Search squid archive

Re: squid 3.3.5 http and https transparent proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Overview of what you are needing:
* For all Squid ports receiving traffic via rules in iptables "nat" table, you require "intercept" flag. 
* For ports expecting to need decryption of SSL/TLS you need ssl-bump
Squid-3.3 can intercept both port 80 and 443. Although there are limitations on port 43 interception which can easily be described as "not working" if you don't understand what the interception is actually doing. 

... so please describe in details what you mean by "dont work".

Amos


On 8/06/2013 1:41 a.m., MyName IsLive wrote:

Hi,
this is the log after i run those iptables rule and those changes in squid.conf:

1370611784.763   2407 192.168.4.99 TCP_MISS/200 1376 GET http://www.facebook.com/ - HIER_DIRECT/31.13.86.8 text/html
1370611784.790      0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
1370611801.238      0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html

i just add https_port 3127 "intercept" ....

and for normal http connection i dont have a stable connection randomly works or not work!!

1370611744.028   2358 192.168.4.99 TCP_MISS/304 395 GET http://l2.yimg.com/nn/lib/metro/p2.gif - HIER_DIRECT/66.196.65.188 -
1370611744.034   2361 192.168.4.99 TCP_MISS/200 1555 GET http://l2.yimg.com/dh/ap/default/130507/twitter-sprite_desktop.png - HIER_DIRECT/66.196.65.188 image/png
1370611744.684   2432 192.168.4.99 TCP_MISS/200 1560 GET http://ad.yieldmanager.com/imp? - HIER_DIRECT/217.163.21.41 application/x-javascript

1370611755.711   2419 192.168.4.99 TCP_MISS/301 573 GEThttp://hsrd.yahoo.com/_ylt=AtxMHaLUD5AnwWofb8kKFvabvZx4;_ylu=X3oDMTJycjUzcHE1BGNwb3MDMARnA2lkLTMzMjYxMDYEaW50bAN1cwRsdHh0A01lbCBCcm9va3MEcG9zAzIEc2VjA3RjLXRzBHNsawN0aXRsZQR0ZXN0AzkwMAR3b2UDMTI3MjM4NjQ-/RV=1/RE=1371821336/RH=aHNyZC55YWhvby5jb20-/RO=2/RU=aHR0cDovL3NlYXJjaC55YWhvby5jb20vc2VhcmNoP2NzPWJ6JnA9TWVsJTIwQnJvb2tzJmZyPWZwLXR0cy05MDAmZnIyPXBz/RS=%5EADAIOfP8qyIhCUF7TQ9B0kysUTI99I-- HIER_DIRECT/98.139.180.157 text/html


thanks you


----------------------------------------

From: npf-mlists@xxxxxxxxxxx
To: squid-users@xxxxxxxxxxxxxxx
Date: Fri, 7 Jun 2013 11:53:34 +0100
Subject: Re:  squid 3.3.5 http and https transparent proxy




in /etc/sysctl.conf ipforwading is enabled.

and for iptables:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.96:3128
i added these two rules work well for http, i tried many rules for https non them works!

Please check squid configuration if its okay please give me the firewall rule


thank you very much



Hello,

Change

http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem

to

http_port 3128 intercept
https_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem

And add do:

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.96:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.4.96:3127
iptables -I INPUT -p tcp -m tcp --dport 3127 -j ACCEPT

Does it work after that?

./npf
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux