[squid-users] original_dst wrong when using intercept

monopot andy.roberts at wexinc.co.nz
Tue May 22 21:27:43 UTC 2018


I'm trying to set up a Squid proxy to use in one of our AWS accounts. If I
put Squid in with a basic HTTP/HTTPS filtering setup (no interception) it
all works great, but the problem is my company wants us to do HTTPS
interception, so I need to use SSL Bump.

Now if I set Squid up following the AWS guide for SSL bumping
(https://aws.amazon.com/blogs/security/how-to-add-dns-filtering-to-your-nat-instance-with-squid/)
and have traffic default-routed to the Squid instance, everything works
perfectly. BUT we can't route directly to it, as we already have NAT
Gateways we need to keep, so I need to send traffic to it either directly or
via an ELB and have the clients configured to use Squid. I thought if I
just took the same instance which works when routed, and directed traffic to
it, everything would work, but no.

It turns out that as soon as I turn on interception, such as "http_port 3129
intercept", traffic drops. In the access log the ORIGINAL_DST is incorrect
when the intercept option is in use, as it shows the local IP of the Squid
proxy. If I remove intercept it works, as shown below.

1527022455.315    178 10.10.7.36 TCP_MISS/503 3944 GET http://www.google.com/ - ORIGINAL_DST/10.10.3.214 text/html
  (original_dst is Squid's local IP; not working)
1527022535.319    170 10.10.7.36 TCP_MISS/200 12194 GET http://www.google.com/ - HIER_DIRECT/216.58.196.132 text/html
  (intercept removed; original_dst is correct and works)

Any ideas why this is, and why it works OK if I route traffic directly and
don't tell the clients specifically to talk to the proxy with
"export http_proxy" etc.?

My squid.conf is this (no blocking at the moment):

visible_hostname squid

#Handling HTTP requests
http_port 3129 intercept
http_access allow all

#Handling HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 all
ssl_bump splice step3 all
ssl_bump terminate step2 all

http_access deny all


And my iptables rules are simply:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130


Thanks guys!

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
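An added example, written for this archive page rather than taken from the post or from Squid's own code. It reproduces in Python what a Squid "intercept" port has to do to find out where a client was really going: on Linux it asks netfilter's conntrack table, via the SO_ORIGINAL_DST socket option, for the destination the client used before the iptables REDIRECT rule rewrote it. A loopback listener stands in for the proxy and a plain connection to it stands in for a client that was configured to talk to the proxy directly (or that arrived via an ELB); the "proxy" address 10.10.3.214 is taken from the log lines in the post, and the two sample log lines are those lines re-joined onto single lines. Everything else (function names, the loopback setup) is this example's own.

```python
"""Added example for the squid-users post above; not code from the post or
from Squid. Shows how an intercepting proxy recovers the original
destination on Linux, and why that destination is the proxy's own address
when the client connected to the proxy directly instead of being REDIRECTed.
"""
import re
import socket
import struct

# Linux-only getsockopt option from <linux/netfilter_ipv4.h>: ask conntrack
# for the destination the client used *before* REDIRECT/DNAT rewrote it.
SO_ORIGINAL_DST = 80


def original_dst(conn):
    """Recover the client's original destination for an accepted TCP socket.

    Returns (ip, port, via). via == "netfilter" when conntrack answered and
    "local" when the lookup failed (no conntrack entry, module not loaded,
    non-Linux host) and the accepted socket's own local address is all that
    is left. For a connection that was never NATed, conntrack's answer is
    *also* the local address: the client genuinely connected to the proxy,
    so there is no other destination to recover.
    """
    try:
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
        # struct sockaddr_in: sin_family(2) sin_port(2, big-endian)
        #                     sin_addr(4) sin_zero(8)
        port, packed_ip = struct.unpack("!2xH4s8x", raw)
        return socket.inet_ntoa(packed_ip), port, "netfilter"
    except OSError:
        ip, port = conn.getsockname()[:2]
        return ip, port, "local"


def is_self_directed(dst_ip, dst_port, listener):
    """True when the recovered destination is the proxy's own listening
    socket: forwarding the request there would loop back to the proxy, which
    is what the ORIGINAL_DST/<proxy IP> TCP_MISS/503 line in the post shows."""
    return (dst_ip, dst_port) == tuple(listener.getsockname()[:2])


def demo_direct_to_proxy():
    """Client configured to talk straight to the 'proxy' (a loopback
    listener, no REDIRECT rule). Returns (ip, port, via, self_directed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    try:
        ip, port, via = original_dst(conn)
        return ip, port, via, is_self_directed(ip, port, srv)
    finally:
        conn.close()
        cli.close()
        srv.close()


# Squid "squid" log format: ts elapsed client code/status bytes method URL
# user hierarchy/peer content-type.
ACCESS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
)

# The two access.log lines quoted in the post, re-joined onto single lines.
SAMPLE_LOG = [
    "1527022455.315    178 10.10.7.36 TCP_MISS/503 3944 GET http://www.google.com/ - ORIGINAL_DST/10.10.3.214 text/html",
    "1527022535.319    170 10.10.7.36 TCP_MISS/200 12194 GET http://www.google.com/ - HIER_DIRECT/216.58.196.132 text/html",
]


def flag_self_directed(line, proxy_ips):
    """Detection over access.log: a request whose hierarchy is ORIGINAL_DST
    and whose peer is one of the proxy's own addresses means an intercept
    port received a connection that was not REDIRECTed to it."""
    m = ACCESS_LINE.match(line)
    if not m:
        raise ValueError("not a squid-format access.log line: %r" % line)
    return m["hier"] == "ORIGINAL_DST" and m["peer"] in proxy_ips


if __name__ == "__main__":
    print(demo_direct_to_proxy())
    for sample in SAMPLE_LOG:
        print(flag_self_directed(sample, {"10.10.3.214"}), sample)
```

Whether conntrack answers or the lookup fails, the recovered destination for a direct connection is the listener itself, which is exactly the ORIGINAL_DST/10.10.3.214 the post's log shows. An "intercept" port can therefore only serve traffic that reaches it through the REDIRECT rules; clients that are configured to use the proxy, or that arrive through a load balancer that rewrites the destination, have to be served by a plain forward-proxy http_port (with ssl-bump on that port if CONNECT tunnels are to be inspected), where the origin server comes from the request URL or CONNECT target rather than from netfilter.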