Re: 4.0.21 Ssl bump access denied

[snable snable <thesnable@xxxxxxxxx>]

Access.log brings for www.heise.de on https

NECT 192.168.1.222:443 - HIER_NONE/- -          

1510489280.731      2 192.168.1.200 NONE/200 0 CO

NNECT 192.168.1.222:443 - HIER_NONE/- -          

1510489280.836      1 192.168.1.200 TCP_MISS/503 

4691 GET https://www.heise.de/ - ORIGINAL_DST/192

.168.1.222 text/html                             

1510489280.892      1 192.168.1.200 TCP_MISS/503 

4703 GET https://www.heise.de/favicon.ico - ORIGI

NAL_DST/192.168.1.222 text/html                  

1510489283.136      2 192.168.1.200 NONE/200 0 CO

NNECT 192.168.1.222:443 - HIER_NONE/- -          

1510489283.224      1 192.168.1.200 TCP_MISS/503 

Am 12.11.2017 12:46 schrieb "snable snable" <thesnable@xxxxxxxxx>:

hey

thanks:

i post in detail

i have an openwrt box. clients are attached there to the 192.168.2.0/24 network via nat. i attached the router as a wan device on my 192.168.1.0/24 with 192.168.1.254 as my internet gateway.

i have a squidbox  with squid 4 running on ports 3128 and 3129 and 3130.

 i forward the traffic from the openwrt via:

                                                

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp

 --dport 80 -s 192.168.1.222                     

iptables -t mangle -A PREROUTING -j MARK --set-ma

rk 3 -p tcp --dport 80                           

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp

 --dport 443 -s 192.168.1.222                    

iptables -t mangle -A PREROUTING -j MARK --set-ma

rk 3 -p tcp --dport 443                          

ip rule add fwmark 3 table 2                     

ip route add default via 192.168.1.222 dev eth0.2

 table 2

on the squid box redirected it via

iptables -A PREROUTING -t nat -i eth0 -p tcp --dp

ort 443 -j REDIRECT --to-port 3129               

                                                 

iptables -A PREROUTING -t nat -i eth0 -p tcp --dp

ort 80 -j REDIRECT --to-port 3128

http works fine

https brings:

ERROR

The requested URL could not be retrieved

---

The following error was encountered while trying to retrieve the URL: https://192.168.1.222/*

Connection to 192.168.1.222 failed.

The system returned: (111) Connection refused

The remote host or network may be down. Please try the request again.

Your cache administrator is webmaster.

i had this working a while ago but i forget how.

Am 08.11.2017 05:32 schrieb "Amos Jeffries" <squid3@xxxxxxxxxxxxx>:

On 08/11/17 04:52, snable snable wrote:

Hello

i forward from.my openwrt router the traffic for 443 and 80 to my squid box to port 3129 and 3128

What do you mean by "forward" ?

Any dst-IP:port NAT operation *MUST* only happen on the Squid device itself or _later_ down the traffic path. Traffic must be *routed* to that Squid device.


Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users