Hey Guys,

I have been trying to run squid as a transparent proxy without configuring the client browser. This means that the traffic will NOT have CONNECT tunnelling involved.

I have set up two linux machines, one acting as the gateway for the other. On the 2nd machine I have squid running and I have configured the ip-tables on that machine to re-direct all port 80 (http) traffic to port 3128 and all port 443 (https) traffic to port 3129.

Things are working fine for me on HTTP only pages with no issues. My primary intention is to just act as a proxy and if that is achieved then maybe bump into the ssl connections.

The problem is that all HTTPS pages are getting stuck in a redirect loop to themselves. I used Mozilla Browser with the http live headers add-on to see that I was getting a 302 Moved Temporarily response for https pages. And the new location being pointed to in these responses was the same url again, hence the infinite loop. I could also see in squid's access log that the same url was being fetched in a loop, ending with the browser giving me the error.

Here is my squid conf related to ports:

    http_port 192.168.8.40:3128 transparent ssl-bump cert=/home/talha/squid/www.sample.com.pem key=/home/talha/squid/www.sample.com.pem
    https_port 192.168.8.40:3129 transparent ssl-bump cert=/home/talha/squid/www.sample.com.pem key=/home/talha/squid/www.sample.com.pem

My client machine conf:
Default route points to the machine running squid

Squid machine conf:
The concerned ip-tables entries are:
There are some other entries as well but I don't think they have any issue. I can paste them if anyone asks

    *nat
    -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
    *filter
    -A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3129 -j ACCEPT

Here is the output from the conversation between the browser and origin server:
Note that the Location in the response again points to same URL which causes the loop. Also in response header see the VIA field which says squid.

    https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2

    GET /ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2 HTTP/1.1^M
    Host: accounts.google.com^M
    User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20101005 Fedora/3.6.10-1.fc14 Firefox/3.6.10^M
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8^M
    Accept-Language: en-us,en;q=0.5^M
    Accept-Encoding: gzip,deflate^M
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7^M
    Keep-Alive: 115^M
    Connection: keep-alive^M
    Referer: http://mail.google.com/^M
    Cookie: PREF=ID=3c4702b684dfe11e:U=48b0a97895a0e7b3:FF=0:TM=1319019207:LM=1333617885:GM=1:S=j5JagRwK8dLDYf6y; NID=58=tKRL8nnjrH0BHfUGTyDysha5ioO4_7PqqCWqSnEbGcH9lZdjS9t0l-0fgzsPMRdeRAP1sh2jZj5JNeujrbJgSQhoZGynwYq4sGfGkFn2wjsBoU6hn1lSciDz2jX49qx7atVcgcflKFM; GAPS=1:p5qNZW-jRyUKeah8d1gHf_cRIxmy3g:_lt0kdMmaXcFkJPF; __utma=72592003.1110318804.1333617845.1334223605.1334227469.4; __utmz=72592003.1333617845.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); GALX=vArt1GzoL68; __utmc=72592003; GoogleAccountsLocale_session=en; GMAIL_RTT=407^M
    ^M
    HTTP/1.0 302 Moved Temporarily^M
    Content-Type: text/html; charset=UTF-8^M
    Location: https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2
    Content-Encoding: gzip^M
    Date: Fri, 13 Apr 2012 06:56:22 GMT^M
    Expires: Fri, 13 Apr 2012 06:56:22 GMT^M
    Cache-Control: private, max-age=0^M
    X-Content-Type-Options: nosniff^M
    X-XSS-Protection: 1; mode=block^M
    Content-Length: 254^M
    Server: GSE^M
    X-Cache: MISS from localhost.localdomain^M
    Via: 1.0 localhost.localdomain (squid/3.1.19-20120225-r10430)^M
    Connection: keep-alive^M

--
Regards,
-Ahmed Talha Khan
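
Added example, not part of the original post: a Python check that parses a header capture laid out like the one above and reports whether the redirect's Location resolves back to the requested URL, and which intermediary the Via header names. The function names and the sample capture (hypothetical example.com hosts) are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample in the same layout as the capture above (hypothetical hosts).
SAMPLE_CAPTURE = """\
https://login.example.com/signin?next=%2Fmail

GET /signin?next=%2Fmail HTTP/1.1^M
Host: login.example.com^M
^M
HTTP/1.0 302 Moved Temporarily^M
Location: https://LOGIN.example.com:443/signin?next=%2Fmail
Via: 1.0 proxy.example.net (squid)^M
"""

def normalize(url):
    """Reduce a URL to comparable parts; default ports and host case are ignored."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(),
            u.port or DEFAULT_PORTS.get(scheme), u.path or "/", u.query)

def parse_capture(text):
    """Return (requested_url, status, response_headers) from one captured exchange."""
    # Drop indentation and the trailing CR / literal "^M" markers left by the paste.
    lines = [re.sub(r"(\^M|\r)+$", "", ln.strip()) for ln in text.splitlines()]
    url = next(ln for ln in lines if ln)
    start = next(i for i, ln in enumerate(lines) if ln.startswith("HTTP/"))
    status = int(lines[start].split()[1])
    headers = {}
    for ln in lines[start + 1:]:
        if not ln:
            break
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return url, status, headers

def diagnose(text):
    """Flag a redirect whose Location resolves back to the URL that was requested."""
    url, status, headers = parse_capture(text)
    location = headers.get("location")
    loops = (status in REDIRECTS and location is not None
             and normalize(urljoin(url, location)) == normalize(url))
    return {"status": status, "self_redirect": loops, "via": headers.get("via")}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE))
```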