[squid-users] R: R: Problem with Squid 3.4 and transparent SSL proxy

Job Job at colliniconsulting.it
Wed Nov 12 08:55:47 UTC 2014


Thank you Amos, for everything.

I route with REDIRECT all outgoing connections to port tcp/443 from my LAN:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130

In Squid, I have this configuration:

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH

Do you think my iptables rule is wrong?

Thank you!
Francesco


________________________________________
From: Amos Jeffries [squid3 at treenet.co.nz]
Sent: Wednesday, 12 November 2014 4:25
To: Job; squid-users at lists.squid-cache.org
Subject: Re: R: [squid-users] Problem with Squid 3.4 and transparent SSL proxy


On 12/11/2014 5:40 a.m., Job wrote:
>> That means in your case avoid directly connecting to the
>> intercepting port. Connect to port 80/443 on some Internet server
>> instead and see if the packets are properly delivered through Squid.
>> Also, avoid telnet for the 443 tests. Use an HTTPS client.
>
> Hello Amos and thank you, first of all.
>
> I started Squid in debug mode and now I see this:
>
> 2014/11/11 17:40:17| ERROR: NF getsockopt(ORIGINAL_DST) failed on
> local=192.168.10.254:3130 remote=192.168.10.109:52024 FD 12
> flags=33: (92) Protocol not available
>

That means that the NAT system has no record of the transaction being
intercepted.

This is the kind of error which shows up when you deliver traffic directly
from client 192.168.10.109 to an "http_port 3130 intercept" port on
Squid without going through NAT on the Squid box.


> 192.168.10.254 is the LAN firewall gateway; 192.168.10.109 is the
> workstation where I am trying to surf on port 443.
>
> When redirecting port 443 to the Squid https_port, errors appear.

Details are critical. Please feel free to flood us with details. Some
of them will be important and we don't know which until we have them.
It is very hard to help in any useful way without lots of details
about what you are doing *exactly*, what's happening *exactly*, and
what's wrong with what is happening.

Amos

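Added example, not code from this thread or from Squid itself: what the "NF getsockopt(ORIGINAL_DST)" step Squid performs on an accepted intercept-port connection looks like in Python, plus a parser for the cache.log line quoted above and a reading of its errno. The SO_ORIGINAL_DST value and the errno meanings are assumptions taken from Linux netfilter; the sample line is the thread's own error, re-joined onto one line.

```python
import errno
import re
import socket
import struct

SO_ORIGINAL_DST = 80  # linux/netfilter_ipv4.h: the getsockopt Squid's NF lookup issues

# The error line from this thread, re-joined onto one line as Squid writes it.
SAMPLE_LINE = ("2014/11/11 17:40:17| ERROR: NF getsockopt(ORIGINAL_DST) failed on "
               "local=192.168.10.254:3130 remote=192.168.10.109:52024 FD 12 "
               "flags=33: (92) Protocol not available")

LOG_RE = re.compile(
    r"NF getsockopt\(ORIGINAL_DST\) failed on "
    r"local=(?P<lip>[^:\s]+):(?P<lport>\d+) remote=(?P<rip>[^:\s]+):(?P<rport>\d+) "
    r"FD (?P<fd>\d+) flags=\d+: \((?P<errno>\d+)\)")

def parse_nf_error(line):
    """Return local/remote endpoints, FD and errno of a Squid NF error line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"local": (d["lip"], int(d["lport"])), "remote": (d["rip"], int(d["rport"])),
            "fd": int(d["fd"]), "errno": int(d["errno"])}

def explain_errno(code):
    """What the errno says about the NAT lookup (assumes stock Linux netfilter semantics)."""
    if code == errno.ENOPROTOOPT:  # 92, the value in this thread
        return "kernel has no SO_ORIGINAL_DST answer for this socket: no NAT record for it"
    if code == errno.ENOENT:
        return "conntrack holds no NAT entry for this flow: client hit the port without REDIRECT"
    return "unexpected errno %d from SO_ORIGINAL_DST" % code

def decode_sockaddr_in(raw):
    """Unpack the sockaddr_in the kernel returns for SO_ORIGINAL_DST into (ip, port)."""
    family = struct.unpack("=H", raw[:2])[0]      # sin_family is in host byte order
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr")
    port, addr = struct.unpack("!H4s", raw[2:8])  # sin_port and sin_addr are network order
    return socket.inet_ntoa(addr), port

def original_dst(conn):
    """Ask the kernel where an intercepted client was really going, as Squid does."""
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError as e:
        raise RuntimeError(explain_errno(e.errno)) from e
    return decode_sockaddr_in(raw)
```

Calling original_dst() on a socket accepted from a connection that was REDIRECTed by the NAT table on the same host returns the client's intended destination; on a connection that reached the port directly it raises with the same errno Squid logs.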

