Re: IPTABLES - Can't redirect HTTPS traffic to external Squid

Hey,

Sorry, I misunderstood the scenario.
For now let's assume the packets are routed to the proxy properly, but let's try to understand: how do you route the traffic to the proxy?

Also, what is defined on the proxy's http_port?

Are you using artica proxy?
Where do you implement the iptables rules?

Eliezer


On Tue, 30 Jul 2024, 23:54, Bolinhas André <andre.bolinhas@xxxxxxxxxxxxxx> wrote:

Hi


Do you mean use this:

iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination 172.31.0.1:25976

iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j DNAT --to-destination 172.31.0.1:52406


instead of this:

iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 25976

iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 52406


?

Do I also need some kind of

-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

?


Best regards

Sent from Nine

From: NgTech LTD <ngtech1ltd@xxxxxxxxx>
Sent: Tuesday, 30 July 2024 14:44
To: Bolinhas André
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [squid-users] IPTABLES - Can't redirect HTTPS traffic to external Squid



Hey,

The DNAT rule should be done on the Squid itself.
You will need to re-route the relevant traffic over the IPsec tunnel to the Squid IP.
It's possible to do that over IPIP or GRE tunnels.

Eliezer


On Tue, 30 Jul 2024, 15:41, Bolinhas André <andre.bolinhas@xxxxxxxxxxxxxx> wrote:

I have an external proxy server connected by VPN (IPsec) to my main branch, and I'm trying to redirect all users' HTTP/HTTPS traffic to this proxy.

Scenario: Users -> Gateway (Main Branch) -> IPsec -> Squid Proxy (transparent mode)

In my Gateway (Main Branch) I have this test iptables rule, which is forwarding all the TCP/UDP traffic to the proxy server:

iptables -t nat -I PREROUTING -s 192.168.60.90 -p tcp -j DNAT --to-destination 172.31.0.1
iptables -t nat -I PREROUTING -s 192.168.60.90 -p udp -j DNAT --to-destination 172.31.0.1

In the Squid proxy server I have the following rules:

iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8081
iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8080

Everything is working correctly: HTTP traffic is OK, DNS is also working; the only exception is the HTTPS traffic. I can see the HTTPS traffic inside the Squid access.log, but on the client side I get a timeout:

1722265740.867      1 192.168.60.90 TCP_TUNNEL/200 0 CONNECT cnn.com:443 - HIER_DIRECT/51.210.183.2:443 - mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"

Can anyone help me understand if I'm missing some iptables rule to handle the HTTPS traffic?

Sent from Nine
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
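The thread turns on the difference between the two rule shapes quoted above (DNAT --to-destination ip:port versus REDIRECT --to-ports N) and on the fact that every rule was added with -I, which inserts at the top of the chain. The following is an added example, not code from the posters, from Squid or from Artica: a small Python model of the nat PREROUTING table that parses the exact commands quoted in the thread and shows what each one does to a constructed packet. It assumes a flat chain containing only these rules, and it models REDIRECT as iptables documents it (destination becomes the primary address of the receiving interface, passed in here as iface_addr, an assumed field). It covers only the destination rewrite; whether the rewritten packet is then forwarded, and whether replies route back through the same host, are separate questions a real deployment also has to get right.

```python
"""Model of how `iptables -t nat PREROUTING` rewrites a packet's destination.

Added example for the squid-users thread above; not the posters' code.
Supports the subset of options used in the thread: -s, -p, --dport, -j DNAT
--to-destination ip[:port], -j REDIRECT --to-ports N, plus -I/-A ordering.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    iface_addr: str   # assumed: primary address of the receiving interface (REDIRECT target)


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]
    proto: Optional[str]
    dport: Optional[int]
    target: str
    to_dest: Optional[Tuple[str, Optional[int]]]   # DNAT --to-destination ip[:port]
    to_ports: Optional[int]                        # REDIRECT --to-ports N
    position: str                                  # "I" = insert at top, "A" = append


def parse_rule(cmd: str) -> Rule:
    """Parse one `iptables -t nat {-I|-A} PREROUTING ...` command line."""
    toks = cmd.split()
    r = Rule(None, None, None, "", None, None, "A")
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-I", "-A"):
            r.position = t[1]; i += 2                       # skip the chain name too
        elif t == "-s":
            r.src = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
        elif t == "-p":
            r.proto = toks[i + 1].lower(); i += 2
        elif t == "--dport":
            r.dport = int(toks[i + 1]); i += 2
        elif t == "-j":
            r.target = toks[i + 1]; i += 2
        elif t == "--to-destination":
            host, _, port = toks[i + 1].partition(":")
            r.to_dest = (host, int(port) if port else None); i += 2
        elif t == "--to-ports":
            r.to_ports = int(toks[i + 1]); i += 2
        elif t in ("-m", "-t", "--comment"):
            i += 2                                          # match loaders, table, comment text
        else:
            i += 1                                          # the leading "iptables"
    if r.target == "DNAT" and r.to_dest is None:
        raise ValueError(f"DNAT without --to-destination: {cmd}")
    if r.target == "REDIRECT" and r.to_ports is None:
        raise ValueError(f"REDIRECT without --to-ports: {cmd}")
    if r.target not in ("DNAT", "REDIRECT"):
        raise ValueError(f"unsupported target in: {cmd}")
    return r


def build_chain(cmds: List[str]) -> List[Rule]:
    """Apply commands in the order an admin types them: -I prepends, -A appends."""
    chain: List[Rule] = []
    for c in cmds:
        r = parse_rule(c)
        chain.insert(0, r) if r.position == "I" else chain.append(r)
    return chain


def matches(r: Rule, p: Packet) -> bool:
    if r.src is not None and ipaddress.ip_address(p.src) not in r.src:
        return False
    if r.proto is not None and r.proto != p.proto:
        return False
    return r.dport is None or r.dport == p.dport


def prerouting(chain: List[Rule], p: Packet) -> Tuple[str, int, Optional[str]]:
    """Return (new_dst, new_dport, target) from the first matching rule; both targets terminate."""
    for r in chain:
        if not matches(r, p):
            continue
        if r.target == "DNAT":
            host, port = r.to_dest
            return host, (port if port is not None else p.dport), "DNAT"   # port kept if not given
        return p.iface_addr, r.to_ports, "REDIRECT"                        # REDIRECT: local address
    return p.dst, p.dport, None


# Rules exactly as quoted in the thread; the packets below are constructed.
GATEWAY_RULES = [
    "iptables -t nat -I PREROUTING -s 192.168.60.90 -p tcp -j DNAT --to-destination 172.31.0.1",
    "iptables -t nat -I PREROUTING -s 192.168.60.90 -p udp -j DNAT --to-destination 172.31.0.1",
]
PROXY_RULES = [
    "iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8081",
    "iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8080",
]


def trace(cmds: List[str], p: Packet) -> Tuple[str, int, Optional[str]]:
    return prerouting(build_chain(cmds), p)


if __name__ == "__main__":
    client_https = Packet("192.168.60.90", "51.210.183.2", "tcp", 443, "192.168.60.1")
    print("gateway :", trace(GATEWAY_RULES, client_https))
    at_proxy = Packet("192.168.60.90", "172.31.0.1", "tcp", 443, "172.31.0.1")
    print("proxy   :", trace(PROXY_RULES, at_proxy))
```

Because the -s match is a single /32, only the one test host is intercepted; keeping that scope narrow while debugging is the right default, since a transparent interception rule that matches too widely silently changes where every client's traffic goes.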
