Search squid archive

SSl Interception proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

I've been trying to implement "transparent" proxy for secure https websites using ssl-bump server-first feature.
Some websites will work properly with the running configuration, but some of them like hotmail (login.live.com) won't.

What I've found interesting about that is if, for example, IE 7 is used it will be possible to use hotmail. If I try with Google Chrome or Firefox 20, a blank page will be shown when going through "www.hotmail.com".

Some other sites like facebook won't display the images properly in the https front website.

Am I missing something in the configuration?

My iptables rules are the like below:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3130

My squid.conf file has the following:

acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
visible_hostname linux-cyud.labviavarejo.br
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/sbin/ssl_crtd -d -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 10 startup=5 idle=5
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localnet

http_access allow localhost
http_access deny all

http_port 3128
http_port 3130 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/CertificateSquid.pem

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

debug_options ALL,9


Best Regards,
Alessandro
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux