On 27/02/2014 10:22 p.m., Jerry OELoo wrote:
> Sorry for spam,
> It looks like I am wrong. After netstat, I find there is no
> program listening on port 80 and 443; I think this is the reason that
> there is no traffic redirected by iptables from 80/443 to 3128/3130.
> After I change client Chrome's proxy port from 80 to 3128, it can
> access the internet.
>
> So back to my question. Client A and Server B are in the same LAN, and B
> has the squid ssl bump feature on. Now I want Client A to access HTTPS
> via B as proxy, and I want to use ssl bump to read/modify HTTPS
> packets from Client A.
> Below are my testing results:
>
> 1) Client A, Chrome browser HTTPS proxy setting both point to Server B
> IP with port 3128. It works; Client A can access HTTPS successfully.
> 2) Client A, Chrome browser HTTPS proxy directly points to Server B IP
> with port 3130. It does NOT work; Client A could not access HTTPS.
> As Amos's suggestion, I should redirect packets from port 443 to squid
> port 3130 (iptables .....). It means Squid ssl bump could not support
> that client A directly connect to server B 3130 port with HTTPS
> request?

Correct. Keep the Squid port receiving NAT'ed connections separate from the Squid port receiving direct / explicit connections. This is easy, just give Squid another http_port line.

BTW: I recommend using 3128 as the port for normal/explicit proxy usage. The NAT receiving port is only necessarily used by the Squid box kernel, so it can be 100% private - right down to the point of firewalling it in "iptables -t mangle -p tcp --dport XX -j REJECT" against external packets arriving straight there.

> I should add another application that listens for HTTPS 443
> port on Server B, and add iptables to redirect 443 traffic to 3130
> port for squid ssl bump to do further analysis? Is this the correct way?
> If it is, which HTTPS server should I use?

see my other email. :-)

Amos
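The layout Amos describes, as an added example that is not part of the thread and not Squid project code: one explicit ssl-bump port (3128) that clients are told about, one intercept port (3130) that only the Squid box's own kernel reaches via NAT REDIRECT, and a mangle-table rule that discards LAN packets aimed straight at 3130. The directive names (`http_port`/`https_port ... intercept ssl-bump`, `ssl_bump server-first`) are those of Squid 3.3-era releases current when this was written; the interface name and the CA certificate path are assumptions/placeholders. The script only prints the iptables commands unless invoked with `apply`. One deliberate difference from the quoted hint: the fence rule uses `DROP` rather than `REJECT`, because iptables only accepts the REJECT target in the INPUT, FORWARD and OUTPUT chains, and mangle PREROUTING is the chain that sees the packet before nat PREROUTING rewrites 443 to 3130.

```shell
#!/bin/sh
# Added example: separate explicit and intercept ssl-bump ports for Squid,
# plus the iptables rules that feed and fence the intercept port.
# Assumptions (not from the thread): LAN interface eth0, CA cert path below.

EXPLICIT_PORT=3128                           # browsers are configured with this
INTERCEPT_PORT=3130                          # reached only via NAT from port 443
LAN_IF=eth0                                  # assumption: LAN-facing interface
BUMP_CERT=/etc/squid/ssl_cert/squid-ca.pem   # placeholder: CA cert clients trust

# Squid listener lines. Explicit and NAT'ed traffic land on different ports,
# so Squid never has to guess which kind of connection it is looking at.
squid_port_config() {
    cat <<EOF
# explicit (CONNECT) proxy port: this is the one clients are told about
http_port ${EXPLICIT_PORT} ssl-bump cert=${BUMP_CERT}

# intercept port: receives port-443 connections redirected by the kernel;
# never published to clients
https_port ${INTERCEPT_PORT} intercept ssl-bump cert=${BUMP_CERT}

# Squid 3.3-style bump policy; narrow "all" to an ACL in real deployments
ssl_bump server-first all
EOF
}

# iptables commands, one per line. Order of chains for an inbound packet is
# mangle PREROUTING -> nat PREROUTING, so a packet arriving with dport 3130
# is dropped before NAT, while a packet arriving with dport 443 passes the
# mangle rule and is then redirected to 3130.
firewall_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i ${LAN_IF} -p tcp --dport ${INTERCEPT_PORT} -j DROP
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 443 -j REDIRECT --to-ports ${INTERCEPT_PORT}
EOF
}

# Stand-alone run: show the squid.conf fragment, then print (or, with the
# "apply" argument, execute) the firewall commands.
squid_port_config
firewall_rules | while read -r cmd; do
    if [ "${1:-}" = "apply" ]; then
        sh -c "$cmd"
    else
        echo "$cmd"
    fi
done
```

Clients then set 3128 as their proxy and never learn about 3130; a LAN host that tries to connect to 3130 directly gets silence from the mangle rule, while its normal port-443 traffic is still redirected into the intercept listener.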