On 8/06/2013 2:39 a.m., MyName IsLive wrote:
Look, I just need a server to set as gateway on all my clients, so that ALL their traffic passes through my server and I can log all the traffic, all http and https traffic.
I already pasted all my config. I made all the changes npf-mlists@xxxxxxxxxxx said, but that is the log file!
I can visit http sites but, as I said, http://yahoo.com is OK, I can visit it, but when I'm clicking on another link from inside the yahoo.com website I cannot visit it: "Internet explorer cannot display the webpage". Same with Chrome and Firefox!
For https I tried with https://facebook.com; not working means this:
1370611784.763 2407 192.168.4.99 TCP_MISS/200 1376 GET http://www.facebook.com/ - HIER_DIRECT/31.13.86.8 text/html
1370611784.790 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
1370611801.238 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
I compiled from source code and these are the parameters that I passed to configure:
./configure --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-ltdl-convenienc
If you need more information that I missed please let me know :)
His instructions were not quite correct. You require intercept flag on
*both* Squid receiving ports to de-NAT the TCP layer and parse the HTTP
origin server message syntax which is used on port 80 and 443. You
require ssl-bump flag and the related ssl settings on the https_port to
enable proper security handling of intercepted port 443 traffic. The
ssl-bump settings usage on the http_port along with intercept is
optional, but rarely useful as CONNECT messages on port 80 are undefined.
The error:invalid-request are intercepted traffic arriving at one or
other of the ports and being detected as non-HTTP. This *usually* (but
not always) means HTTPS / port 443 data has arrived at an http_port, or
has not been decrypted properly, or is not actually HTTPS at all but one
of the other protocols using port 443.
It may appear simple but there is a large amount of complexity going on
in the background for both Squid and the operating system network stack.
Your iptables rules and your Squid settings need to line up properly or
you will get any one of a large number of problems occurring, and
intercepted traffic is the hardest traffic to debug.
Also, you *cannot* test by sending requests directly to the proxy
interception port. You must test by passing traffic as a client would.
Nothing else will give you accurate results.
Amos
thank you very much
----------------------------------------
From: squid3@xxxxxxxxxxxxx
Overview of what you are needing:
* For all Squid ports receiving traffic via rules in iptables "nat"
table, you require "intercept" flag.
* For ports expecting to need decryption of SSL/TLS you need ssl-bump
Squid-3.3 can intercept both port 80 and 443. Although there are
limitations on port 43 interception which can easily be described as
"not working" if you don't understand what the interception is actually
doing.
... so please describe in details what you mean by "dont work".
Amos
On 8/06/2013 1:41 a.m., MyName IsLive wrote:
Hi,
This is the log after I ran those iptables rules and made those changes in squid.conf:
1370611784.763 2407 192.168.4.99 TCP_MISS/200 1376 GET http://www.facebook.com/ - HIER_DIRECT/31.13.86.8 text/html
1370611784.790 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
1370611801.238 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
I just added https_port 3127 "intercept" ....
And for normal http connections I don't have a stable connection; it randomly works or doesn't work!!
1370611744.028 2358 192.168.4.99 TCP_MISS/304 395 GET http://l2.yimg.com/nn/lib/metro/p2.gif - HIER_DIRECT/66.196.65.188 -
1370611744.034 2361 192.168.4.99 TCP_MISS/200 1555 GET http://l2.yimg.com/dh/ap/default/130507/twitter-sprite_desktop.png - HIER_DIRECT/66.196.65.188 image/png
1370611744.684 2432 192.168.4.99 TCP_MISS/200 1560 GET http://ad.yieldmanager.com/imp? - HIER_DIRECT/217.163.21.41 application/x-javascript
1370611755.711 2419 192.168.4.99 TCP_MISS/301 573 GET http://hsrd.yahoo.com/_ylt=AtxMHaLUD5AnwWofb8kKFvabvZx4;_ylu=X3oDMTJycjUzcHE1BGNwb3MDMARnA2lkLTMzMjYxMDYEaW50bAN1cwRsdHh0A01lbCBCcm9va3MEcG9zAzIEc2VjA3RjLXRzBHNsawN0aXRsZQR0ZXN0AzkwMAR3b2UDMTI3MjM4NjQ-/RV=1/RE=1371821336/RH=aHNyZC55YWhvby5jb20-/RO=2/RU=aHR0cDovL3NlYXJjaC55YWhvby5jb20vc2VhcmNoP2NzPWJ6JnA9TWVsJTIwQnJvb2tzJmZyPWZwLXR0cy05MDAmZnIyPXBz/RS=%5EADAIOfP8qyIhCUF7TQ9B0kysUTI99I-- HIER_DIRECT/98.139.180.157 text/html
Thank you
----------------------------------------
From: npf-mlists@xxxxxxxxxxx
To: squid-users@xxxxxxxxxxxxxxx
Date: Fri, 7 Jun 2013 11:53:34 +0100
Subject: Re: squid 3.3.5 http and https transparent proxy
In /etc/sysctl.conf IP forwarding is enabled.
And for iptables:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.96:3128
I added these two rules, which work well for http; I tried many rules for https, none of them works!
Please check the squid configuration; if it's okay, please give me the firewall rule.
thank you very much
Hello,
Change
http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
to
http_port 3128 intercept
https_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
And do:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.96:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.4.96:3127
iptables -I INPUT -p tcp -m tcp --dport 3127 -j ACCEPT
Does it work after that?
./npf
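
An added example, not written by any poster in this thread: a small Python check of the rule Amos states above, that every Squid port receiving traffic from the iptables "nat" table needs the intercept flag and that redirected port 443 traffic needs an https_port with ssl-bump. The sample input is constructed from the squid.conf lines and nat rules suggested in the message above; the function names are hypothetical.

```python
import shlex

# Constructed sample input: the port lines and nat rules suggested in the thread.
SQUID_CONF = """\
http_port 3128 intercept
https_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
"""
IPTABLES_RULES = """\
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.96:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.4.96:3127
"""

def squid_ports(conf):
    """Map listening port -> (directive, flag names) for http_port/https_port lines."""
    ports = {}
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok and tok[0] in ("http_port", "https_port"):
            port = int(tok[1].rsplit(":", 1)[-1])  # accepts "3128" or "ip:3128"
            ports[port] = (tok[0], {t.split("=")[0] for t in tok[2:]})
    return ports

def nat_targets(rules):
    """Yield (original dport, proxy port) for each REDIRECT/DNAT rule in the nat table."""
    for line in rules.splitlines():
        tok = shlex.split(line)
        if "nat" not in tok or "--dport" not in tok:
            continue
        dport = int(tok[tok.index("--dport") + 1])
        for opt in ("--to-ports", "--to-destination"):
            if opt in tok:
                yield dport, int(tok[tok.index(opt) + 1].rsplit(":", 1)[-1])

def check(conf, rules):
    """Return a sorted list of mismatches between the nat rules and the Squid ports."""
    ports, problems = squid_ports(conf), set()
    for dport, target in nat_targets(rules):
        directive, flags = ports.get(target, (None, set()))
        if directive is None:
            problems.add(f"port {target}: no Squid port listens here")
            continue
        if "intercept" not in flags:
            problems.add(f"{directive} {target}: missing intercept")
        if dport == 443 and directive != "https_port":
            problems.add(f"{directive} {target}: port 443 traffic sent to a non-https_port")
        if dport == 443 and "ssl-bump" not in flags:
            problems.add(f"{directive} {target}: missing ssl-bump")
    return sorted(problems)
```

On the sample input, check(SQUID_CONF, IPTABLES_RULES) reports that https_port 3127 lacks intercept, which is the correction Amos makes to the suggested configuration.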