Hi,

I'm new to this list, so let me introduce myself. I'm a 50-year old Austrian living in Montpezat (South France), and I'm the manager of a small IT company with a focus on Linux and free software.

I've been using Squid for a few years, but only as a transparent HTTP proxy. Here's my blog article (in French) about that configuration on CentOS 7:

https://blog.microlinux.fr/squid-centos/

These last two weeks I've been experimenting quite a lot with using Squid as a transparent HTTP+HTTPS proxy. I've also written a blog article about this setup:

https://blog.microlinux.fr/squid-https-centos/

This configuration is running quite nicely, though I still have to sand down a few rough edges. I went through quite a lot of trial and error, using the Squid wiki as well as a handful of tutorials I found on the Internet.

Here's the section of my squid.conf file defining ports:

--8<-------------------------------------------------------------
# Proxy ports
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/amandine.sandbox.lan.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
--8<-------------------------------------------------------------

And here's the corresponding section of my firewall script:

--8<-------------------------------------------------------------
# Commands
IPT=/usr/sbin/iptables
SYS=/usr/sbin/sysctl
SERVICE=/usr/sbin/service

# Internet
IFACE_INET=enp2s0

# Local network
IFACE_LAN=virbr0
IFACE_LAN_IP=192.168.2.0/24

# Server
SERVER_IP=192.168.2.1

...

# Squid
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
  --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3129 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3129 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
  --dport 443 -j REDIRECT --to-port 3129
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3130 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3130 -j ACCEPT
--8<-------------------------------------------------------------

This configuration works perfectly and gives me no errors whatsoever, though I don't quite understand why I need all these ports.

When I used only HTTP, I had this configuration:

http_port 3128 transparent

So I wonder why it wasn't possible to have something like this:

http_port 3128 transparent
https_port 3129 transparent ssl-bump

I'm not sure about how the "intercept" mode works. As far as I understand, connections to port 80 get redirected to port 3128 by the firewall, but what then? Does "http_port 3128 intercept" mean that Squid redirects these again and sends them to its internal port 3130?

Similarly, connections to port 443 get redirected to port 3129 by the firewall, so far so good. But I don't understand how to read "https_port 3129 intercept". Again, does this mean that Squid redirects these to its internal port 3130, along with HTTP connections?

In short, my configuration works, but I'd like to get a better grasp on *how* it works.

Cheers from the sunny South of France,

Niki Kovacs

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info@xxxxxxxxxxxxx
Tél. : 04 66 63 10 32

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
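As an added consistency check (not part of Niki's post or of Squid), the script below parses the port section of squid.conf and the nat REDIRECT rules of the firewall script and verifies that every port the firewall redirects to is declared with `intercept` (for 443, an `https_port ... ssl-bump`), that every `intercept` port actually receives redirected traffic, and which ports are plain forward-proxy ports that need no REDIRECT rule at all. The sample inputs are the two snippets from the post with the script's shell variables expanded; the check itself is a constructed helper, not a Squid feature.

```python
import re

# Constructed sample input: the post's squid.conf port section and its
# REDIRECT rules, with $IFACE_LAN and $SERVER_IP already expanded.
SQUID_CONF = """\
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/amandine.sandbox.lan.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
"""
IPTABLES_RULES = """\
iptables -A PREROUTING -t nat -i virbr0 -p tcp ! -d 192.168.2.1 --dport 80 -j REDIRECT --to-port 3128
iptables -A PREROUTING -t nat -i virbr0 -p tcp ! -d 192.168.2.1 --dport 443 -j REDIRECT --to-port 3129
"""
NAT_MODES = {"intercept", "transparent"}  # Squid >= 3.1 treats "transparent" as "intercept"

def parse_squid_ports(conf):
    """Map each listening port to (directive, set of option keywords)."""
    ports = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(https?_port)\s+(?:\S*:)?(\d+)\s*(.*)", line)
        if m:
            directive, port, rest = m.groups()
            ports[int(port)] = (directive, {tok.split("=")[0] for tok in rest.split()})
    return ports

def parse_redirects(rules):
    """Return (original dport, REDIRECT target port) for each nat rule."""
    pat = r"--dport\s+(\d+).*-j\s+REDIRECT\s+--to-ports?\s+(\d+)"
    return [(int(m.group(1)), int(m.group(2)))
            for m in (re.search(pat, l) for l in rules.splitlines()) if m]

def check(conf, rules):
    """List mismatches between the firewall and squid.conf; empty means consistent."""
    ports, findings, redirected = parse_squid_ports(conf), [], set()
    for dport, target in parse_redirects(rules):
        redirected.add(target)
        if target not in ports:
            findings.append(f"REDIRECT to {target} but Squid does not listen there")
            continue
        directive, opts = ports[target]
        if not opts & NAT_MODES:   # NATed traffic without intercept: Squid cannot recover the original destination
            findings.append(f"port {target} receives NATed traffic but lacks 'intercept'")
        if dport == 443 and (directive != "https_port" or "ssl-bump" not in opts):
            findings.append(f"port {target} gets port-443 traffic but is not an https_port with ssl-bump")
        if dport == 80 and directive != "http_port":
            findings.append(f"port {target} gets port-80 traffic but is not an http_port")
    for port, (_, opts) in ports.items():
        if opts & NAT_MODES and port not in redirected:
            findings.append(f"port {port} is intercept but no firewall rule redirects traffic to it")
    return findings

def forward_proxy_ports(conf):
    """Ports without intercept/transparent: explicit forward proxy, no REDIRECT rule needed."""
    return sorted(p for p, (_, opts) in parse_squid_ports(conf).items() if not opts & NAT_MODES)
```

Run against the post's own configuration the check returns no findings and reports 3130 as the only explicit forward-proxy port, which is why the REDIRECT rules name only 3128 and 3129.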