Hi,
Thank you Amos Jeffries and Antony Stone. It seems the configuration I have provides the functionality of filtering I am looking for.
There is a strange behavior I can see when accessing some legitimate sites, which I see traces of in cache.log:
2021/01/02 10:55:48 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2021/01/02 10:57:31 kid1| ERROR: negotiating TLS on FD 39: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:57:31 kid1| Error negotiating SSL connection on FD 38: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:57:32 kid1| ERROR: negotiating TLS on FD 38: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:57:32 kid1| Error negotiating SSL connection on FD 35: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:57:40 kid1| Starting new redirector helpers...
2021/01/02 10:57:40 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
2021/01/02 10:58:09 kid1| ERROR: negotiating TLS on FD 51: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:58:09 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)
2021/01/02 10:58:10 kid1| ERROR: negotiating TLS on FD 51: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
2021/01/02 10:58:10 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)
I noticed other users of squid encountered similar issues, but I did not find a clear answer to the issue. Is there a problem with my setup? I am not sure I will be able to solve it on my own! Any help would be appreciated.
Best regards,
JF Hasson
On Thursday 31 December 2020 at 10:10:11, jean francois hasson wrote:
> If I set up on a device connected to the access point a proxy manually i.e. 10.3.141.1 on port 8080, I can access the internet. If I put the following rules for iptables to use in files rules.v4:
>
> *nat
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.141.1:3128
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.141.1:3129
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
> -A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE

Try removing the DNAT rules above. You should be using REDIRECT for intercept mode to work correctly.

Antony.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users