HI All:
Now I have added the below rules for iptables, and configured client A's browser proxy, but it could not connect to server B anyway. Please kindly help. Thanks!

1) Add rules to redirect all data from 80 -> 3128, 443 -> 3130

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

2) Change browser proxy setting (If I understand correctly, I should change the proxy port as server B has the redirect)

HTTP Proxy, 10.64.12.101, port 80
HTTPS Proxy, 10.64.12.101, port 443

Based on the above change, client A could not access the internet, no matter http or https, and from access.log in squid, it seems there is not any log.
What's wrong? I am confused. Thanks!

On Thu, Feb 27, 2014 at 3:11 PM, Jerry OELoo <oyljerry@xxxxxxxxx> wrote:
> Hi Amos:
> After reading your comments, below are my questions in detail. Thanks a lot.
> 1) Squid SSL Bump must be used in a NAT network? In my environment, A and B
> are in the same LAN. Can B use Squid SSL Bump to capture all A's https
> traffic?
> 2) As mentioned in the original mail, PC A and PC B are in the same LAN, there
> is no NAT network, and PC B (installed squid) only has 1 network
> interface eth0. As you suggested, I checked iptables, however, I do
> not know how to redirect port 443 traffic to the 3130 port as PC A and PC
> B are not NAT.
>
>
> On Wed, Feb 26, 2014 at 6:00 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 26/02/2014 8:06 p.m., Jerry OELoo wrote:
>>> Hi Amos:
>>> Thanks for your quick feedback.
>>> 1) I do not much understand what you said about connecting to host
>>> 10.64.12.100, I just find it in B (10.64.12.101) squid cache.log,
>>>
>>
>> It is the reason your ssl-bump is not working. The SSL connection is not
>> actually going to any relevant web server, but being connected back to
>> the client IP.
>>
>> The ORIGINAL_DST indicates that it was the IP address details for the server
>> taken from the TCP packets on the client->server connection which was
>> intercepted into Squid.
>>
>> These connections show up as client IP being server if you have one of
>> these happening:
>>
>> * Linux TPROXY mechanism used to intercept, but "intercept" flag used on
>> the port.
>>
>> * client making explicitly configured (PAC file, environment variable or
>> browser config settings) connections directly to the proxy port.
>>
>>
>>> 2) I do not add any other setting in squid.conf about interception.
>>>
>>
>>
>> I mean do you have iptables settings using DNAT, REDIRECT or TPROXY
>> targets to point the port 443 traffic at the Squid https_port ?
>>
>>
>>
>>> 3) As you mentioned, https_port requires NAT interception, so in my
>>> scenario, A, B are in the same LAN, and I want A to use B as HTTPS
>>> proxy, and I want to use SSL bump to monitor A's HTTPS content. So is
>>> there any way that can meet it?
>>
>> Yes. What you have should be enough for the Squid setup. However
>> interception is done in the networking layers...
>>
>> 1) you must first *route* the port 443 packets through the Squid box.
>>
>> 2) you must TPROXY/DNAT/REDIRECT *intercept* the packets into the Squid
>> listening port.
>>
>> 3) catch the packets in Squid and ssl-bump.
>>
>>
>> You have shown that you are doing (3). The problem is happening somewhere
>> at (1) or (2).
>>
>> Amos
>>
>
>
>
> --
> Rejoice,I Desire!



--
Rejoice,I Desire!
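A check for the setup in this thread, added here as an example and not part of anyone's mail: it prints the two REDIRECT rules for the interception step and reads a constructed `iptables -t nat -L PREROUTING -n -v -x` listing to tell whether the packets ever reach those rules (Amos' step 1) or do reach them, in which case the fault is at step 2/3. It assumes the ports (3128, 3130) and interface (eth0) from Jerry's mail.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the interception rules for the
# squid box (intercept ports 3128/3130 on eth0) and diagnoses the nat
# PREROUTING packet counters. SAMPLE below is constructed; on a real box
# replace it with the output of: iptables -t nat -L PREROUTING -n -v -x
PROXY_IF=eth0

# Step (2): intercept port 80/443 packets into the Squid listening ports.
# Step (1), routing the client's packets through this box (client gateway
# or LAN routing), is not an iptables rule and must be done separately.
intercept_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports 3128\n' "$PROXY_IF"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -j REDIRECT --to-ports 3130\n' "$PROXY_IF"
}

# Reads the "-n -v -x" listing of PREROUTING on stdin. A REDIRECT rule with
# zero packets never sees the port's traffic, so it is not routed through
# this box (step 1). A non-zero count with an empty access.log means the
# rule fires and the fault is in Squid's intercept port or ssl-bump (step 2/3).
diagnose() {
    awk '$3 == "REDIRECT" {
        port = $0; sub(/.*dpt:/, "", port); sub(/ .*/, "", port)
        if ($1 + 0 == 0)
            print "dpt:" port " -> 0 packets: traffic is not routed through this box (step 1)"
        else
            print "dpt:" port " -> " $1 " packets: rule fires, check https_port/ssl-bump and cache.log (step 2/3)"
    }'
}

# Constructed sample: the port 80 rule has seen packets, the 443 rule none.
SAMPLE='Chain PREROUTING (policy ACCEPT 120 packets, 8000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
       0        0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3130'

intercept_rules
printf '%s\n' "$SAMPLE" | diagnose
```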