proxy users to all web addresses.
#
http_access allow kcl_networks proxy_groups

# ----------------------------------------------------------------------
# Allow access from the Internet for portal
#
http_access allow portals_url             portals_networks
http_access allow portal_url              portal_networks

# ----------------------------------------------------------------------
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

# ----------------------------------------------------------------------
httpd_accel_host virtual
httpd_accel_port 0
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# ----------------------------------------------------------------------
coredump_dir /usr/spool/squid
================================================================================


The iptables definitions are:
================================================================================
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -d 192.168.2.4 --dport 23 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
#
# Block all X11 and VNC packets on the external interface.
#
-A RH-Firewall-1-INPUT -p tcp -m tcp -d 209.202.99.178 --dport 5800:6100 --syn -j REJECT
-A RH-Firewall-1-INPUT -p tcp -m tcp -d 209.202.99.178 --dport 8003 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.2.42 --sport 53 -d 0/0 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 209.202.99.178 --sport 53 -d 0/0 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 209.202.99.179 --sport 53 -d 0/0 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Firewall-1-INPUT -p udp -m udp -j REJECT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
#
# The Mangle table. For reverse routes the packets are accepted in the
#    FORWARD chain for replying packets on the internal NIC only.
#
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.2.229 -d 192.168.2.4 -i eth2 -o eth1 -p tcp --dport 8080 -j ACCEPT
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#
#
# Here is the "magic" table.  All SNAT rules here only work with the
#    POSTROUTING chain.  The DNAT rules work best in the PREROUTING chain,
#    but according to the "bible" the rules can be defined in the OUTPUT
#    chain too.
#
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# -------------------
-A PREROUTING -i eth1 -s ! 209.202.99.178 -p tcp --dport 443 -j DNAT --to 192.168.2.4:8080
# -------------------
-A POSTROUTING -o eth1 -s 192.168.2.229 -d 192.168.2.4 -j SNAT --to 127.0.0.1
# -------------------
COMMIT
#
================================================================================

So the question remains, how do I pass HTTPS traffic from the open Internet to my internal web server using Squid 2.5STABLE11?

Thanks.

Tim

-----------------------------------------------------------
Timothy E. Neto
Computer Systems Engineer         Komatsu Canada Limited
Ph#: 905-625-6292 x265            1725B Sismet Road
Fax: 905-625-6348                 Mississauga, Canada
E-Mail: tneto@xxxxxxxxxx          L4W 1P9
-----------------------------------------------------------



Matus UHLAR - fantomas wrote:

On 30.11 17:47, Tim Neto wrote:
The remark about "This is really only useful for situations where you are running squid in accelerator mode and you want to do the SSL work at the accelerator level." makes me question whether I need an "https_port" directive.

So do I need "https_port" for transparent (reverse) proxying in 2.5 STABLE 11?

No.
At first, there is no need for "transparent" reverse proxying, although it
is possible to do.

At second, there is no need for proxying https, unless you can't directly
reach https server from client.

The meaning of reverse HTTPS proxy is to allow https connections to HTTP
servers that do not support it, or to speed up http servers by moving SSL
functionality off them.

If you want "transparent" proxy, which we call intercepting (because the
word "transparent" means something completely different from HTTP's point of
view), you do not need to set https port.
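The http_port/https_port lines in the squid.conf above and the DNAT rule in the nat PREROUTING chain can be cross-checked mechanically: does every socket the firewall hands traffic to actually have a Squid listener, and does TLS arriving on port 443 land on an https_port rather than a plain http_port? The script below is an added example written for this archive page, not code from the thread or from the Squid project; it works on constructed excerpts of the two files quoted above and the interpretation of "--to" without a port (keep the original destination port) is iptables' documented behaviour.

```python
import re

# Constructed excerpts of the squid.conf and iptables-save text posted in the thread.
SQUID_CONF = """\
http_port 209.202.99.178:80
http_port 192.168.2.40:8080
https_port 209.202.99.178:443 cert=/etc/squid/KCL.pem
"""

IPTABLES_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -s ! 209.202.99.178 -p tcp --dport 443 -j DNAT --to 192.168.2.4:8080
COMMIT
"""

def squid_listeners(conf):
    """Map (ip, port) -> 'http' or 'https' for every http_port/https_port line.
    A bare port with no address is recorded under '0.0.0.0' (all addresses)."""
    listeners = {}
    for directive, spec in re.findall(r'^\s*(https?_port)\s+(\S+)', conf, re.M):
        ip, _, port = spec.rpartition(':')
        listeners[(ip or '0.0.0.0', int(port))] = directive[:-5]  # strip '_port'
    return listeners

def dnat_targets(rules):
    """List (original_dport, target_ip, target_port) for nat PREROUTING DNAT rules."""
    pat = re.compile(r'^-A PREROUTING .*--dport (\d+) .*-j DNAT --to(?:-destination)? (\S+)', re.M)
    out = []
    for dport, to in pat.findall(rules):
        if ':' in to:
            ip, port = to.rsplit(':', 1)
        else:                       # '--to 10.0.0.1' keeps the original port
            ip, port = to, dport
        out.append((int(dport), ip, int(port)))
    return out

def check(conf, rules):
    """For each DNAT rule, report which Squid listener receives the traffic and
    whether TLS from port 443 is landing on an https_port or a plain http_port."""
    listeners = squid_listeners(conf)
    findings = []
    for dport, ip, port in dnat_targets(rules):
        scheme = listeners.get((ip, port)) or listeners.get(('0.0.0.0', port))
        target = f'dport {dport} -> {ip}:{port}'
        if scheme is None:
            findings.append(f'{target}: no http_port/https_port listens on this socket')
        elif dport == 443 and scheme != 'https':
            findings.append(f'{target}: TLS redirected onto a plain {scheme}_port')
        else:
            findings.append(f'{target}: ok, handled by {scheme}_port')
    return findings

if __name__ == '__main__':
    print('\n'.join(check(SQUID_CONF, IPTABLES_NAT)))
```

Run against the posted excerpts it reports that the DNAT target 192.168.2.4:8080 matches none of the three configured listeners, which is the first thing to reconcile before looking at certificates or ACLs.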


