[squid-users] Transparent Mode w/ Peek and Splice trouble

Amos Jeffries squid3 at treenet.co.nz
Wed May 18 16:46:04 UTC 2016


On 19/05/2016 2:14 a.m., se at kpa.gr wrote:
> Hello!
> 
> I am currently setting up a squid server, which should serve as a
> transparent proxy in our network.
> 
> We mainly need it to do the following:
> Allow and Block Domains on HTTP and HTTPS protocol (withOUT bumping the
> traffic). We only want to allow domain names on the SSL port, no URLs.
> 
> It actually works fine for HTTP, but I can't configure the "peek and
> splice" method for the HTTPS traffic.
> 
> I have come to a point, where HTTP access is being filtered exactly as I
> wanted to, but the following odd error occurs when visiting HTTPS sites:
> 
> When using "https_port 10.0.0.222:3130 cert=/root/cert.pem
> key=/root/key.pem ssl-bump intercept"
> I get an Access Denied Error for any Website I try to access, which
> occurred while "trying to retrieve the URL: 10.0.0.222:3130"!
> 

It appears you are not doing NAT on the Squid machine. That is mandatory
for interception.


> If I configure the https_port option with "accel vhost allow-direct"
> like the http_port, the allowed Pages work fine but with squid's
> certificate.

'accel' mode is very much *not* transparent, nor equivalent to intercept
mode.

Using 'accel' mode tells Squid *it* is supposed to be the public origin
server for the received web request. The behaviour differences are not
very visible in plain-text HTTP - though there are some. In TLS the
differences are very much visible in the way the certificates are used.
Which you are now seeing.

> 
> Somewhere the Squid seems to redirect its actual https traffic back to
> itself when using the "intercept" option and that is why I cannot use
> the splice method.

'intercept' mode tells Squid to look up the NAT details and obey the
requirements of acting "transparent" with regards to traffic delivery.
Delivering it to the same place it was originally going to when it
entered the machine.

If you are doing NAT external to the Squid machine it is your NAT setup
which is causing the problem. Not Squid.


Your message reads to me like Squid is behaving correctly for the modes
of operation you configured it to follow.

You need to fix the NAT setup. Route or tunnel the traffic to the Squid
machine and do the NAT there. Then intercept and SSL-Bump will start
working, for both http_port and https_port.

Amos
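As an added illustration of the setup Amos describes (NAT on the Squid host itself, 'intercept' rather than 'accel', and peek-and-splice on the TLS server name without decrypting), the script below is example material and not part of the thread or the Squid project. It reuses the 10.0.0.222:3130 https_port and the /root/cert.pem and /root/key.pem paths from the question; the plain-HTTP port 3129, the interface name eth0 and the `.example.com` allow-list are assumptions. The functions emit the squid.conf fragment and the iptables rules as text so they can be reviewed before being applied, and a check confirms the two properties the thread turns on: the port is in intercept mode and the peek rule precedes the splice rule.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Squid.
# Values reused from the thread: 10.0.0.222, port 3130, /root/cert.pem, /root/key.pem.
# Assumed values: HTTP intercept port 3129, LAN interface eth0, allow-list .example.com.

SQUID_HOST_IP="10.0.0.222"
HTTP_PORT=3129
HTTPS_PORT=3130
LAN_IF="eth0"
ALLOWED_DOMAINS=".example.com"

# squid.conf fragment: both ports run in 'intercept' mode (never 'accel').
# Step 1 only peeks at the ClientHello to learn the SNI; allow-listed server
# names are then spliced (passed through untouched) and everything else is
# terminated, so no client traffic is ever decrypted.
squid_conf_fragment() {
cat <<EOF
http_port ${SQUID_HOST_IP}:${HTTP_PORT} intercept
https_port ${SQUID_HOST_IP}:${HTTPS_PORT} intercept ssl-bump cert=/root/cert.pem key=/root/key.pem

acl allowed_sites ssl::server_name ${ALLOWED_DOMAINS}
acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump splice allowed_sites
ssl_bump terminate all
EOF
}

# NAT rules for THIS host. They live in PREROUTING on the LAN-facing interface
# only, so the traffic Squid itself originates (which traverses OUTPUT, not
# PREROUTING) is never redirected back into Squid.
nat_rules() {
cat <<EOF
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -j REDIRECT --to-port ${HTTP_PORT}
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 443 -j REDIRECT --to-port ${HTTPS_PORT}
EOF
}

# Sanity check on the generated fragment: https_port must be 'intercept',
# 'accel' must not appear, and the peek rule must come before the splice rule
# (otherwise the SNI is not known when the splice decision is made).
check_fragment() {
    frag=$(squid_conf_fragment)
    echo "$frag" | grep -q 'https_port .* intercept' || return 1
    if echo "$frag" | grep -q 'accel'; then return 1; fi
    peek_line=$(echo "$frag" | grep -n 'ssl_bump peek' | cut -d: -f1)
    splice_line=$(echo "$frag" | grep -n 'ssl_bump splice' | cut -d: -f1)
    [ -n "$peek_line" ] && [ -n "$splice_line" ] && [ "$peek_line" -lt "$splice_line" ]
}

# Stand-alone run: print both pieces for review.
if [ "${1:-}" = "show" ]; then
    squid_conf_fragment
    echo
    nat_rules
fi
```

Run as `sh setup.sh show` to print the fragment and the rules; apply the rules only after the routing or tunnel that brings LAN traffic to this host is in place, since with NAT done elsewhere Squid has no NAT table to look up and falls back to the behaviour seen in the question.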
