I'm trying to set up a Squid proxy to use in one of our AWS accounts. If I put Squid in with a basic http/https filtering setup (no interception) it all works great, but the problem is my company wants us to do HTTPS interception, so I need to use ssl bump. Now if I set Squid up following the AWS guide for SSL bumping ( https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/ ) and make the Squid instance have traffic default routed to it, everything works perfectly. BUT, we can't route directly to it as we already have NAT Gateways we need to keep, so I need to send traffic to it either direct or via an ELB and have clients configured to where Squid is. I thought if I just take the same instance which works when routed and direct traffic to it, everything would work, but no. Turns out as soon as I turn on interception such as "http_port 3129 intercept", traffic drops. In the access log the ORIGINAL_DST is incorrect with the intercept option in use, as it shows the local IP of the Squid proxy. If I remove intercept it works, shown below.

1527022455.315 178 10.10.7.36 TCP_MISS/503 3944 GET http://www.google.com/ - ORIGINAL_DST/10.10.3.214 text/html
(original_dst is squid local IP, not working)

1527022535.319 170 10.10.7.36 TCP_MISS/200 12194 GET http://www.google.com/ - HIER_DIRECT/216.58.196.132 text/html
(remove intercept, original_dst is correct and works)

Any ideas why this is and why it works OK if I route traffic direct and don't tell the clients specifically to talk to the proxy with export http_proxy etc.?
My squid.conf is this (no blocking atm):

    visible_hostname squid

    # Handling HTTP requests
    http_port 3129 intercept
    http_access allow all

    # Handling HTTPS requests
    https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
    acl SSL_port port 443
    http_access allow SSL_port

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    ssl_bump peek step1 all
    ssl_bump peek step2 all
    ssl_bump splice step3 all
    ssl_bump terminate step2 all

    http_access deny all

And my iptables simply has:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130

Thanks guys!

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
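One way to spot the condition described in this post in an access.log, as an added example that is not part of the original message: a Python script that parses Squid's native log format and flags ORIGINAL_DST entries whose destination is one of the proxy's own addresses. The two sample lines are the ones quoted in the post, and the proxy address 10.10.3.214 is taken from them; everything else (function names, the Entry class) is this example's own.

```python
"""Flag Squid access.log entries whose ORIGINAL_DST is the proxy's own address.

On an "intercept" port Squid recovers the client's real destination from the
kernel NAT table (the REDIRECT entry). When a client has instead been told to
talk to the proxy directly (http_proxy=..., or through a load balancer) there
is no such entry, so the lookup yields the proxy's own listening address and
the request fails (TCP_MISS/503). This script detects that pattern.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class Entry:
    client: str
    status: str      # e.g. "TCP_MISS/503"
    url: str
    hierarchy: str   # e.g. "ORIGINAL_DST" or "HIER_DIRECT"
    peer: str        # address the request was forwarded to


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line: ts elapsed client action/code bytes
    method url ident hierarchy/peer type. Returns None for unparseable lines."""
    fields = line.split()
    if len(fields) < 10 or "/" not in fields[8]:
        return None
    hierarchy, _, peer = fields[8].partition("/")
    return Entry(client=fields[2], status=fields[3], url=fields[6],
                 hierarchy=hierarchy, peer=peer)


def find_intercept_loops(lines: Iterable[str], proxy_ips: Set[str]) -> List[Entry]:
    """Return entries whose original destination resolved to the proxy itself."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry.hierarchy == "ORIGINAL_DST" and entry.peer in proxy_ips:
            hits.append(entry)
    return hits


# Sample input: the two log lines quoted in the post above.
SAMPLE_LOG = [
    "1527022455.315 178 10.10.7.36 TCP_MISS/503 3944 GET http://www.google.com/ - ORIGINAL_DST/10.10.3.214 text/html",
    "1527022535.319 170 10.10.7.36 TCP_MISS/200 12194 GET http://www.google.com/ - HIER_DIRECT/216.58.196.132 text/html",
]

if __name__ == "__main__":
    for e in find_intercept_loops(SAMPLE_LOG, {"10.10.3.214"}):
        print(f"{e.client} -> {e.url} [{e.status}]: ORIGINAL_DST is the proxy itself "
              f"({e.peer}); client reached an 'intercept' port without a NAT REDIRECT")
```

Running it against the post's two lines reports only the first one; the HIER_DIRECT line from the non-intercept run is not flagged.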