On 11/12/19 3:48 am, aashutosh kalyankar wrote:
>
> Hi! I am trying to set up an HTTPS intercept proxy but I cannot get it to
> work. Can someone point me in the right direction?
>
> I tried following the tutorial @ https://www.youtube.com/watch?v=Bogdplu_lsE
> (Transparent HTTP+HTTPS Proxy with Squid and iptables) for the squid file,
> and https://github.com/diladele/squid-ubuntu for building squid 3.5 on
> ubuntu.
>
> *squid.conf file*
>
> acl clients src 172.16.10.0/24
> acl clients src 172.18.10.0/24
>
> http_access allow localhost
> http_access allow clients
> http_access deny all
> http_port 8080
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_certs/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>
> # only wait 5 seconds to terminate active connections
> shutdown_lifetime 5
>
> I am forced to use the old 3.5 version of squid as I am running a very old
> version of vSphere supporting ubuntu 14.04 and below.

Such things do not apply when building from source. You can build any
version which your build tools can handle. That should be any Squid-3.5
release, including the daily auto-generated code.

> *Squid Cache: Version 3.5.19*
> Service Name: squid
> Ubuntu linux
> configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector
> --param=ssp-buffer-size=4 -Wformat -Werror=format-security
> -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro
> -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
> '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man'
> '--enable-inline' '--disable-arch-native' '--enable-async-io=8'
> '--enable-storeio=ufs,aufs,diskd,rock'
> '--enable-removal-policies=lru,heap' '--enable-delay-pools'
> '--enable-cache-digests' '--enable-icap-client'
> '--enable-follow-x-forwarded-for'
> '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
> '--enable-auth-digest=file,LDAP'
> '--enable-auth-negotiate=kerberos,wrapper'
> '--enable-auth-ntlm=fake,smb_lm'
> '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group'
> '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
> '--enable-icmp' '--enable-zph-qos' '--enable-ecap'
> '--disable-translation' '--with-swapdir=/var/spool/squid'
> '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
> '--with-filedescriptors=65536' '--with-large-files'
> '--with-default-user=proxy' '--with-openssl' '--enable-ssl'
> '--enable-ssl-crtd' '--enable-build-info=Ubuntu linux'
> '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2
> -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE
> -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
> 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4
> -Wformat -Werror=format-security'
>
>
> *Firewall & NAT rules added*
> sudo iptables -A INPUT -j ACCEPT -p tcp --dport 3128 -m comment --comment "squid http proxy"
> sudo iptables -A INPUT -j ACCEPT -p tcp --dport 3129 -m comment --comment "squid https proxy"
> sudo iptables -A INPUT -j ACCEPT -p tcp --dport 8080 -m comment --comment "squid http8080 proxy"

Irrelevant unless you have a local policy of requiring these for any port
to receive traffic.

There should be mangle table PREROUTING chain rule(s) to DROP or REJECT
any packets headed to Squid intercept ports.

>
> sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -m comment --comment "transparent http proxy" -j REDIRECT --to-ports 3128
> sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -m comment --comment "transparent https proxy" -j REDIRECT --to-ports 3129
> sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -m comment --comment " http 8080 proxy" -j REDIRECT --to-ports 8080

You already REDIRECT port 80 to port 3128. This last rule will do nothing.

>
> *CACHE.log*
> My machine ip: 172.16.10.5
> Squid server ip (vmware): 172.18.10.15
> 2019/12/09 19:42:00.677 kid1| SECURITY ALERT: Host header forgery detected on local=172.18.10.15:3128 remote=172.16.10.5:35346 FD 21 flags=33 (intercepted port does not match 443)

Squid is receiving a request for the URL https://172.18.10.15:3128/ or
equivalent.

It looks to me like you are making the classic mistake of sending traffic
directly to the Squid intercept port.

To test an interceptor proxy you MUST have a client making normal requests
like you would see them do in a production environment ... directly to the
HTTP(S) origin servers. Let the intercept/NAT systems catch the traffic and
deliver it to the proxy - only then will that proxy have a chance at
working as intended.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
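The diagnosis in the reply above, as an added example that is not Squid's own code: a simplified Python model of the intercepted-port check behind the "Host header forgery" alert. With REDIRECT the kernel records the client's real destination (SO_ORIGINAL_DST), so the port agrees with the request; a client that connects straight to the intercept port has no NAT entry, the lookup degrades to the proxy's own listening address, and the port mismatch produces the very line seen in the cache.log. The Conn structure, the request_port field and the 203.0.113.10 origin address are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conn:
    """One accepted TCP connection, in the terms Squid uses in cache.log (constructed model)."""
    remote: str                  # client address, e.g. "172.16.10.5:35346"
    local: str                   # Squid's listening socket, e.g. "172.18.10.15:3129"
    original_dst: Optional[str]  # destination the kernel recorded before REDIRECT
                                 # (SO_ORIGINAL_DST); None when no NAT entry exists
    request_port: int            # port implied by the request: 443 for TLS, 80 for plain HTTP


def port_of(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])


def intercepted_dst(conn: Conn) -> str:
    """Where the client really wanted to go. Without a NAT entry the lookup
    falls back to the proxy's own listening address, which is the tell-tale."""
    return conn.original_dst or conn.local


def check_intercepted_port(conn: Conn) -> Optional[str]:
    """Return the cache.log alert this connection would raise, or None when the
    intercepted destination port agrees with the request (simplified model)."""
    if port_of(intercepted_dst(conn)) != conn.request_port:
        return (f"SECURITY ALERT: Host header forgery detected on local={conn.local} "
                f"remote={conn.remote} (intercepted port does not match {conn.request_port})")
    return None


# Constructed sample connections: client and proxy addresses are those from the
# thread; 203.0.113.10 is a documentation-range stand-in for a real origin server.
DIRECT_TO_PROXY = Conn(remote="172.16.10.5:35346", local="172.18.10.15:3128",
                       original_dst=None, request_port=443)
NAT_REDIRECTED = Conn(remote="172.16.10.5:35350", local="172.18.10.15:3129",
                      original_dst="203.0.113.10:443", request_port=443)

if __name__ == "__main__":
    for c in (DIRECT_TO_PROXY, NAT_REDIRECTED):
        print(check_intercepted_port(c) or f"ok: {c.remote} -> {intercepted_dst(c)}")
```

The direct connection reproduces the alert from the thread (minus the FD/flags fields), while the NAT-redirected one passes because the recorded original destination still carries port 443.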