[squid-users] Squid 4.8+ intercept

ngtech1ltd at gmail.com ngtech1ltd at gmail.com
Thu Aug 18 14:05:29 UTC 2022


Hey K,

I need your Mikrotik and squid.conf and iptables to understand what the issue might be.
You will need to describe your setup in a way I can relate to it.
There is not much of a difference between port 80 and 443, just that the port needs to have ssl-bump settings if you are using it.
The CONNECT port is a simple forward proxy and it seems your setup is not as simple as you describe.
If you do have NAT then you need this to be only on specific interfaces in the Mikrotik and the Squid server.

In my case the basic setup works for a very long time now so I cannot imagine what's wrong in your case.

Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

-----Original Message-----
From: M K <mohammed.khallaf at gmail.com> 
Sent: Thursday, 18 August 2022 6:20
To: ngtech1ltd at gmail.com
Cc: squid-users at lists.squid-cache.org; Rafael Akchurin <rafael.akchurin at diladele.com>
Subject: Re: [squid-users] Squid 4.8+ intercept

Hello Eliezer,

I finally got my setup to work; turned out to be intercepted clients
running into default nat, while my test squid server did not allow
them access, not even through iptables!

Now, I have one last bit to handle, which you did not cover in your
video. I'm using 3 ports for squid like Rafael's guide: one for normal
CONNECT, one for intercepted plain HTTP on 80, and one for intercepted
HTTPs on 443.

The setup works awesome for TLS addresses (i.e https://), but browser
redirection from Plain to TLS, say from http://cnn.com to
https://cnn.com, fails to happen. It just waits, then times out.
What could be done to make it happen?

All best,
K


On Sat, Aug 13, 2022 at 7:57 PM <ngtech1ltd at gmail.com> wrote:
>
> Hey K,
>
>
>
> What RouterOS version are you using?
>
> Also, what rules have you applied?
>
> If there is a very long delay and then a failure you should verify that the rules you wrote are proper to your environment.
>
> You should route packets based on connection marks and mark only new connections from LAN IP addresses and only on the LAN interface.
>
> As I showed in the demo video it’s very simple to implement.
>
>
>
> Let me know if you are still having issues.
>
>
>
> Eliezer
>
>
>
> ----
>
> Eliezer Croitoru
>
> NgTech, Tech Support
>
> Mobile: +972-5-28704261
>
> Email: ngtech1ltd at gmail.com
>
> Web: https://ngtech.co.il/
>
> My-Tube: https://tube.ngtech.co.il/
>
>
>
> From: M K <mohammed.khallaf at gmail.com>
> Sent: Saturday, 13 August 2022 10:59
> To: ngtech1ltd at gmail.com
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid 4.8+ intercept
>
>
>
> Thank you for your quick reply. The text-drawing actually changed with different font; the squid server is effectively connected to MikroTik router, not the same physical link as the client.
>
>
>
> The MikroTik router sits between the client and squid server.
>
>
>
> That said, I can confirm that the MikroTik router is effectively able to route/DNat client packets going to ports 80 and 443 to squid server. Depending on router rules be it route or dnat, the client browser effectively displays the error page of squid, or goes into a very long delay then failure.
>
>
>
> I will retry and let you know.
>
>
>
> K
>
> On Wed, Aug 10, 2022, 10:08 <ngtech1ltd at gmail.com> wrote:
>
> Hey K,
>
>
>
> I am not sure about the network topology.
>
> Preferably the Squid should reside on another network than the clients if it’s intercepting the traffic.
>
> Also, I assume it’s not a TPROXY setup so it should be pretty simple and straightforward.
>
>
>
> I understand why you are asking this question.
>
> Also take into account that Mikrotik is now on 7.4 firmware and it’s recommended to use this one.
>
> If you are using any other version let me know so I can try to make sense of the differences.
>
> I will try to give a DEMO for such a setup and how to make it work.
>
>
>
> Eliezer
>
>
>
> ----
>
> Eliezer Croitoru
>
> NgTech, Tech Support
>
> Mobile: +972-5-28704261
>
> Email: ngtech1ltd at gmail.com
>
> Web: https://ngtech.co.il/
>
> My-Tube: https://tube.ngtech.co.il/
>
>
>
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of M K
> Sent: Tuesday, 9 August 2022 22:29
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Squid 4.8+ intercept
>
>
>
> Hello,
>
>
>
> I have a setup like this one:
>
>
> | Client | =====> | Router | =====> Internet
>                      ||
>                      \/
>                   | Squid |
>
>
>
> ...the router is a Mikrotik router capable of all things NAT/Redirect and whatnot. Squid server has only one network interface.
>
> Using the router:
>
> - I tried routing traffic to squid server IP.
>
> - I tried destination-NATing from client to server IP, with origin server IP-and-port natted to squid IP-and-port, and with origin server IP-only natted to squid-IP.
>
>
>
> I have been struggling for 2 days to set up a working Squid 4.8 or higher interception.
>
> Test server is running Ubuntu 18.4.3 and Squid 4.8.
>
> Documentation is either too trimmed or extremely outdated.
>
> Any help would be very much appreciated.
>
>
>
> All best,
>
> K
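The three-port layout K describes (one explicit/CONNECT port, one intercepted port-80 listener, one intercepted port-443 listener) and Eliezer's point that the only real difference between the 80 and 443 ports is the ssl-bump settings can be checked mechanically. The following Python linter is an added example, not code from this thread or from the Squid project: it parses the `http_port`, `https_port`, `ssl_bump` and `sslcrtd_program` lines of a squid.conf and reports when the layout is inconsistent (no forward port, no intercept port, an intercepted `https_port` without `ssl-bump` or a certificate, `generate-host-certificates=on` without a certificate generator). The embedded sample configuration is constructed for the example; its port numbers and file paths are placeholders, not values from the thread.

```python
"""Lint the three-port Squid interception layout discussed in the thread.

Added example; not code from the thread or the Squid project. It assumes the
layout the thread describes: a plain forward-proxy port that browsers send
CONNECT to, an `http_port ... intercept` for redirected port-80 traffic and an
`https_port ... intercept ssl-bump` for redirected port-443 traffic.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PortLine:
    directive: str                     # "http_port" or "https_port"
    port: int
    options: List[str] = field(default_factory=list)

    def has(self, name: str) -> bool:
        return name in self.options

    def has_prefix(self, *prefixes: str) -> bool:
        return any(o.startswith(prefixes) for o in self.options)


@dataclass
class SquidConf:
    ports: List[PortLine] = field(default_factory=list)
    ssl_bump_rules: int = 0            # number of ssl_bump lines seen
    has_sslcrtd: bool = False          # sslcrtd_program present


def parse_conf(text: str) -> SquidConf:
    """Parse only the directives the layout check needs; ignore everything else."""
    conf = SquidConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        name = parts[0]
        if name in ("http_port", "https_port") and len(parts) >= 2:
            # Address forms Squid accepts: "3128", "10.0.0.5:3129", "[::1]:3130"
            port = int(parts[1].rsplit(":", 1)[-1])
            conf.ports.append(PortLine(name, port, parts[2:]))
        elif name == "ssl_bump":
            conf.ssl_bump_rules += 1
        elif name == "sslcrtd_program":
            conf.has_sslcrtd = True
    return conf


def check_layout(conf: SquidConf) -> List[str]:
    """Return findings; an empty list means the three-port layout is consistent."""
    findings: List[str] = []
    intercepting = [p for p in conf.ports if p.has("intercept") or p.has("tproxy")]
    forward = [p for p in conf.ports if not (p.has("intercept") or p.has("tproxy"))]
    http_icpt = [p for p in intercepting if p.directive == "http_port"]
    https_icpt = [p for p in intercepting if p.directive == "https_port"]

    if not forward:
        findings.append("no plain forward-proxy port for explicit/CONNECT clients")
    if not http_icpt:
        findings.append("no 'http_port ... intercept' for redirected port-80 traffic")
    if not https_icpt:
        findings.append("no 'https_port ... intercept' for redirected port-443 traffic")

    for p in https_icpt:
        if not p.has("ssl-bump"):
            findings.append(f"https_port {p.port}: intercepted TLS port lacks ssl-bump")
        if not p.has_prefix("cert=", "tls-cert="):
            findings.append(f"https_port {p.port}: no cert=/tls-cert= for signing generated certificates")
        if p.has("generate-host-certificates=on") and not conf.has_sslcrtd:
            findings.append(f"https_port {p.port}: generate-host-certificates=on but no sslcrtd_program")

    if any(p.has("ssl-bump") for p in conf.ports) and conf.ssl_bump_rules == 0:
        findings.append("ssl-bump enabled on a port but no ssl_bump rules defined")

    seen = set()
    for p in conf.ports:
        if p.port in seen:
            findings.append(f"port {p.port} is listed more than once")
        seen.add(p.port)
    return findings


# Constructed sample configuration (placeholder ports and paths).
GOOD_CONF = """\
http_port 3128                      # explicit proxy / CONNECT port
http_port 3129 intercept            # router-redirected port 80
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""

# Same layout with ssl-bump dropped from the intercepted 443 listener.
BAD_CONF = GOOD_CONF.replace("intercept ssl-bump cert=", "intercept cert=")


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        findings = check_layout(parse_conf(text))
        print(label, "->", findings or "layout consistent")
```

Run it against a real squid.conf by reading the file into `parse_conf`; the check is deliberately narrow (it does not validate the ACLs or the iptables/MikroTik side) and only tells you whether the three listeners carry the mode flags the thread's layout needs.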


