
Re: questions setting up transparent proxy

On 04/01/18 14:09, John Ratliff wrote:
> On 1/3/2018 3:26 PM, Antony Stone wrote:
>> On Wednesday 03 January 2018 at 21:06:42, John Ratliff wrote:
>>
>>> When I try to setup squid as a transparent proxy, I never get any
>>> response from Squid.
>>>
>>> When I try a wget request from a server that is being redirected
>>
>> How (and more importantly, where) are you doing the redirect?
>>
>>> Both machines are behind the same firewall. I used
>>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
>>> 10.77.9.120:3128
>>
>> If that firewall is not on the machine running Squid, then that's your problem.
>>
>>> Traffic flows to the server running squid. I can verify this with
>>> tcpdump. The packets are making it from wget to the server. I just don't
>>> know what happens after that.
>>
>> https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>
>> "NOTE: This configuration is given for use *on the squid box*. This is required
>> to perform intercept accurately and securely. To intercept from a gateway
>> machine and direct traffic at a *separate squid box* use policy routing."
>>
>> https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>
>>
>> Antony.


> Thanks. I put squid on the firewall itself. It works for http, but not for https. I get errors with curl and wget.
>
> $ curl https://debian.org
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
>
> $ wget https://debian.org
> --2018-01-03 20:02:45--  https://debian.org/
> Resolving debian.org (debian.org)... 5.153.231.4, 128.31.0.62, 130.89.148.14, ...
> Connecting to debian.org (debian.org)|5.153.231.4|:443... connected.
> GnuTLS: An unexpected TLS packet was received.
> Unable to establish SSL connection.
>
> I made some config changes:
>
> http_port 3128 intercept
> http_port 3129 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/squid.pem

That should be:

 https_port 3129 intercept ssl-bump generate-host-certificates=on \
   cert=/etc/squid/squid.pem

Note the 's' in https_port.



> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> ssl_bump bump all


This instructs Squid to bump before even receiving the client TLS handshake, i.e. generate a server certificate with zero details to work with about what the client wants.
That leads to a LOT of problems and security issues. Please do not do that.

See <https://wiki.squid-cache.org/Features/SslPeekAndSplice> for better config examples.



> Here are my PREROUTING nat table rules.
>
> REDIRECT tcp  --  10.77.9.0/24 anywhere tcp dpt:http redir ports 3128
> REDIRECT tcp  --  10.77.9.0/24 anywhere tcp dpt:https redir ports 3129
>
> And in the INPUT chain of the filter table:
>
> ACCEPT tcp  --  10.77.9.0/24 anywhere tcp dpt:3128
> ACCEPT tcp  --  10.77.9.0/24 anywhere tcp dpt:3129
>
> The server I am on has IP 10.77.9.102.



You appear to be missing the MASQUERADE rule to send packets back to the client.

Also the mangle table (*not* filter) rules are important to block external traffic directly to those Squid ports without interfering with the NAT operations.

<https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
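The setup Amos is pointing at, written out as one script. This is an added example, not code from the thread or from the Squid project: it follows the LinuxRedirect wiki pattern for a Squid box that is itself the gateway, adds the MASQUERADE and mangle-table rules John's rule set lacked, and pairs them with a squid.conf fragment that uses https_port (not http_port) for 3129 and peeks at SslBump1 before bumping, so the generated certificate is based on what the client actually asked for. The LAN range, the outbound interface name eth0, the certificate path and the helper path are assumed placeholders; the ports match the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): intercept rules
# and matching squid.conf for Squid running on the gateway itself.
# Hypothetical values: LAN 10.77.9.0/24, outbound interface eth0,
# intercept ports 3128 (http) and 3129 (https).
# Run "sh intercept.sh apply" as root to load the rules, or run with
# IPT=echo to print them instead.

LAN="${LAN:-10.77.9.0/24}"       # clients to intercept (assumed)
WAN_IF="${WAN_IF:-eth0}"         # outbound interface (assumed)
HTTP_PORT=3128                   # http_port ... intercept
HTTPS_PORT=3129                  # https_port ... intercept ssl-bump
IPT="${IPT:-iptables}"

# Print one iptables invocation per line (arguments only), so the rule set
# can be reviewed before it is applied.
intercept_rules() {
    for pair in "80:$HTTP_PORT" "443:$HTTPS_PORT"; do
        dport=${pair%%:*}
        to=${pair##*:}
        # Drop connections aimed directly at the intercept port. The mangle
        # PREROUTING chain is evaluated before nat PREROUTING, so redirected
        # packets still carry dport 80/443 here and pass untouched; only
        # clients that target 3128/3129 themselves are dropped.
        echo "-t mangle -A PREROUTING -p tcp --dport $to -j DROP"
        # Send LAN clients' port 80/443 connections to the intercept listener.
        echo "-t nat -A PREROUTING -s $LAN -p tcp --dport $dport -j REDIRECT --to-port $to"
        # Let the redirected connections reach Squid in the filter table.
        echo "-t filter -A INPUT -s $LAN -p tcp --dport $to -j ACCEPT"
    done
    # Squid's own outbound fetches leave with the firewall's address.
    echo "-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Apply every rule line with $IPT (iptables by default, echo for a dry run).
apply_rules() {
    intercept_rules | while IFS= read -r rule; do
        # Word splitting of $rule is intentional: each line is an argument list.
        # shellcheck disable=SC2086
        $IPT $rule
    done
}

# squid.conf fragment matching the rules above. The ssl_crtd helper path is
# the one used in the thread (Squid 3.5 era); the certificate path is assumed.
# "peek" at step 1 reads the client hello (SNI etc.) before "bump" generates
# a certificate, instead of bumping blind with "ssl_bump bump all" alone.
squid_conf() {
    cat <<EOF
http_port $HTTP_PORT intercept
https_port $HTTPS_PORT intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squid.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Two things to check after loading this: `iptables -t nat -L PREROUTING -n` and `iptables -t mangle -L PREROUTING -n` should show the REDIRECT and DROP entries in that order of evaluation, and a client on the LAN that connects straight to 10.77.9.x:3129 should time out rather than get a Squid response. Bumping is a deliberate TLS interception of the clients, so they must trust the CA in squid.pem or every https fetch will fail with a certificate error instead of the "unknown protocol" error the thread shows.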