Search squid archive

Re: Configuring SSL Bump in transparent/intercept mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> When I send traffic that I expect be be intercepted to Squid, I get
> the following errors in the log file (and a TCP RST from squid):
> 
> ERROR: No forward-proxy ports configured
> NF getsockopt(SO_ORIGINAL_DST) failed on local=10.174.14.75:80
> remote=107.3.142.99:60377 FD 10 flags=33: (92) Protocol not available
> 
> I know I am missing something pretty simple here.
> 

I wouldn't say it is simple. I may be wrong but i think it may not work. To my knowledge, squid in intercept mode will use the original destination of the tcp connection (as passed by netfilter in SO_ORIGINAL_DST) as the server address were it will fetch the x509 cert and mimic that.
For what i've read in your email, the original destination is your amazon box so it can't connect to itself and fetch the certificate.

Without transparent mode the browser explicits connect to the proxy and request a connection to some server. Then squid can fetch the certificate and mimic that.

A working scenario would be to place a box at customer premisses that would do a GRE tunneling to the Amazon BOX.

Best regards,
Nuno Fernandes




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux