[squid-users] 4.0.21 Ssl bump access denied

snable snable thesnable at gmail.com
Sun Nov 12 12:25:00 UTC 2017


Access.log shows this for www.heise.de on https:

NECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.731      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.836      1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html
1510489280.892      1 192.168.1.200 TCP_MISS/503 4703 GET https://www.heise.de/favicon.ico - ORIGINAL_DST/192.168.1.222 text/html
1510489283.136      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
1510489283.224      1 192.168.1.200 TCP_MISS/503


On 12.11.2017 12:46, "snable snable" <thesnable at gmail.com> wrote:


Hey,

thanks.

I post the details:

I have an openwrt box. Clients are attached there to the 192.168.2.0/24
network via NAT. I attached the router as a WAN device on my 192.168.1.0/24
with 192.168.1.254 as my internet gateway.

I have a squidbox with squid 4 running on ports 3128 and 3129 and 3130.
I forward the traffic from the openwrt via:


iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s 192.168.1.222
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 443 -s 192.168.1.222
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 443
ip rule add fwmark 3 table 2
ip route add default via 192.168.1.222 dev eth0.2 table 2

On the squid box I redirected it via

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128


HTTP works fine.


HTTPS brings:

ERROR: The requested URL could not be retrieved
------------------------------

The following error was encountered while trying to retrieve the URL:
https://192.168.1.222/

Connection to 192.168.1.222 failed.

The system returned: (111) Connection refused

The remote host or network may be down. Please try the request again.

Your cache administrator is webmaster.




I had this working a while ago but I forget how.


On 08.11.2017 05:32, "Amos Jeffries" <squid3 at treenet.co.nz> wrote:

> On 08/11/17 04:52, snable snable wrote:
>
>> Hello
>>
>> I forward from my openwrt router the traffic for 443 and 80 to my squid
>> box to port 3129 and 3128
>>
>>
> What do you mean by "forward" ?
>
> Any dst-IP:port NAT operation *MUST* only happen on the Squid device
> itself or _later_ down the traffic path. Traffic must be *routed* to that
> Squid device.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
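An added diagnostic, not part of this thread and not Squid's own code: it parses access.log lines in the native format quoted above and flags requests whose ORIGINAL_DST peer or CONNECT target is one of the proxy's own addresses, which is the pattern in the log above and the reason Squid ends up connecting back to 192.168.1.222 and getting "(111) Connection refused". The proxy address list and the sample lines (including a healthy line with a constructed 203.0.113.10 destination) are assumptions.

```python
import re
from ipaddress import ip_address

# Squid native access.log layout, one request per line:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Fields of one access.log line, or None if it is not in the native format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_self_loops(lines, proxy_addrs):
    """Entries whose ORIGINAL_DST peer or CONNECT target is the proxy itself.

    In intercept mode ORIGINAL_DST/<ip> is the destination Squid recovered from
    the NAT table; if that is one of the proxy's own addresses, the real
    destination was rewritten before the packet reached the proxy, and Squid
    can only connect back to itself ("(111) Connection refused").
    """
    self_addrs = {ip_address(a) for a in proxy_addrs}
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        candidates = [entry["peer"]] if entry["hier"] == "ORIGINAL_DST" else []
        if entry["method"] == "CONNECT":
            candidates.append(entry["url"].rsplit(":", 1)[0])  # drop the :port
        for cand in candidates:
            try:
                if ip_address(cand) in self_addrs:
                    hits.append(entry)
                    break
            except ValueError:
                pass  # hostname rather than an IP literal; not comparable here
    return hits

# Constructed sample: two lines shaped like the log above, plus one healthy
# line whose destination is a documentation address, not the proxy.
SAMPLE = [
    "1510489280.731      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -",
    "1510489280.836      1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html",
    "1510489290.100      5 192.168.1.200 TCP_MISS/200 8123 GET https://example.org/ - ORIGINAL_DST/203.0.113.10 text/html",
]
```

Run it against a real access.log with the proxy box's own addresses; any hit means destination NAT is happening before the Squid device, which is exactly what the reply above says must not happen.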