Search squid archive

Re: transparent proxy bypass https traffic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Razvan Grigore wrote:
Hello,

I'm using squid 2.6.STABLE6 on CentOS. I succesfully configured squid
both as a transparent proxy and normal proxy that's working fine on
http and https in normal mode, but on transparent mode https is a
challenge.

http_port 3128
http_port 3129 transparent

i'm redirecting with iptables like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 10.0.0.0/8 --dport
80 -m mark --mark 0x0 -j REDIRECT --to-port 3129

I have 2 types of clients, that are accessing internet through squid
or directly.

How can i bypass squid for https traffic ONLY for squid users?

What do you mean by this?
1) explicitly configured proxy clients should have no problems with HTTPS.
2) transparently redirecting encrypted traffic to squid 2.6 will fail since squid is expecting HTTP, not binary encryption.


I tried like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 10.0.0.0/8 --dport
443 -m mark --mark 0x0 -j REDIRECT --to-port 3129

but it gives:

2008/03/22 16:54:41| parseHttpRequest: Requestheader contains NULL characters
2008/03/22 16:54:41| parseHttpRequest: Unsupported method ''
2008/03/22 16:54:41| clientReadRequest: FD 19 (10.x.x.3:1104) Invalid Request

I think that i can make iptables rules for every ip in squid for
allowing direct https, but i want to avoid this.

2.6 has no capability for transparent HTTPS. If you continue with that version of squid you will have to unblock the HTTP outbound traffic. Configured clients will use the proxy even if its open, others will get working HTTPS direct traffic.


is squid 3 capable through ssl bump for allowing https traffic without
braking the certificate? or at least without notiffing the user.

Yes Squid 3-HEAD (3.1 alpha) can cope with this. You will need to build it yourself from sources, but give it try.

http://www.squid-cache.org/Versions/v3/HEAD/

Thank you!

Thank you.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux