[squid-users] squid intercept mode for http & https

Ahmad Alzaeem ahmed.zaeem at netstream.ps
Sat Nov 21 16:02:56 UTC 2015


Hi Guys, I have a squid running in intercept mode 

I have a DNS that resolves all websites to the IP of the proxy 

I want the proxy to operate normally and not look at the
destination IP, since every packet will have the proxy's IP as its
destination IP

 

I want the proxy to operate based on the domain name.

 

So far I have squid listening on port 11611 in intercept mode, and I have
port 80 and 443 traffic hitting the Linux proxy server

 

Now I can't open either http or https.

 

Here are my settings below:

 

 

Here are the squid logs:

1448121483.753     xx.79.120 TCP_MISS/503 399 HEAD http://cnn.com/ -
ORIGINAL_DST/10.159.144.206 text/html

1448121485.740      0 xxx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ -
ORIGINAL_DST/10.159.144.206 text/html

1448121518.483      0 xx.79.120 TCP_MISS/503 399 HEAD http://cnn.com/ -
ORIGINAL_DST/10.159.144.206 text/html

1448121518.847      0 xx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ -
ORIGINAL_DST/10.159.144.206 text/html

1448121526.056      0 xx.79.120 TCP_MISS/503 399 HEAD http://cnn.com/ -
ORIGINAL_DST/10.159.144.206 text/html

1448121527.423      0 xx.79.120 TCP_MISS/503 4183 GET http://cnn.com/ -
ORIGINAL_DST/10.159.144.206 text/html

1448121554.217      0 xx.79.120 TCP_MISS/503 4771 GET http://cnn.com/ -
ORIGINAL_DST/10.159.144.206 text/html

1448121555.574      0 xx.79.120 TCP_MISS/503 4685 GET
http://cnn.com/favicon.ico - ORIGINAL_DST/10.159.144.206 text/html

 

 

root at ip-10-159-144-206:~# ifconfig

eth0      Link encap:Ethernet  HWaddr 22:00:0b:f9:70:59  

          inet addr:10.159.144.206  Bcast:10.159.144.255
Mask:255.255.255.192

          inet6 addr: fe80::2000:bff:fef9:7059/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:69462 errors:0 dropped:0 overruns:0 frame:0

          TX packets:27158 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 

          RX bytes:77163635 (77.1 MB)  TX bytes:8280045 (8.2 MB)

 

 

Squid.conf :

 

root at ip-10-159-144-206:~# cat /etc/squid/squid.conf

# NOTE(review): listing as pasted from a mailing-list post. Two bare lines
# below ('internal network', 'machines') are presumably mail-client wrapping
# of the preceding directive's trailing comment; squid would not parse them
# as directives if this text were copied verbatim — confirm against the
# real file.
#
# Resolver Squid itself uses (e.g. for Host headers). The post says the
# clients' DNS answers every name with the proxy's own address
# (10.159.144.206 per ifconfig), so client-side and Squid-side resolution
# disagree; the access.log lines all show ORIGINAL_DST/10.159.144.206.
dns_nameservers 8.8.8.8

############################

visible_hostname seerver.server

#

# Recommended minimum configuration:

#

 

# Example rule allowing access from your local networks.

# Adapt to list your (internal) IP networks from where browsing

# should be allowed

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network

acl localnet src 172.16.0.0/12  # RFC1918 possible internal network

# NOTE(review): 'xxx.0.0/16' looks redacted for the post; the line that
# follows it ('internal network') is presumably the wrapped tail of this
# trailing comment, not a separate directive.
acl localnet src xxx.0.0/16 xxx.0.0/16 192.168.0.0/16    # RFC1918 possible
internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

# NOTE(review): 'machines' on the next line is presumably the wrapped tail
# of this trailing comment, not a directive.
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
machines

 

acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

 

#

# Recommended minimum Access Permission configuration:

#

# Deny requests to certain unsafe ports

http_access deny !Safe_ports

 

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

 

# Only allow cachemgr access from localhost

http_access allow localhost manager

http_access deny manager

 

# We strongly recommend the following be uncommented to protect innocent

# web applications running on the proxy server who think the only

# one who can access services on "localhost" is a local user

#http_access deny to_localhost

 

#

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

#

 

# Example rule allowing access from your local networks.

# Adapt localnet in the ACL section to list your (internal) IP networks

# from where browsing should be allowed

http_access allow localnet

http_access allow localhost

# Plain forward-proxy listener on every address of the host. Together with
# the 'http_access allow all' just below, any source that can reach
# TCP/3128 can relay through this proxy, not only localnet.
http_port 3128

# And finally deny all other access to this proxy

# NOTE(review): this contradicts the comment above it — the stock
# squid.conf ends its http_access list with 'deny all'. With 'allow all'
# as the final rule the earlier 'allow localnet' / 'allow localhost'
# lines are moot and the proxy is open to unauthenticated sources.
http_access allow all

 

# Squid normally listens to port 3128

# NOTE(review): even uncommented, a plain http_port on 443 would not
# terminate TLS. Intercepting HTTPS needs an https_port ... intercept
# listener with ssl-bump configured, which this file does not have, and
# the iptables rule shown in the post only redirects TCP/80 — so 443
# traffic has no path into Squid with these settings.
#http_port 443 intercept

# Intercept listener targeted by the PREROUTING DNAT rule. Intercepted
# requests are keyed on the pre-NAT destination (logged as ORIGINAL_DST),
# which in every logged request is this same address 10.159.144.206 — the
# clients' DNS answer — so Squid presumably tries to reach the origin on
# this host's own port 80, where nothing listens; that would explain the
# uniform TCP_MISS/503 — confirm in cache.log.
http_port 10.159.144.206:11611 intercept

# Uncomment and adjust the following to add a disk cache directory.

#cache_dir ufs /var/cache/squid 100 16 256

 

# Leave coredumps in the first cache dir

coredump_dir /var/cache/squid

 

#

# Add any of your own refresh_pattern entries above these.

#

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

 

iptables settings:

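# Redirect TCP/80 arriving on this host into Squid's intercept listener
# (http_port 10.159.144.206:11611 intercept in squid.conf).
# As pasted the command was wrapped onto two lines without a continuation,
# which would run '--to-destination ...' as a separate command; joined here.
# Only TCP/80 is redirected — there is no companion rule for 443, so HTTPS
# never reaches Squid with these settings.
# Squid keys intercepted requests on the pre-NAT destination (ORIGINAL_DST in
# access.log); with the clients' DNS answering every name with this host's
# address, that destination is the proxy itself, which is presumably why
# every logged request ends in TCP_MISS/503.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 \
  -j DNAT --to-destination 10.159.144.206:11611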

 

 

any help ?????

 

cheers


