To summarize. Please correct me if anything is wrong; thanks in advance.

If I just want to transparently pass through HTTP/HTTPS packets (not read or modify them), I can just use http_port to open some port and have the client set the browser proxy + port directly; from my testing, this is right.

If I want to get the client's HTTPS requests, e.g. get the browser's HTML content over HTTPS or insert some JavaScript into the HTTPS response page in the client's browser, I need to set up NAT on server B (should B be a gateway or a server? A is a LAN PC whose gateway points to B? Am I right here?), then use iptables to redirect client A's HTTPS packets to the squid https_port, then use squid ssl bump to read/write the client's HTML content in HTTPS.

On Thu, Feb 27, 2014 at 6:06 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 27/02/2014 10:22 p.m., Jerry OELoo wrote:
>> Sorry for spam,
>> It looks like I am wrong; after netstat, I find there is no
>> program listening on ports 80 and 443, I think this is the reason that
>> there is no traffic redirected by iptables from 80/443 to 3128/3130.
>> After I change the client Chrome's proxy port from 80 to 3128, it can
>> access the internet.
>>
>> So back to my question. Client A and Server B are in the same LAN, and B
>> has the squid ssl bump feature on. Now, I want Client A to access HTTPS
>> via B as proxy, and I want to use ssl bump to read/modify the HTTPS
>> package from Client A.
>> Below are my testing results:
>>
>> 1) Client A, Chrome browser HTTPS proxy setting points to Server B
>> IP with port 3128: it works, Client A can access HTTPS successfully.
>> 2) Client A, Chrome browser HTTPS proxy points directly to Server B IP
>> with port 3130: it does NOT work, Client A could not access HTTPS.
>> As per Amos's suggestion, I should redirect packets from port 443 to squid
>> port 3130 (iptables .....). Does it mean Squid ssl bump cannot support
>> client A directly connecting to server B port 3130 with HTTPS
>> requests?
>
> Correct. Keep the squid port receiving NAT'ed connections separate from
> the Squid port receiving direct / explicit connections.
> This is easy, just give Squid another http_port line.
>
> BTW: I recommend using 3128 as the port for normal/explicit proxy usage.
>
> The NAT receiving port is only necessarily used by the Squid box kernel,
> so it can be 100% private - right down to the point of firewalling it in
> "iptables -t mangle -p tcp --dport XX -j REJECT" against external
> packets arriving straight there.
>
>
>> Should I add another application that listens on HTTPS port 443
>> on Server B, and add iptables to redirect 443 traffic to port 3130
>> for squid ssl bump to do further analysis? Is this the correct way?
>> If it is, which HTTPS server should I use?
>
> see my other email. :-)
>
> Amos

--
Rejoice, I Desire!
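The layout Amos describes (one explicit port, separate NAT-only intercept ports, the intercept ports firewalled against direct connections), written out as a setup script. This is an added example, not code from the thread or from the Squid project. It assumes Squid 3.4-era syntax (ssl_bump server-first; the later peek/splice rules are not used), that server B is the default gateway for client A's LAN, and placeholder values for the LAN subnet (192.168.1.0/24), LAN interface (eth0), CA certificate path (/etc/squid/ssl_cert/myCA.pem) and the ssl_crtd helper path; all of those are assumptions to adjust. The client's browser points at 3128 for explicit use, or at nothing at all for interception, but never at 3129/3130 directly.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project).
# Explicit proxy traffic goes to 3128 (CONNECT is tunnelled, not bumped).
# NAT-redirected port 80/443 traffic goes to private intercept ports
# 3129/3130; only 3130 carries ssl-bump, which is what rewrites HTTPS pages.
# ASSUMPTIONS: Squid 3.4 directives, LAN/interface/CA/helper paths below.
set -eu

LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumption: client A's LAN
LAN_IF="${LAN_IF:-eth0}"                   # assumption: B's LAN-facing NIC
CA_PEM="${CA_PEM:-/etc/squid/ssl_cert/myCA.pem}"  # assumption: CA trusted by A
CRTD="${CRTD:-/usr/lib/squid/ssl_crtd}"    # assumption: distro-specific path
EXPLICIT_PORT=3128
HTTP_INTERCEPT_PORT=3129
HTTPS_INTERCEPT_PORT=3130

# Emit the squid.conf fragment. Kept in a function so it can be inspected
# (or written to a file) without touching the running system.
squid_conf() {
    cat <<EOF
# explicit (browser-configured) proxy port: HTTPS passes through as CONNECT
http_port $EXPLICIT_PORT

# NAT-intercepted plain HTTP (iptables REDIRECT 80 -> $HTTP_INTERCEPT_PORT)
http_port $HTTP_INTERCEPT_PORT intercept

# NAT-intercepted HTTPS (iptables REDIRECT 443 -> $HTTPS_INTERCEPT_PORT);
# ssl-bump lets Squid decrypt, read/modify and re-encrypt the response
https_port $HTTPS_INTERCEPT_PORT intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=$CA_PEM

# Squid 3.4: connect to the origin first, then mint a cert for the client
ssl_bump server-first all
sslcrtd_program $CRTD -s /var/lib/ssl_db -M 4MB

acl localnet src $LAN_NET
http_access allow localnet
http_access deny all
EOF
}

# Emit the kernel side: forwarding, REDIRECT rules, and a guard on the
# intercept ports. mangle PREROUTING runs before nat PREROUTING, so the
# dport seen there is still the original one: a packet aimed straight at
# 3129/3130 is dropped, while a redirected 80/443 packet is untouched.
# DROP is used instead of REJECT because REJECT is only valid in filter.
iptables_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_INTERCEPT_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 443 -j REDIRECT --to-ports $HTTPS_INTERCEPT_PORT
iptables -t mangle -A PREROUTING ! -i lo -p tcp --dport $HTTP_INTERCEPT_PORT -j DROP
iptables -t mangle -A PREROUTING ! -i lo -p tcp --dport $HTTPS_INTERCEPT_PORT -j DROP
EOF
}

# DRY_RUN=1 (default) only prints; DRY_RUN=0 writes the config and applies
# the rules, which needs root on server B.
main() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        squid_conf
        iptables_rules
    else
        squid_conf >"${SQUID_CONF:-/etc/squid/squid.conf}"
        iptables_rules | sh -e
    fi
}
main
```

Before the first HTTPS bump, the certificate database has to exist (`ssl_crtd -c -s /var/lib/ssl_db`, owned by the Squid user) and the CA in cert= must be installed as trusted on client A, otherwise every bumped site shows a certificate warning. The REDIRECT rules are scoped to the LAN interface and subnet so that traffic from B itself or from the WAN side is never intercepted.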