Re: HTTP/HTTPS transparent proxy doesn't work

On 8/12/2014 11:33 PM, agent_js03 wrote:
Hello,

I am having trouble with my squid setup. Here is exactly what I am trying to
do: I am setting up a VPN server and I want all VPN traffic to be
transparently proxied by squid with ssl bumping enabled. Right now when I
try to do this I get an access denied page from the client.

Here are lines from my squid.conf:

=================================================
acl localnet src 192.168.1.0/24 # local network
acl localnet src 192.168.3.0/24 # vpn network
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.1.145:3127 intercept
http_port 192.168.1.145:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem
always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

=================================================

Here are my iptables rules:

=================================================
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F

# transparent proxy for vpn
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j DNAT --to-destination 192.168.1.145:3127
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 443 -j DNAT --to-destination 192.168.1.145:3128

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables --table nat --append POSTROUTING --out-interface ppp+ -j MASQUERADE
iptables -I INPUT -s 192.168.3.0/24 -i ppp+ -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT

=================================================


When I connect to VPN and try to browse the web I get the following error in
/etc/squid3/cache.log on the vpn server:

2014/08/12 21:21:02 kid1| ERROR: No forward-proxy ports configured.
2014/08/12 21:21:02 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/
Via: 1.1 localhost (squid/3.2.11)
X-Forwarded-For: 127.0.0.1
Cache-Control: max-age=259200
Connection: keep-alive


2014/08/12 21:21:02 kid1| ERROR: No forward-proxy ports configured.



I am wondering about this error "No forward-proxy ports configured." What do
I need to change about my squid.conf that would allow me to do transparent
proxying?

Thanks in advance.



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/HTTP-HTTPS-transparent-proxy-doesn-t-work-tp4667193.html
Sent from the Squid - Users mailing list archive at Nabble.com.

I have found some systems do not like the IP mixed with the port (generally Red Hat, CentOS or derivatives)...

From my squid setups:

http_port 3128
# above port is what will be used for all proxy settings on client browser
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all
ssl_bump none localhost



This allows 3128 to see all GET requests from the clients, and then if it is standard http, the http_port 3129 intercepts it, and if it is a secure https request, then it is intercepted by 3130. Squid sees incoming proxy connections anyway using the system IP already, so the IP:port is redundant and can cause some issues. This also means you would only need one iptables entry for 3128 and none for 3129 or 3130 since squid would automatically intercept based on insecure or secure site GET request. Other iptables rules may be needed since it is VPN based requests, which can vary depending on the type of VPN setup.

*Internet Protocol Security (IPSec)* uses IP protocol 50 for Encapsulated Security Protocol (ESP), IP protocol 51 for Authentication Header (AH), and UDP port 500 for IKE Phase 1 and Phase 2 negotiations. UDP ports 500 and 4500 are used if NAT-T is used for IKE Phase 1 and Phase 2 negotiations.

*Secure Sockets Layer (SSL)* uses TCP port 443 and works by using a private key to encrypt data that is transferred over the SSL connection. SSL also uses 465 Secure SMTP, 993 Secure IMAP, and 995 Secure POP.

*Layer Two Tunneling Protocol (L2TP)* uses TCP port 1701 and is an extension of the Point-to-Point Tunneling Protocol. L2TP is often used with IPSec to establish a Virtual Private Network (VPN).

*Point-to-Point Tunneling Protocol (PPTP)* uses TCP port 1723 and IP port 47 Generic Routing Encapsulation (GRE). PPTP provides a low-cost, private connection to a corporate network through the Internet. PPTP works well for people who work from home or travel and need to access their corporate networks. It is often used to access a Microsoft Remote Access Server (RAS).

Mike
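A complete setup for the situation both posts describe, as an added example that is not code from either poster or from the Squid project: a shell script that writes a squid.conf with one plain forward-proxy port (it is the absence of any such port that Squid 3.2 and later reports as "No forward-proxy ports configured"), separate intercept ports for plain HTTP and for TLS, and the matching iptables rules for VPN clients on the proxy host itself. The addresses (192.168.1.145, 192.168.3.0/24), the ppp+/eth0 interface names, the certificate and ssl_crtd paths and the port numbers are assumptions taken over from the thread, and the ssl_bump lines assume Squid 3.3 or 3.4. The example leaves upstream certificate verification at its default: with it disabled the proxy accepts any server certificate, and the VPN clients, who only ever see Squid's generated certificates, have no way to notice.

```shell
#!/bin/sh
# Transparent HTTP + HTTPS (ssl-bump) proxy for VPN clients on the proxy host.
# Added example, not code from either post above; every address, interface
# name, port and path below is an assumption taken over from the thread.
# Assumes Squid 3.3/3.4 (ssl_bump none/server-first syntax).
#
#   preview:  RUN=echo SQUID_CONF=/tmp/squid.conf sh setup-proxy.sh apply
#   install:  sh setup-proxy.sh apply   (as root; then restart squid)
set -eu

PROXY_IP=${PROXY_IP:-192.168.1.145}          # address Squid binds to (assumed)
VPN_NET=${VPN_NET:-192.168.3.0/24}           # VPN client subnet (assumed)
VPN_IF=${VPN_IF:-ppp+}                       # VPN interfaces (assumed PPTP/L2TP)
WAN_IF=${WAN_IF:-eth0}                       # upstream interface (assumed)
SQUID_CONF=${SQUID_CONF:-/etc/squid3/squid.conf}
SSL_DIR=${SSL_DIR:-/etc/squid3/ssl}          # CA cert/key for generated certs
RUN=${RUN:-}                                 # RUN=echo prints commands instead

# Squid 3.2+ logs "No forward-proxy ports configured" when every port is
# intercept/tproxy/accel, so one plain http_port stays in even if no client is
# ever pointed at it. Intercepted plain HTTP and intercepted TLS need separate
# ports: TLS must arrive on an https_port, which completes the handshake with
# a generated certificate before it reads the request.
write_squid_conf() {
    cat > "$SQUID_CONF" <<EOF
acl localnet src 192.168.1.0/24   # LAN (assumed)
acl localnet src $VPN_NET         # VPN clients (assumed)
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow localnet
http_access deny all

# plain forward-proxy port: required by Squid even if no client uses it
http_port $PROXY_IP:3128
# intercepted HTTP: iptables sends VPN dport-80 traffic here
http_port $PROXY_IP:3129 intercept
# intercepted HTTPS: iptables sends VPN dport-443 traffic here
https_port $PROXY_IP:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=$SSL_DIR/public.pem key=$SSL_DIR/private.pem

# bump LAN/VPN clients only, never Squid's own requests (Squid 3.2 would need
# "ssl_bump allow localnet"). Upstream certificate checks stay enabled: no
# sslproxy_flags DONT_VERIFY_PEER, no sslproxy_cert_error allow all.
ssl_bump none localhost
ssl_bump server-first localnet
ssl_bump none all

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
EOF
}

apply_iptables() {
    $RUN sysctl -w net.ipv4.ip_forward=1

    # never redirect traffic from the proxy's own address: the usual guard in
    # Squid's intercept examples against outbound fetches looping back into
    # Squid itself ("Forwarding loop detected")
    $RUN iptables -t nat -A PREROUTING -s "$PROXY_IP" -p tcp -j ACCEPT
    $RUN iptables -t nat -A PREROUTING -i "$VPN_IF" -s "$VPN_NET" -p tcp --dport 80 \
        -j DNAT --to-destination "$PROXY_IP:3129"
    $RUN iptables -t nat -A PREROUTING -i "$VPN_IF" -s "$VPN_NET" -p tcp --dport 443 \
        -j DNAT --to-destination "$PROXY_IP:3130"

    # let redirected connections reach Squid; NAT what Squid and the rest of
    # the VPN traffic send upstream
    $RUN iptables -A INPUT -i "$VPN_IF" -s "$VPN_NET" -p tcp \
        -m multiport --dports 3128,3129,3130 -j ACCEPT
    $RUN iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    $RUN iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# VPN server side, assuming PPTP (ppp+ interfaces): control channel + GRE.
# For L2TP/IPsec allow UDP 500, 4500 and 1701 plus IP protocol 50 instead.
allow_pptp_inbound() {
    $RUN iptables -A INPUT -i "$WAN_IF" -p tcp --dport 1723 -j ACCEPT
    $RUN iptables -A INPUT -i "$WAN_IF" -p gre -j ACCEPT
}

if [ "${1-}" = "apply" ]; then
    write_squid_conf
    apply_iptables
    allow_pptp_inbound
    echo "wrote $SQUID_CONF and installed rules; restart squid to pick them up"
fi
```

Run it once with RUN=echo and SQUID_CONF pointing at a scratch file to review what it would do. The functions append rules rather than flushing the tables, so rules the VPN daemon already installed stay in place; if the proxy is instead a separate box on the path, the DNAT has to be done on that box, since Squid's intercept mode looks up the original destination on the host that performed the NAT.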