[squid-users] Setting up a transparent http and https proxy server using squid 4.6

jean francois hasson jfhasson at club-internet.fr
Sat Jan 2 10:26:03 UTC 2021


Hi,

Thank you Amos Jeffries and Antony Stone. It seems the configuration I 
have provides the functionality of filtering I am looking for.

There is a strange behavior I can see when accessing some legitimate 
sites, which I see traces of in cache.log:

    2021/01/02 10:55:48 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
    2021/01/02 10:57:31 kid1| ERROR: negotiating TLS on FD 39: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
    2021/01/02 10:57:31 kid1| Error negotiating SSL connection on FD 38: error:00000001:lib(0):func(0):reason(1) (1/-1)
    2021/01/02 10:57:32 kid1| ERROR: negotiating TLS on FD 38: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
    2021/01/02 10:57:32 kid1| Error negotiating SSL connection on FD 35: error:00000001:lib(0):func(0):reason(1) (1/-1)
    2021/01/02 10:57:40 kid1| Starting new redirector helpers...
    2021/01/02 10:57:40 kid1| helperOpenServers: Starting 1/20 'squidGuard' processes
    2021/01/02 10:58:09 kid1| ERROR: negotiating TLS on FD 51: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
    2021/01/02 10:58:09 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)
    2021/01/02 10:58:10 kid1| ERROR: negotiating TLS on FD 51: error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback (1/-1/0)
    2021/01/02 10:58:10 kid1| Error negotiating SSL connection on FD 40: error:00000001:lib(0):func(0):reason(1) (1/-1)

I noticed other users of squid encountered similar issues but I did not 
find a clear answer to the issue. Is there a problem with my setup? I 
am not sure I will be able to solve it on my own! Any help would be 
appreciated.

Best regards,

JF Hasson

On 31/12/2020 at 10:14, Antony Stone wrote:
> On Thursday 31 December 2020 at 10:10:11, jean francois hasson wrote:
>
>> If I manually set up a proxy on a device connected to the access point,
>> i.e. 10.3.141.1 on port 8080, I can access the internet. If I put the
>> following rules for iptables to use in the file rules.v4:
>>
>> *nat
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.141.1:3128
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.141.1:3129
>> -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
>> -A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
> Try removing the DNAT rules above.  You should be using REDIRECT for intercept
> mode to work correctly.
>
>
> Antony.
>
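
The advice in the quoted reply can be checked mechanically. The following is an added example, not part of the original thread: it parses the nat rules quoted above (wrapped lines rejoined, embedded as constructed sample input) and flags PREROUTING DNAT rules plus any REDIRECT rule that an identical earlier match prevents from ever firing. The function names `parse_rule` and `audit_intercept` are hypothetical.

```python
import shlex

# Constructed sample: the nat rules quoted in the message, wrapped lines rejoined.
RULES_V4 = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.141.1:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.141.1:3129
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
"""

TERMINATING = {"DNAT", "REDIRECT"}  # nat targets that end traversal of the chain

def parse_rule(line):
    """Return (chain, match_tokens, target) for an '-A' rule line, else None."""
    if not line.startswith("-A "):
        return None
    tok = shlex.split(line)
    if "-j" not in tok[:-1]:
        return None
    j = tok.index("-j")
    return tok[1], tuple(tok[2:j]), tok[j + 1]

def audit_intercept(rules_text, chain="PREROUTING"):
    """Flag DNAT rules in `chain` and later rules with an identical match."""
    findings, seen, table = [], {}, None
    for n, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):          # table header such as "*nat"
            table, seen = line[1:], {}
            continue
        rule = parse_rule(line) if table == "nat" else None
        if not rule or rule[0] != chain or rule[2] not in TERMINATING:
            continue
        _, match, target = rule
        if match in seen:                 # first terminating rule wins
            findings.append((n, "shadowed", f"{target} is never reached: "
                             f"line {seen[match][0]} ({seen[match][1]}) matches first"))
        elif target == "DNAT":
            findings.append((n, "dnat", "DNAT used for interception; the reply advises REDIRECT"))
        seen.setdefault(match, (n, target))
    return findings

if __name__ == "__main__":
    for lineno, kind, msg in audit_intercept(RULES_V4):
        print(f"line {lineno}: [{kind}] {msg}")
```

Shadowing is detected only for rules whose match expression is token-for-token identical, which is the case in the quoted ruleset.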