[squid-users] Problem with Squid 3.4 and transparent SSL proxy

Job Job at colliniconsulting.it
Tue Nov 11 15:06:57 UTC 2014


Hello Eliezer,

first of all thank you for your patience and help!
I use these directives in iptables:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128 (for http)
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3129 (for https)

In a normal http-only transparent proxy everything works fine, but I would like to implement SSL bump for proxying https connections transparently.

When telnetting to 3128 or 3129 in intercept mode, from the Linux machine shell, it seems that the connection fails.
When telnetting to port 3128 not in interception mode (for standard http transparent proxying), the socket opens and stays connected!

The squid.conf section regarding SSL:

http_port 3128
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all


Thank you again,
Francesco


________________________________________
From: squid-users [squid-users-bounces at lists.squid-cache.org] on behalf of Eliezer Croitoru [eliezer at ngtech.co.il]
Sent: Tuesday 11 November 2014 15.31
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Problem with Squid 3.4 and transparent SSL proxy

Hey,

Your configuration seems to not include any iptables and other
relevant details.
What is this machine details?

Eliezer

On 11/11/2014 04:20 PM, Job wrote:
> Hello,
>
> I initialize correctly SSL Bump with Squid 3.4.4, following some
> guides. In iptables I redirect ports 80 and 443 to the squid ports.
>
> Squid starts with no error, lines involving SSL bump are the
> following:
>
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
>
> But no request arrives to squid.
>
> If I telnet, from the Linux machine, like this:
>
> telnet localhost 3128 or telnet localhost 3129, even though the
> socket is open (netstat -avn | grep 3128 and 3129), the connection
> closes immediately.
>
> I see no errors in cache.log, access.log and messages.
>
> Thank you, Francesco
