On Wed, Oct 12, 2011 at 11:05 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 12/10/11 17:33, nipun_mlist Assam wrote:
>>
>> This may be relevant to this question.
>> While trying to use squid for transparent proxy (tproxy) on linux
>> (kernel 2.6.39 with centos 6.0), I noticed the following
>>
>> 1. Client IP spoofing doesn't work (but for our work, this requirement
>> was a must).
>
> In what way?

The root web server was seeing the IP of the squid box, not of the client machine, for all HTTP requests. I.e. the web server will see that the HTTP requests are coming from the squid box. Our requirement is that both the web servers and client machines should not be aware of a squid proxy sitting in between, and hence they should not see the IP of the squid box in HTTP-related traffic.

squid.conf is as shown below (I am pasting only http_port related lines):

.
.
http_port 85 tproxy
http_port 86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
.
.

IPTABLES was configured as shown below (port 80 traffic is forwarded to port 85 where squid "expects" HTTP traffic, and port 443 traffic is forwarded to port 86 where "HTTPS" traffic is expected):

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 85
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 86

>
>> 2. Squid with tproxy doesn't work with HTTPS traffic.
>
> In what way?
>
> HTTP:
> http_port 1 tproxy ...
>
> HTTPS:
> https_port 2 tproxy ...
>
>>

We cannot use https_port here, because we are seeing the traffic from squid to the root webserver going as HTTP traffic after that.

We configured squid as follows:

http_port port1 tproxy
http_port port2 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

In the case of http_port, squid uses the "HTTP CONNECT" as a trigger to switch to SSL. But with tproxy, there won't be any HTTP CONNECT from the browsers (as browsers won't know they are going through a proxy), and then squid fails (as it expects an HTTP request, but actually SSL connect/handshake related data arrives).

>> I made fixes for both the issues and then the above problems were solved.
>> I made an assumption that traffic with destination port 443 will be
>> always used for HTTPS, and that I used as an indication to switch
>> to SSL on the squid side. Squid will transparently listen on two ports;
>> one of these ports will be used for port 80 traffic and the other for
>> port 443 traffic.
>
>
> You cannot make this assumption. The system administrator has configured the
> port (http_port vs https_port) to match the traffic arriving. Both in Squid
> and in the firewall. Replacing this manual configuration automatically with
> a possibly wrong assumption is not a good thing to do.
>

Ok. I will do the change.

> Also, Squid does not correctly handle the SSL when it arrives via
> interception. Due to not having the SSL security keys which are installed on
> the destination web server the client was contacting.
> Do not confuse this with a TPROXY failure.
>

Yes. We are aware of this issue. Working around this issue might be a lot of work.

>> I made the changes in the squid 3.2.0.10 code base. I am wondering if
>> those fixes are already available somewhere.
>>
>> Regards,
>> Nipun
>>
>
> Please first re-check your solution to #2 in light of the https_port
> directive and comments above.
>
> Please check that the changes will still apply easily on the latest 3.2
> series or 3.HEAD series code.
>
> Then please submit to squid-dev mailing list for review. The submission
> guidelines can be found at:
> http://wiki.squid-cache.org/MergeProcedure
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.15
> Beta testers wanted for 3.2.0.12
>
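As an added illustration, not code from Squid or from this thread: the Python below looks at the first bytes of an intercepted connection and tells a TLS ClientHello from an HTTP request line by content, which is the check the "port 443 means HTTPS" assumption in #2 lacks (TLS arriving on a non-443 port, or plain HTTP on 443, would be handed to the wrong parser). The sample bytes are constructed.

```python
import re

# HTTP/1.x request line: METHOD SP target SP HTTP/1.0|1.1 CRLF.
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r?\n")

# Largest TLS record payload (2^14 plus 2048 bytes of expansion).
MAX_TLS_RECORD = 0x4800


def classify_prefix(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes read on a socket."""
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte length, then a handshake header whose type 0x01 is ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        rec_len = int.from_bytes(data[3:5], "big")
        if data[5] == 0x01 and 0 < rec_len <= MAX_TLS_RECORD:
            return "tls"
    # A complete request line is required; a partial read stays 'unknown'
    # so the caller knows to read more before deciding.
    if REQUEST_LINE.match(data):
        return "http"
    return "unknown"


def classify_intercepted(dst_port: int, data: bytes) -> dict:
    """Compare the port-only guess with the content-based decision."""
    by_port = "tls" if dst_port == 443 else "http"   # the rejected assumption
    by_content = classify_prefix(data)
    return {"by_port": by_port, "by_content": by_content,
            "agree": by_port == by_content}


# Constructed samples: a plain GET, and the leading bytes of a TLS 1.2
# ClientHello (record header, handshake header, client version, zero random).
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
CLIENT_HELLO_PREFIX = bytes.fromhex("16030100330100002f0303") + b"\x00" * 32

if __name__ == "__main__":
    for port, first_bytes in ((80, HTTP_GET), (443, CLIENT_HELLO_PREFIX),
                              (8443, CLIENT_HELLO_PREFIX), (443, HTTP_GET)):
        print(port, classify_intercepted(port, first_bytes))
```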