[squid-users] Behind enemy lines (squid behind proxy)
doc.holliday at usa.com
Thu Nov 6 01:43:12 UTC 2014
[plain text version; sorry for the inconvenience]
I've searched through the internets and tried various things... to no avail. Hopefully someone here can point me in the right direction.
I am sitting behind a proxy, which accepts http/https. Everything else is blocked. If I instruct my browser to use this proxy,
everything works dandy. Both http and https.
The problem is, I have a few apps that don't have an option to set proxy. So, my idea was to set up squid on the local machine
that would transparently redirect http/https to the proxy. E.g. something like this:
[ local_box: app (http or https) ---> squid ] -----> [ the_proxy ] -----> ... -----> [ internets ]
I have no control of the proxy, nor do I know what goes on after it.
I have the following iptables rules:
*nat
:PREROUTING ACCEPT [1:89]
:INPUT ACCEPT [1:89]
:OUTPUT ACCEPT [549:34321]
:POSTROUTING ACCEPT [624:38821]
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
COMMIT
And my squid.conf is mostly garden variety:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache deny all
cache_peer proxy parent 3128 0 no-query no-digest default
never_direct allow all
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/ssl/squid/cert.pem key=/etc/ssl/squid/key.pem
I've generated the certs and ran ssl_crtd to init ssl db dirs.
To verify squid is working, I've changed my browser proxy settings to 127.0.0.1:3128 for http and https.
Everything works like a charm.
This is where the "fun" begins:
==========
Without the proxy settings http also works just fine -- in both the browser and wget command. Https on the other hand is fubar.
In the browser I get "Unsupported Request Method and Protocol" error (after accepting the "invalid" certificate).
With wget I get:
local_box [~] wget https://google.com --no-check-certificate
--2014-11-05 20:21:12-- https://google.com/
Resolving google.com... 74.125.196.138, 74.125.196.139, 74.125.196.101, ...
Connecting to google.com|74.125.196.138|:443... connected.
WARNING: cannot verify google.com's certificate, issued by ‘/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd’:
Self-signed certificate encountered.
WARNING: certificate common name ‘’ doesn't match requested host name ‘google.com’.
HTTP request sent, awaiting response... 501 Not Implemented
2014-11-05 20:21:12 ERROR 501: Not Implemented.
access.log says:
1415236731.852 19 10.0.0.13 TCP_MISS/501 4255 GET https://www.google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html
==========
If I add 'ssl_bump server-first all' to squid.conf, whenever I try to pull up an https page it barfs with:
2014/11/05 20:22:28| assertion failed: forward.cc:785: "peer->use_ssl"
Aborted
==========
If I change it to 'ssl_bump client-first all', I get "Unable to forward this request at this time" in the browser.
And wget says:
local_box [~] wget https://google.com --no-check-certificate
--2014-11-05 20:26:53-- https://google.com/
Resolving google.com... 74.125.196.101, 74.125.196.100, 74.125.196.139, ...
Connecting to google.com|74.125.196.101|:443... connected.
WARNING: cannot verify google.com's certificate, issued by ‘/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd’:
Self-signed certificate encountered.
WARNING: certificate common name ‘74.125.196.101’ doesn't match requested host name ‘google.com’.
HTTP request sent, awaiting response... 503 Service Unavailable
2014-11-05 20:26:53 ERROR 503: Service Unavailable.
access.log says:
1415237271.133 0 10.0.0.13 TCP_MISS/503 3840 GET https://google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html
==========
And so after endless searching and searching and trying various things I came here. Could you please help me figure out why it is not working?
Thank you.
-D
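As an added example (not part of the original post), a small Python parser for Squid's native access.log format that picks out the pattern visible in the two quoted log lines: a decrypted (bumped) HTTPS request logged as a plain GET with an https:// URL, relayed to a parent peer (FIRSTUP_PARENT) and answered with a 5xx. The first two sample lines are copies of the post's log lines; the third, a normal CONNECT tunnel via the parent, is constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Squid native access.log layout (whitespace separated):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed input: the two access.log lines quoted in the post, plus one
# ordinary CONNECT tunnel through the same parent for comparison.
SAMPLE_LOG = [
    "1415236731.852 19 10.0.0.13 TCP_MISS/501 4255 GET https://www.google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html",
    "1415237271.133 0 10.0.0.13 TCP_MISS/503 3840 GET https://google.com/ - FIRSTUP_PARENT/10.64.252.14 text/html",
    "1415237300.001 120 10.0.0.13 TCP_MISS/200 5120 CONNECT google.com:443 - FIRSTUP_PARENT/10.64.252.14 -",
]

@dataclass
class Entry:
    ts: float
    status: int
    method: str
    url: str
    hier: str
    peer: str

def parse(line: str) -> Optional[Entry]:
    """Return the fields we care about, or None for a line that is not native format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), int(m["status"]), m["method"], m["url"], m["hier"], m["peer"])

def classify(line: str) -> str:
    """A non-CONNECT method with an https:// URL means Squid decrypted the
    connection and forwarded the plain request; when that went to a parent
    (FIRSTUP_PARENT) and the parent answered 5xx, it is the failure in the post."""
    e = parse(line)
    if e is None:
        return "unparsed"
    if e.method == "CONNECT":
        return "tunnel-via-parent" if e.hier == "FIRSTUP_PARENT" else "tunnel-direct"
    if e.url.startswith("https://") and e.hier == "FIRSTUP_PARENT" and e.status >= 500:
        return "bumped-https-to-parent-failed"
    return "ok"

def summarize(lines) -> dict:
    """Count lines per classification, e.g. over a whole access.log."""
    counts: dict = {}
    for line in lines:
        key = classify(line)
        counts[key] = counts.get(key, 0) + 1
    return counts
```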