
Re: Re: HTTP/HTTPS transparent proxy doesn't work

Hey,

What is the full ICAP server request and response?
You need to use a 302 redirect for what you want to work.

Eliezer

On 08/15/2014 02:32 PM, agent_js03 wrote:
I upgraded to squid 3.3.8 with the same config and iptables and everything
now works. I guess intercept just doesn't work with squid 3.2. However now I
am having a different issue. I am running a content filter that interfaces
with squid through ICAP. I have a blockpage running on the same box at
192.168.1.145:8089 (192.168.1.145 is the IP of the proxy server). If I try
to access blocked content from my client, then the ICAP will do a reqmod and
change the url to:
http://192.168.1.145:8089/blockpage.php?arg1=val1&arg2=val2
etc. This worked flawlessly when I had my browser configured to point
directly to the proxy server. But now that I am using transparent proxying I have
different behavior: if I access blocked content, on the client side I get a
"connection reset by peer" error (104) and on the server in the access.log I
get a TCP_MISS/502 line. I am wondering why this would be any different with
transparent proxying. Based on my configuration, do you think this is a
problem with my access control in squid.conf or is it a problem with
iptables? Here is my configuration again:

*squid.conf*
acl localnet src 192.168.1.0/24 # local network
acl localnet src 192.168.3.0/24 # vpn network
http_access allow localnet
http_access allow localhost
http_access none all
http_port 3128
http_port 3129 intercept
http_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

*iptables*
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F

# transparent proxy for vpn
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT --to-ports 192.168.1.145:3128
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 443 -j REDIRECT --to-ports 3128

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables --table nat --append POSTROUTING --out-interface ppp+ -j MASQUERADE
iptables -I INPUT -s 192.168.3.0/24 -i ppp+ -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT


Thanks for all the help.



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/HTTP-HTTPS-transparent-proxy-doesn-t-work-tp4667193p4667229.html
Sent from the Squid - Users mailing list archive at Nabble.com.
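To make Eliezer's advice concrete, here is an added, constructed example (not code from either poster or from Squid) of the two ways an ICAP REQMOD server can answer a blocked request: rewriting the request to point at the block page, as the poster's filter does, versus returning an HTTP 302 that leaves the intercepted request alone and makes the browser open its own connection to the block page. The block page URL and ISTag value are constructed from the thread; the ICAP message layout follows RFC 3507, where the Encapsulated header tells the proxy whether the payload is a request (req-hdr) or a response (res-hdr).

```python
import urllib.parse

CRLF = "\r\n"
ISTAG = '"blockpage-1"'  # constructed ICAP service tag, not from the thread


def block_page_url(base, **args):
    """Build the block page URL with its query arguments (shape taken from the thread)."""
    return base + "?" + urllib.parse.urlencode(args)


def reqmod_rewrite(block_url):
    """REQMOD answer that rewrites the client's request to fetch the block page.
    Encapsulated: req-hdr tells Squid the payload is a modified HTTP request,
    so Squid itself now connects to the block page host on the client's behalf."""
    u = urllib.parse.urlsplit(block_url)
    http_req = (f"GET {u.path}?{u.query} HTTP/1.1{CRLF}"
                f"Host: {u.netloc}{CRLF}{CRLF}")
    icap = (f"ICAP/1.0 200 OK{CRLF}ISTag: {ISTAG}{CRLF}"
            f"Encapsulated: req-hdr=0, null-body={len(http_req)}{CRLF}{CRLF}")
    return icap + http_req


def reqmod_redirect(block_url):
    """REQMOD answer that returns an HTTP 302 instead of a modified request (the
    approach recommended in the reply). Encapsulated: res-hdr tells Squid the
    payload is a response to hand straight back to the client; the browser then
    follows Location: to the block page on a connection of its own."""
    http_res = (f"HTTP/1.1 302 Found{CRLF}Location: {block_url}{CRLF}"
                f"Content-Length: 0{CRLF}{CRLF}")
    icap = (f"ICAP/1.0 200 OK{CRLF}ISTag: {ISTAG}{CRLF}"
            f"Encapsulated: res-hdr=0, null-body={len(http_res)}{CRLF}{CRLF}")
    return icap + http_res


def encapsulated_kind(icap_message):
    """Parse the Encapsulated header of an ICAP message and return the first
    entity name ('req-hdr' or 'res-hdr'), or None if the header is missing."""
    headers, _, _ = icap_message.partition(CRLF + CRLF)
    for line in headers.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "encapsulated":
            return value.strip().split(",")[0].split("=")[0].strip()
    return None
```

Running reqmod_rewrite and reqmod_redirect on the same block page URL and inspecting encapsulated_kind shows the only structural difference between the two answers: who ends up making the connection to 192.168.1.145:8089.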
