<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 27 February 2017 at 08:41, Test User <span dir="ltr"><<a href="mailto:tuser6485@gmail.com" target="_blank">tuser6485@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, Feb 27, 2017 at 2:53 AM, Eliezer Croitoru <<a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a>> wrote:<br>
> Let me know if you need some help..<br>
<span class="">><br>
> Eliezer<br>
><br>
> ----<br>
> Eliezer Croitoru<br>
> Linux System Administrator<br>
> Mobile: +972-5-28704261<br>
> Email: <a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a><br>
><br>
><br>
> -----Original Message-----<br>
</span><div><div class="h5">> From: squid-users [mailto:<a href="mailto:squid-users-bounces@lists.squid-cache.org">squid-users-bounces@<wbr>lists.squid-cache.org</a>] On Behalf Of Eliezer Croitoru<br>
> Sent: Sunday, February 26, 2017 8:51 PM<br>
> To: 'Test User' <<a href="mailto:tuser6485@gmail.com">tuser6485@gmail.com</a>><br>
> Cc: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
> Subject: Re: [squid-users] SSL-Bump: NAT/TPROXY lookup failed to locate original IPs<br>
><br>
> Hey Michael,<br>
><br>
> The details you attached explained pretty well the cause for the issues you have described.<br>
> What you will need to do in order to make this setup work can be done in more than one way.<br>
> For a sysadmin the simplest way is to create a VPN or some kind of a tunnel between the AWS instance and the local router.<br>
> I am almost sure that you can use haproxy to do a local tproxy or interception that will forward the traffic to the remote squid with the PROXY protocol, keeping the original source and original destination visible to the remote squid.<br>
><br>
> The choice will depend on both:<br>
> - your skills and will to dig for some time into a couple of subjects<br>
> - The availability of static IP addresses (both local and AWS).<br>
> - The OS on both sides<br>
><br>
> I believe that the next haproxy settings can be used as a compromise to a tunnel:<br>
> <a href="http://ngtech.co.il/paste/1605/" rel="noreferrer" target="_blank">http://ngtech.co.il/paste/<wbr>1605/</a><br>
> And some tproxy route and iptables rules...<br>
> With a squid.conf which will be similar to:<br>
> acl frontend src 100.0.0.1<br>
> proxy_protocol_access allow frontend<br>
> http_port 3127<br>
> http_port 3128 require-proxy-header ... ssl-bump settings<br>
> ##END of example<br>
><br>
> However I do still believe that the more secure way would be to use some kind of VPN tunnel like OpenVPN between the local router and the remote AWS instance.<br>
><br>
> All The Bests,<br>
> Eliezer<br>
><br>
><br>
><br>
> -----Original Message-----<br>
> From: Test User [mailto:<a href="mailto:tuser6485@gmail.com">tuser6485@gmail.com</a>]<br>
> Sent: Sunday, February 26, 2017 8:38 AM<br>
> To: Eliezer Croitoru <<a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a>><br>
> Cc: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
> Subject: Re: [squid-users] SSL-Bump: NAT/TPROXY lookup failed to locate original IPs<br>
><br>
> On Sun, Feb 26, 2017 at 10:40 AM, Eliezer Croitoru <<a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a>> wrote:<br>
>> Hey Michael,<br>
>><br>
>> You will need to clear up a couple of things for us.<br>
>> First we will need one of the next outputs or both:<br>
>> iptables-save<br>
>> iptables -L -nv<br>
>><br>
>> And then clear up where this proxy sits and the network structure.<br>
>> It's not clear if the squid box is the router or a machine somewhere on AWS.<br>
>> If you wish to pass traffic from a local router to one on AWS you will need to create a tunnel, e.g. using OpenVPN or a similar solution, and to use some routing rules to pass the traffic from the local LAN to AWS without removing the original destination address.<br>
>><br>
>> When more details on the setup are available it will be much simpler to understand the root of some of the issues you are having.<br>
>><br>
>> All The Bests,<br>
>> Eliezer<br>
>><br>
>><br>
>><br>
>> -----Original Message-----<br>
>> From: squid-users [mailto:<a href="mailto:squid-users-bounces@lists.squid-cache.org">squid-users-bounces@<wbr>lists.squid-cache.org</a>] On Behalf Of Test User<br>
>> Sent: Friday, February 24, 2017 8:52 AM<br>
>> To: <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
>> Subject: [squid-users] SSL-Bump: NAT/TPROXY lookup failed to locate original IPs<br>
>><br>
>> Hi,<br>
>> Sorry I am asking this question again. I am trying to set up an HTTPS<br>
>> proxy using ssl-bump. I have followed the<br>
>> steps mentioned in:<br>
>> <a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/<wbr>ConfigExamples/Intercept/<wbr>SslBumpExplicit</a><br>
>><br>
>> Following are Squid setup details:<br>
>><br>
>> Squid Cache: Version 3.5.12<br>
>> Service Name: squid<br>
>> Ubuntu linux<br>
>><br>
>> configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'<br>
>> '--includedir=${prefix}/<wbr>include' '--mandir=${prefix}/share/man'<br>
>> '--infodir=${prefix}/share/<wbr>info' '--sysconfdir=/etc'<br>
>> '--localstatedir=/var' '--libexecdir=${prefix}/lib/<wbr>squid3'<br>
>> '--srcdir=.' '--disable-maintainer-mode'<br>
>> '--disable-dependency-<wbr>tracking' '--disable-silent-rules'<br>
>> 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat<br>
>> -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie<br>
>> -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid'<br>
>> '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid'<br>
>> '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native'<br>
>> '--enable-async-io=8' '--enable-storeio=ufs,aufs,<wbr>diskd,rock'<br>
>> '--enable-removal-policies=<wbr>lru,heap' '--enable-delay-pools'<br>
>> '--enable-cache-digests' '--enable-icap-client'<br>
>> '--enable-follow-x-forwarded-<wbr>for'<br>
>> '--enable-auth-basic=DB,fake,<wbr>getpwnam,LDAP,NCSA,NIS,PAM,<wbr>POP3,RADIUS,SASL,SMB'<br>
>> '--enable-auth-digest=file,<wbr>LDAP'<br>
>> '--enable-auth-negotiate=<wbr>kerberos,wrapper'<br>
>> '--enable-auth-ntlm=fake,smb_<wbr>lm'<br>
>> '--enable-external-acl-<wbr>helpers=file_userip,kerberos_<wbr>ldap_group,LDAP_group,session,<wbr>SQL_session,unix_group,wbinfo_<wbr>group'<br>
>> '--enable-url-rewrite-helpers=<wbr>fake' '--enable-eui' '--enable-esi'<br>
>> '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--with-openssl'<br>
>> '--enable-ssl-crtd' '--disable-translation'<br>
>> '--with-swapdir=/var/spool/<wbr>squid' '--with-logdir=/var/log/squid'<br>
>> '--with-pidfile=/var/run/<wbr>squid.pid' '--with-filedescriptors=65536'<br>
>> '--with-large-files' '--with-default-user=proxy'<br>
>> '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter'<br>
>> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE<br>
>> -fstack-protector-strong -Wformat -Werror=format-security -Wall'<br>
>> 'LDFLAGS=-Wl,-Bsymbolic-<wbr>functions -fPIE -pie -Wl,-z,relro -Wl,-z,now'<br>
>> 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE<br>
>> -fstack-protector-strong -Wformat -Werror=format-security'<br>
>><br>
>><br>
>> Following is my squid.conf file:<br>
>><br>
>> acl SSL_ports port 443<br>
>> acl Safe_ports port 80 # http<br>
>> acl Safe_ports port 21 # ftp<br>
>> acl Safe_ports port 443 # https<br>
>> acl Safe_ports port 70 # gopher<br>
>> acl Safe_ports port 210 # wais<br>
>> acl Safe_ports port 1025-65535 # unregistered ports<br>
>> acl Safe_ports port 280 # http-mgmt<br>
>> acl Safe_ports port 488 # gss-http<br>
>> acl Safe_ports port 591 # filemaker<br>
>> acl Safe_ports port 777 # multiling http<br>
>> acl CONNECT method CONNECT<br>
>> acl step1 at_step SslBump1<br>
>> http_access deny !Safe_ports<br>
>> http_access deny CONNECT !SSL_ports<br>
>> http_access allow localhost manager<br>
>> http_access deny manager<br>
>> http_access allow localhost<br>
>> http_access allow all<br>
>> http_port 3128 ssl-bump \<br>
>> cert=/etc/squid/ssl_cert/<wbr>squidCA.pem \<br>
>> generate-host-certificates=on dynamic_cert_mem_cache_size=<wbr>4MB<br>
>> https_port 3129 intercept ssl-bump generate-host-certificates=on \<br>
>> dynamic_cert_mem_cache_size=<wbr>4MB cert=/etc/squid/ssl_cert/<wbr>squidCA.pem \<br>
>> dhparams=/etc/squid/ssl_cert/<wbr>dhparam.pem<br>
>> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_<wbr>USE<br>
>> sslproxy_cipher<br>
>> EECDH+ECDSA+AESGCM:EECDH+aRSA+<wbr>AESGCM:EECDH+ECDSA+SHA384:<wbr>EECDH+ECDSA+SHA256:EECDH+aRSA+<wbr>SHA384:EECDH+aRSA+SHA256:<wbr>EECDH+aRSA+RC4:EECDH:EDH+aRSA:<wbr>!RC4:!aNULL:!eNULL:!LOW:!3DES:<wbr>!MD5:!EXP:!PSK:!SRP:!DSS<br>
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB<br>
>> debug_options ALL,1 3,5 4,5 11,5 17,5 23,5 46,5 78,5 rotate=1<br>
>> coredump_dir /var/spool/squid<br>
>> refresh_pattern ^ftp: 1440 20% 10080<br>
>> refresh_pattern ^gopher: 1440 0% 1440<br>
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>
>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880<br>
>> refresh_pattern . 0 20% 4320<br>
>><br>
>><br>
>> I get no errors while starting Squid. Following are the logs when Squid starts:<br>
>><br>
>> 2017/02/23 09:59:53 kid1| Set Current Directory to /var/spool/squid<br>
>> 2017/02/23 09:59:53 kid1| Starting Squid Cache version 3.5.12 for<br>
>> x86_64-pc-linux-gnu...<br>
>> 2017/02/23 09:59:53 kid1| Service Name: squid<br>
>> 2017/02/23 09:59:53 kid1| Process ID 26236<br>
>> 2017/02/23 09:59:53 kid1| Process Roles: worker<br>
>> 2017/02/23 09:59:53 kid1| With 65535 file descriptors available<br>
>> 2017/02/23 09:59:53 kid1| Initializing IP Cache...<br>
>> 2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1525) dnsInit:<br>
>> idnsInit: attempt open DNS socket to: [::]<br>
>> 2017/02/23 09:59:53.756 kid1| 78,2| dns_internal.cc(1534) dnsInit:<br>
>> idnsInit: attempt open DNS socket to: 0.0.0.0<br>
>> 2017/02/23 09:59:53.756 kid1| DNS Socket created at [::], FD 6<br>
>> 2017/02/23 09:59:53.756 kid1| DNS Socket created at 0.0.0.0, FD 7<br>
>> 2017/02/23 09:59:53.756 kid1| Adding nameserver 172.31.0.2 from /etc/resolv.conf<br>
>> 2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(321)<br>
>> idnsAddNameserver: idnsAddNameserver: Added nameserver #0<br>
>> (<a href="http://172.31.0.2:53" rel="noreferrer" target="_blank">172.31.0.2:53</a>)<br>
>> 2017/02/23 09:59:53.756 kid1| Adding domain<br>
>> ap-south-1.compute.internal from /etc/resolv.conf<br>
>> 2017/02/23 09:59:53.756 kid1| 78,3| dns_internal.cc(350)<br>
>> idnsAddPathComponent: idnsAddPathComponent: Added domain #0:<br>
>> ap-south-1.compute.internal<br>
>> 2017/02/23 09:59:53.756 kid1| helperOpenServers: Starting 5/32<br>
>> 'ssl_crtd' processes<br>
>> 2017/02/23 09:59:53.775 kid1| 46,2| Format.cc(64) parse: got<br>
>> definition '%>a/%>A %un %>rm myip=%la myport=%lp'<br>
>> 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(380) parse: scan for<br>
>> possible Misc token<br>
>> 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(384) parse: scan for<br>
>> possible 2C token<br>
>> 2017/02/23 09:59:53.775 kid1| 46,5| Token.cc(389) parse: scan for<br>
>> possible 1C token<br>
>> 2017/02/23 09:59:53.775 kid1| Logfile: opening log<br>
>> daemon:/var/log/squid/access.<wbr>log<br>
>> 2017/02/23 09:59:53.775 kid1| Logfile Daemon: opening log<br>
>> /var/log/squid/access.log<br>
>> 2017/02/23 09:59:53.779 kid1| 23,5| url.cc(43) urlInitialize:<br>
>> urlInitialize: Initializing...<br>
>> 2017/02/23 09:59:53.779 kid1| Local cache digest enabled;<br>
>> rebuild/rewrite every 3600/3600 sec<br>
>> 2017/02/23 09:59:53.779 kid1| Store logging disabled<br>
>> 2017/02/23 09:59:53.779 kid1| Swap maxSize 0 + 262144 KB, estimated<br>
>> 20164 objects<br>
>> 2017/02/23 09:59:53.779 kid1| Target number of buckets: 1008<br>
>> 2017/02/23 09:59:53.779 kid1| Using 8192 Store buckets<br>
>> 2017/02/23 09:59:53.779 kid1| Max Mem size: 262144 KB<br>
>> 2017/02/23 09:59:53.779 kid1| Max Swap size: 0 KB<br>
>> 2017/02/23 09:59:53.779 kid1| Using Least Load store dir selection<br>
>> 2017/02/23 09:59:53.779 kid1| Set Current Directory to /var/spool/squid<br>
>> 2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse:<br>
>> Split URL '<a href="http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/image.png" rel="noreferrer" target="_blank">http://ip-172-31-25-235:3128/<wbr>squid-internal-static/icons/<wbr>silk/image.png</a>'<br>
>> into proto='http', host='ip-172-31-25-235', port='3128',<br>
>> path='/squid-internal-static/<wbr>icons/silk/image.png'<br>
>> 2017/02/23 09:59:53.785 kid1| 23,3| url.cc(357) urlParse: urlParse:<br>
>> Split URL '<a href="http://ip-172-31-25-235:3128/squid-internal-static/icons/silk/page_white_text.png" rel="noreferrer" target="_blank">http://ip-172-31-25-235:3128/<wbr>squid-internal-static/icons/<wbr>silk/page_white_text.png</a>'<br>
>> into proto='http', host='ip-172-31-25-235', port='3128',<br>
>> path='/squid-internal-static/<wbr>icons/silk/page_white_text.<wbr>png'<br>
>><br>
>> ****several urlParse logs like above. Removing them to shorten the<br>
>> email. Further logs below...****<br>
>><br>
>> 2017/02/23 09:59:53.815 kid1| Finished loading MIME types and icons.<br>
>> 2017/02/23 09:59:53.815 kid1| HTCP Disabled.<br>
>> 2017/02/23 09:59:53.815 kid1| Pinger socket opened on FD 25<br>
>> 2017/02/23 09:59:53.815 kid1| Squid plugin modules loaded: 0<br>
>> 2017/02/23 09:59:53.815 kid1| Adaptation support is off.<br>
>> 2017/02/23 09:59:53.815 kid1| Accepting SSL bumped HTTP Socket<br>
>> connections at local=[::]:3128 remote=[::] FD 22 flags=9<br>
>> 2017/02/23 09:59:53.815 kid1| Accepting NAT intercepted SSL bumped<br>
>> HTTPS Socket connections at local=[::]:3129 remote=[::] FD 23 flags=41<br>
>> 2017/02/23 09:59:53| pinger: Initialising ICMP pinger ...<br>
>> 2017/02/23 09:59:53| pinger: ICMP socket opened.<br>
>> 2017/02/23 09:59:53| pinger: ICMPv6 socket opened<br>
>> 2017/02/23 09:59:54 kid1| storeLateRelease: released 0 objects<br>
>><br>
>><br>
>><br>
>> I tested this setup by providing proxy details to Firefox. Firefox was<br>
>> able to show HTTP websites but when I tried to open an HTTPS website I<br>
>> got following error:<br>
>><br>
>> 2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on<br>
>> local=<a href="http://172.31.25.235:3129" rel="noreferrer" target="_blank">172.31.25.235:3129</a> remote=<a href="http://182.72.78.122:50655" rel="noreferrer" target="_blank">182.72.78.122:50655</a> FD 7 flags=33:<br>
>> (92) Protocol not available<br>
>> 2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate<br>
>> original IPs on local=<a href="http://172.31.25.235:3129" rel="noreferrer" target="_blank">172.31.25.235:3129</a> remote=<a href="http://182.72.78.122:50655" rel="noreferrer" target="_blank">182.72.78.122:50655</a> FD<br>
>> 7 flags=33<br>
>> 2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on<br>
>> local=<a href="http://172.31.25.235:3129" rel="noreferrer" target="_blank">172.31.25.235:3129</a> remote=<a href="http://182.72.78.122:50656" rel="noreferrer" target="_blank">182.72.78.122:50656</a> FD 7 flags=33:<br>
>> (92) Protocol not available<br>
>> 2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate<br>
>> original IPs on local=<a href="http://172.31.25.235:3129" rel="noreferrer" target="_blank">172.31.25.235:3129</a> remote=<a href="http://182.72.78.122:50656" rel="noreferrer" target="_blank">182.72.78.122:50656</a> FD<br>
>> 7 flags=33<br>
>> 2017/02/23 11:00:50 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on<br>
>> local=<a href="http://172.31.25.235:3129" rel="noreferrer" target="_blank">172.31.25.235:3129</a> remote=<a href="http://182.72.78.122:50657" rel="noreferrer" target="_blank">182.72.78.122:50657</a> FD 7 flags=33:<br>
>> (92) Protocol not available<br>
>> 2017/02/23 11:00:50 kid1| ERROR: NAT/TPROXY lookup failed to locate<br>
>> original IPs on local=<a href="http://172.31.25.235:3129" rel="noreferrer" target="_blank">172.31.25.235:3129</a> remote=<a href="http://182.72.78.122:50657" rel="noreferrer" target="_blank">182.72.78.122:50657</a> FD<br>
>> 7 flags=33<br>
>><br>
>> I googled this error and found this mail thread which had similar problems:<br>
>> <a href="http://squid-web-proxy-cache.1019090.n4.nabble.com/NAT-TPROXY-lookup-failed-to-locate-original-IPs-td4675464.html" rel="noreferrer" target="_blank">http://squid-web-proxy-cache.<wbr>1019090.n4.nabble.com/NAT-<wbr>TPROXY-lookup-failed-to-<wbr>locate-original-IPs-td4675464.<wbr>html</a><br>
>><br>
>> I found this link from the above thread. I modified the steps for<br>
>> HTTPS from the below link:<br>
>> <a href="http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat" rel="noreferrer" target="_blank">http://wiki.squid-cache.org/<wbr>ConfigExamples/Intercept/<wbr>LinuxDnat</a><br>
>><br>
>> Now my sysctl.conf is:<br>
>><br>
>> net.ipv4.conf.all.rp_filter=0<br>
>> net.ipv4.ip_forward = 1<br>
>> net.ipv4.conf.default.rp_<wbr>filter = 0<br>
>> net.ipv4.conf.default.accept_<wbr>source_route = 0<br>
>><br>
>> My iptables -t nat -L result:<br>
>><br>
>> Chain PREROUTING (policy ACCEPT)<br>
>> target prot opt source destination<br>
>> ACCEPT tcp -- <a href="http://ec2-35-154-101-8.ap-south-1.compute.amazonaws.com" rel="noreferrer" target="_blank">ec2-35-154-101-8.ap-south-1.<wbr>compute.amazonaws.com</a><br>
>> anywhere tcp dpt:https<br>
>> DNAT tcp -- anywhere anywhere tcp<br>
>> dpt:https to:<a href="http://35.154.101.8:3129" rel="noreferrer" target="_blank">35.154.101.8:3129</a><br>
>><br>
>> Chain INPUT (policy ACCEPT)<br>
>> target prot opt source destination<br>
>><br>
>> Chain OUTPUT (policy ACCEPT)<br>
>> target prot opt source destination<br>
>><br>
>> Chain POSTROUTING (policy ACCEPT)<br>
>> target prot opt source destination<br>
>> MASQUERADE all -- anywhere anywhere<br>
>><br>
>><br>
>> Once this was done, I tried to hit an HTTPS website from Firefox and now<br>
>> I get a connection timeout error. Nothing shows in syslog, access.log or<br>
>> cache.log. Could you please help me resolve this?<br>
>><br>
>> Thanks,<br>
>> Michael<br>
>> ______________________________<wbr>_________________<br>
>> squid-users mailing list<br>
>> <a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.<wbr>org</a><br>
>> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/<wbr>listinfo/squid-users</a><br>
>><br>
><br>
><br>
> Thanks for replying Eliezer. Following are the outputs you asked for:<br>
><br>
> 1. iptables-save:<br>
><br>
> # Generated by iptables-save v1.6.0 on Sun Feb 26 06:28:46 2017<br>
> *filter<br>
> :INPUT ACCEPT [171:12090]<br>
> :FORWARD ACCEPT [0:0]<br>
> :OUTPUT ACCEPT [106:15187]<br>
> COMMIT<br>
> # Completed on Sun Feb 26 06:28:46 2017<br>
> # Generated by iptables-save v1.6.0 on Sun Feb 26 06:28:46 2017<br>
> *mangle<br>
> :PREROUTING ACCEPT [89003:74850371]<br>
> :INPUT ACCEPT [88973:74849159]<br>
> :FORWARD ACCEPT [30:1212]<br>
> :OUTPUT ACCEPT [76710:51478183]<br>
> :POSTROUTING ACCEPT [76740:51479395]<br>
> -A PREROUTING -p tcp -m tcp --dport 3129 -j DROP<br>
> COMMIT<br>
> # Completed on Sun Feb 26 06:28:46 2017<br>
> # Generated by iptables-save v1.6.0 on Sun Feb 26 06:28:46 2017<br>
> *nat<br>
> :PREROUTING ACCEPT [7766:436942]<br>
> :INPUT ACCEPT [7766:436942]<br>
> :OUTPUT ACCEPT [952:102330]<br>
> :POSTROUTING ACCEPT [0:0]<br>
> -A PREROUTING -s <a href="http://35.154.101.8/32" rel="noreferrer" target="_blank">35.154.101.8/32</a> -p tcp -m tcp --dport 443 -j ACCEPT<br>
> -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination<br>
> <a href="http://35.154.101.8:3129" rel="noreferrer" target="_blank">35.154.101.8:3129</a><br>
> -A POSTROUTING -j MASQUERADE<br>
> COMMIT<br>
> # Completed on Sun Feb 26 06:28:46 2017<br>
><br>
> 2. Also pasting sudo iptables -L -nv:<br>
><br>
> Chain INPUT (policy ACCEPT 216 packets, 16058 bytes)<br>
> pkts bytes target prot opt in out source<br>
> destination<br>
><br>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br>
> pkts bytes target prot opt in out source<br>
> destination<br>
><br>
> Chain OUTPUT (policy ACCEPT 161 packets, 24629 bytes)<br>
> pkts bytes target prot opt in out source destination<br>
><br>
><br>
><br>
>> And then clear up where this proxy sits and the network structure.<br>
>> It's not clear if the squid box is the router or a machine somewhere on AWS.<br>
><br>
> [Michael] This proxy is installed on an AWS instance.<br>
><br>
>> If you wish to pass traffic from a local router to one on AWS you will need to create a tunnel, e.g. using OpenVPN or a similar solution, and to use some routing rules to pass the traffic from the local LAN to AWS without removing the original destination address.<br>
>><br>
><br>
> [Michael] Does this mean that, to make ssl-bump work, I will have to set up<br>
> a VPN server and configure the VPN clients to use this proxy via the VPN<br>
> server?<br>
><br>
><br>
> Thanks,<br>
> Michael.<br>
><br>
><br>
<br>
<br>
<br>
</div></div>Thanks for replying Eliezer. Your advice is much appreciated.<br>
<span class=""><br>
> The details you attached explained pretty well the cause for the issues you have described.<br>
> What you will need to do in order to make this setup work can be done in more than one way.<br>
> For a sysadmin the simplest way is to create a VPN or some kind of a tunnel between the AWS instance and the local router.<br>
> I am almost sure that you can use haproxy to do a local tproxy or interception that will forward the traffic to the remote squid with the PROXY protocol, keeping the original source and original destination visible to the remote squid.<br>
><br>
> The choice will depend on both:<br>
> - your skills and will to dig for some time into a couple of subjects<br>
> - The availability of static IP addresses (both local and AWS).<br>
> - The OS on both sides<br>
<br>
</span>[Michael] Actually, my original setup involves a VPN server. I wasn't<br>
using it because I wanted to set up ssl-bump with the simplest possible<br>
settings. My actual setup involves:<br>
<br>
1. strongSwan IPSec VPN server<br>
2. Squid Proxy server<br>
3. Clients will be IPSec VPN clients. I can specify the IP address and<br>
port of the HTTPS proxy server in the IPSec VPN client itself.<br>
<br>
In the setup described above, will I have to do something extra to<br>
make ssl-bump work?<br>
<div class="HOEnZb"><div class="h5"><br>
Thanks,<br>
Michael.<br></div></div></blockquote><div></div></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div>What is the benefit of ssl-bump in this scenario?</div><div class="gmail_extra"><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Best regards,<br>Odhiambo WASHINGTON,<br>Nairobi,KE<br>+254 7 3200 0004/+254 7 2274 3223<br>"<span style="font-size:12.8px">Oh, the cruft.</span><span style="font-size:12.8px">"</span></div></div></div>
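As an added illustration of the haproxy-plus-PROXY-protocol option Eliezer describes above (the `acl frontend src 100.0.0.1` / `proxy_protocol_access allow frontend` / `http_port 3128 require-proxy-header` lines), here is constructed example code, not haproxy or Squid code, showing the PROXY v1 header the frontend prepends and the receiver-side parse that only honours it from the trusted frontend address. The frontend address 100.0.0.1 comes from the quoted squid.conf; the client and origin addresses are made-up documentation-range values.

```python
"""PROXY protocol v1 between a trusted frontend (haproxy) and an intercepting
Squid. Constructed example; assumes the frontend's address is 100.0.0.1 as in
the quoted squid.conf. Only TCP4/TCP6 headers are accepted (no UNKNOWN)."""
import ipaddress
from dataclasses import dataclass

# Only this TCP peer may assert client addresses, mirroring
# `acl frontend src 100.0.0.1` + `proxy_protocol_access allow frontend`.
TRUSTED_FRONTENDS = {ipaddress.ip_address("100.0.0.1")}
MAX_V1_HEADER = 107  # longest legal v1 line per the spec, CRLF included


@dataclass(frozen=True)
class Endpoints:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def build_v1_header(ep: Endpoints) -> bytes:
    """What the frontend prepends to the forwarded TCP stream (send-proxy)."""
    fam = "TCP4" if ipaddress.ip_address(ep.src_ip).version == 4 else "TCP6"
    line = f"PROXY {fam} {ep.src_ip} {ep.dst_ip} {ep.src_port} {ep.dst_port}\r\n"
    return line.encode("ascii")


def parse_v1_header(peer_ip: str, data: bytes):
    """Receiver side (the job `require-proxy-header` gives Squid).

    Returns (endpoints, remaining_payload). Raises ValueError when the header
    is absent, malformed, oversized, or sent by an untrusted TCP peer.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_FRONTENDS:
        # Anyone else could otherwise claim arbitrary source/destination IPs.
        raise ValueError(f"PROXY header from untrusted peer {peer_ip}")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0 or not data.startswith(b"PROXY "):
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    _, fam, src, dst, sport, dport = fields
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    want = 4 if fam == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match the addresses")
    sport_i, dport_i = int(sport), int(dport)  # non-numeric -> ValueError
    if not (0 < sport_i <= 65535 and 0 < dport_i <= 65535):
        raise ValueError("port out of range")
    return Endpoints(str(src_ip), sport_i, str(dst_ip), dport_i), data[end + 2:]


def demo() -> bool:
    """Round trip: constructed client 192.0.2.10 -> origin 198.51.100.7:443."""
    original = Endpoints("192.0.2.10", 50655, "198.51.100.7", 443)
    stream = build_v1_header(original) + b"\x16\x03\x01..."  # TLS ClientHello follows
    seen, payload = parse_v1_header("100.0.0.1", stream)
    return seen == original and payload.startswith(b"\x16\x03\x01")


if __name__ == "__main__":
    print("round trip ok:", demo())
```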
</div></div>