[squid-users] problem in configuring squid

Shark myshark at gmail.com
Tue Oct 4 15:42:19 UTC 2016


Sorry for my bad English,

I want to make an anonymous HTTPS & HTTP proxy that passes any request
through without decrypting or changing it, only changing the IP address
from the client IP to my server's IP address, and define the IP
addresses of the websites that I want to access from my client in
/etc/hosts.
So I tried to install Squid on my server, and it works well when I set
the proxy in the client with the server IP and port 3128: I can access
HTTP & HTTPS behind this proxy.
But when I try to use /etc/hosts I cannot access HTTPS websites. I have
tried to install Squid many times with every install instruction that I
found by googling.
I have a server with CentOS 7 with one valid internet IP address.

To explain more of what I want to do: I need my Squid to work like this IP,
173.161.0.227.
When I add 173.161.0.227 www.iplocation.net to my client /etc/hosts
I can browse https://www.iplocation.net, which tells me my client IP address
is 173.161.0.227.
I want my proxy server to do the same as 173.161.0.227.

My problem now, with the config below, is:

When I define 216.55.x.x www.iplocation.net in /etc/hosts on my client I
cannot access https://www.iplocation.net; it hangs on connecting and then
gives me a timeout error.
I would appreciate help resolving this problem.
I asked it before at
http://serverfault.com/questions/805413/squid-with-iptables-bypass-https
but I could not resolve it.

My iptables config is:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130

My squid config is:

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 127.0.0.1

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

http_access allow !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow manager
http_access allow localnet
http_access allow localhost
http_access allow all

http_port 3128
http_port 80
http_port 0.0.0.0:3129 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
https_port 0.0.0.0:3130 ssl-bump intercept cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

cache_dir ufs /var/cache/squid 100 16 256

coredump_dir /var/cache/squid

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
sslcrtd_children 50 startup=1 idle=1

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

ssl_bump peek all
ssl_bump splice all
ssl_bump bump all

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
forwarded_for delete

On Tue, Oct 4, 2016 at 4:44 PM, Antony Stone <
Antony.Stone at squid.open.source.it> wrote:

> On Tuesday 04 October 2016 at 14:51:13, Mehdi Yeganeh wrote:
>
> > Thanks for the quick reply,
> > I need to use my server, I configure my IP address in some software like
> > antivirus and ...
>
> ... and what?
>
> I do not understand what antivirus software has to do with our discussion.
> Please give details, don't just write "...".
>
> > So, I want all of that working
>
> All of what?
>
> > with my server ip address and for this reason I cannot use torproxy or
> > torproject. I need a proxy server (squid) on my server
>
> In that case install Squid on your server.  What is the problem?
>
> > More details about 173.161.0.227:
> > Its sophos web appliance that use squid on debian and using some other
> > proxy software (Astaro HttpProxy) with squid and
> > iptables for forwarding ports. but i can`t find the other proxy software
> > for download. so, i just have squid alone (although iptables is present)
>
> Okay, so I understand that the machine on that IP address (which appears
> to be serving Pennoyer School in Illinois, with connectivity provided by
> Comcast) is a "Sophos web appliance" - some sort of combined firewall /
> proxy / port forwarder.
>
> What is the relevance of that machine to your question?
>
> > Please tell me that should i use other tools or squid can do it?
>
> Do what?
>
> Please explain exactly what it is you are trying to achieve, and hoping
> that Squid is a solution for.
>
>
> Regards,
>
>
> Antony.
>
> --
> Police have found a cartoonist dead in his house.  They say that details
> are currently sketchy.
>
>                                                    Please reply to the list;
>                                                          please *don't* CC me.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
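An added example (not from the thread or from the Squid project) that models Squid's first-match http_access evaluation over the rules posted above, so the effect of `allow !Safe_ports` on the first line can be compared with the stock squid.conf `deny !Safe_ports`. The ACL table is re-typed from the posted config; the localhost/manager built-ins and the request dict shape are assumptions of this example.

```python
import ipaddress

# Simplified model of Squid http_access evaluation: lines are checked in order,
# every ACL on a line must match (AND), "!" negates one ACL, the first matching
# line decides, and if nothing matches Squid applies the opposite of the last
# line's action.  ACL table re-typed from the posted squid.conf; "localhost",
# "manager" and "all" are Squid built-ins modelled by hand (assumption).
ACLS = {
    "localnet": ("src", ["10.0.0.0/8", "fc00::/7", "fe80::/10", "127.0.0.1/32"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591),
                            (777, 777)]),
    "CONNECT": ("method", ["CONNECT"]),
    "localhost": ("src", ["127.0.0.1/32", "::1/128"]),
    "manager": ("manager", []),
    "all": ("all", []),
}
# The http_access lines exactly as posted in the thread.
POSTED = [
    ("allow", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost", "manager"]),
    ("allow", ["manager"]),
    ("allow", ["localnet"]),
    ("allow", ["localhost"]),
    ("allow", ["all"]),
]
# Same list, but the first line as it appears in the stock squid.conf.
STOCK_DEFAULT = [("deny", ["!Safe_ports"])] + POSTED[1:]

def acl_matches(name, req):
    # req is a constructed dict: src (IP string), dport (int), method, manager
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(n) for n in values)
    if kind == "port":
        return any(lo <= req["dport"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    if kind == "manager":
        return bool(req.get("manager", False))
    return True  # "all"

def evaluate(req, rules=POSTED):
    """Return (decision, 1-based index of the deciding line or None)."""
    for i, (action, acls) in enumerate(rules, 1):
        if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None
```

With the posted order, a CONNECT to a non-safe port such as 25 is allowed by line 1 before the CONNECT/SSL_ports line is ever reached; with the stock first line it is denied there.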