
Re: Bypassing SSL Bump for dstdomain

----- Original Message -----
> From: Amos Jeffries <squid3@xxxxxxxxxxxxx>
> To: squid-users@xxxxxxxxxxxxxxx
> Cc: 
> Sent: Thursday, 7 March 2013 4:11 AM
> Subject: Re:  Bypassing SSL Bump for dstdomain
> 
> On 7/03/2013 2:03 a.m., Amm wrote:
>>> 
>>  I just tried 443 port interception with sslbump and is working perfectly.
>> 
>>  If sslbump none applies for request then it passes requests as is:
>>  Log shows something like this:
>> 
>>  1362574305.069  90590 192.168.1.1 TCP_MISS/200 3600 CONNECT 23.63.101.48:443 - HIER_DIRECT/23.63.101.48 -
>> 
>> 
>>  if sslbump server-first applied for request then log shows:
>>  1362574001.569    294 192.168.1.1 TCP_MISS/200 515 GET https://mail.google.com/mail/images/c.gif? - PINNED/2404:6800:4009:801::1015 image/gif
>> 
>>  (Note: URL may not be same in both cases, these are just example)
>> 
>>  I don't have IPv6, so why is it showing an IPv6 address in the 2nd case?
> 
> Because you *do* have IPv6, or at least the Squid box does. And Squid is 
> using it successfully to contact the upstream web server.
> 
> Amos
>

Nope, I do not have IPv6. I have been begging my ISP to give me IPv6.

squid is running on the very same machine.

Rule used is:
iptables -t nat -A OUTPUT -m owner ! --uid-owner squid -p tcp --dport 443 -j REDIRECT --to-ports 8081

URL accessed is https://www.google.com

nslookup -q=a www.google.com = 173.194.36.48 (one of many IPs in result)
nslookup -q=aaaa www.google.com = 2404:6800:4009:803::1014 (only 1 IPv6 in result)

access.log:
1362629583.956    532 192.168.1.1 TCP_MISS/200 28088 GET https://www.google.com/ - PINNED/2404:6800:4009:803::1014 text/html

I used wireshark to monitor the traffic. Result is:

0.000000 192.168.1.1 -> 173.194.36.48 TLSv1 775 Application Data
0.017809 173.194.36.48 -> 192.168.1.1 TCP 68 443 > 40400 [ACK] Seq=1 Ack=708 Win=1002 Len=0 TSval=1111 TSecr=1111

Clearly it's using IPv4 and not IPv6.

Note: I have replaced my public IP with 192.168.1.1

I have a feeling that since I am using REDIRECT, squid receives the redirected packets on a local (loopback) IPv6 address, so it assumes that the connection is IPv6 and logs an IPv6 address instead (even though it connects to an IPv4 address).

So I tried to change iptables rule to:
iptables -t nat -A OUTPUT -m owner ! --uid-owner squid -p tcp --dport 443 -j DNAT --to 127.0.0.1:8081

It still logs an IPv6 address in access.log, so I do not know why it assumes IPv6.

So maybe there is a bug somewhere (either logical or in the code).

Regards,

Amm.
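The log-versus-wire comparison described in the message above, as an added example that is not part of this thread or of Squid itself: a Python script that parses native-format access.log lines (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type), parses tshark-style summary lines like the Wireshark output above, and lists the log entries whose recorded peer address never shows up as a destination in the capture. The two sample log lines are copied from the message; the third capture line is constructed so that the CONNECT entry has a matching wire destination.

```python
"""Cross-check Squid access.log hierarchy peers against observed wire destinations.

Added example for the squid-users thread above; not code from the thread or from
Squid. Sample log and capture lines are copied/constructed from the message.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Native squid log format:
#   time elapsed client code/status bytes method URL user hier/peer type
_LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# tshark/wireshark summary line: "<time> <src> -> <dst> <proto> ..."
_WIRE_RE = re.compile(r"^(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+")

# Constructed sample data: lines 1-2 of the log and lines 1-2 of the capture are
# taken from the message; the last capture line is invented to give the CONNECT
# entry a wire destination that matches its logged peer.
SAMPLE_LOG = [
    "1362629583.956    532 192.168.1.1 TCP_MISS/200 28088 GET https://www.google.com/ - PINNED/2404:6800:4009:803::1014 text/html",
    "1362574305.069  90590 192.168.1.1 TCP_MISS/200 3600 CONNECT 23.63.101.48:443 - HIER_DIRECT/23.63.101.48 -",
]
SAMPLE_WIRE = [
    "0.000000 192.168.1.1 -> 173.194.36.48 TLSv1 775 Application Data",
    "0.017809 173.194.36.48 -> 192.168.1.1 TCP 68 443 > 40400 [ACK] Seq=1 Ack=708 Win=1002 Len=0 TSval=1111 TSecr=1111",
    "0.200000 192.168.1.1 -> 23.63.101.48 TLSv1 200 Client Hello",
]


@dataclass
class LogEntry:
    url: str
    method: str
    hier: str   # hierarchy code, e.g. HIER_DIRECT or PINNED
    peer: str   # peer host as logged: an IP address, or '-' when there is none


def parse_access_line(line: str) -> LogEntry:
    """Parse one native-format access.log line; raise on anything else."""
    m = _LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a native-format squid log line: {line!r}")
    return LogEntry(m["url"], m["method"], m["hier"], m["peer"])


def peer_family(peer: str) -> Optional[int]:
    """Return 4 or 6 for an IP peer field, None for non-IP values such as '-'."""
    try:
        return ipaddress.ip_address(peer).version
    except ValueError:
        return None


def wire_destinations(lines: Iterable[str]) -> Set[ipaddress._BaseAddress]:
    """Collect every destination address seen in the capture summary."""
    dsts = set()
    for line in lines:
        m = _WIRE_RE.match(line.strip())
        if m:
            dsts.add(ipaddress.ip_address(m["dst"]))
    return dsts


def find_unobserved_peers(log_lines: Iterable[str], wire_lines: Iterable[str]) -> List[LogEntry]:
    """Return log entries whose logged peer IP was never a destination on the wire.

    An entry here means the log and the packet capture disagree about where
    Squid actually connected, which is exactly the symptom reported above.
    """
    seen = wire_destinations(wire_lines)
    out = []
    for line in log_lines:
        entry = parse_access_line(line)
        if peer_family(entry.peer) is None:
            continue  # no peer address to check (e.g. HIER_NONE/-)
        if ipaddress.ip_address(entry.peer) not in seen:
            out.append(entry)
    return out


if __name__ == "__main__":
    for e in find_unobserved_peers(SAMPLE_LOG, SAMPLE_WIRE):
        fam = peer_family(e.peer)
        print(f"{e.method} {e.url}: logged {e.hier}/{e.peer} (IPv{fam}) not seen on the wire")
```

Run against a real access.log and a `tshark -r capture.pcap` summary, the script reports every bumped or tunnelled request whose logged peer differs from the address the packets actually went to; the family returned by `peer_family` tells you at a glance whether the disagreement is an IPv4/IPv6 one like the case in the message.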
