[squid-users] problem in configuring squid
Amos Jeffries
squid3 at treenet.co.nz
Wed Oct 5 01:02:59 UTC 2016
On 5/10/2016 4:42 a.m., Shark wrote:
> Sorry for my bad english,
>
> I want to make a anonymous https & http proxy that pass through any
> requests without decrypting or change them,
> only change ip address from client ip to my server ip address and define ip
> address of my websites that i want to access them from my client in
> /etc/hosts,
> so i try to install squid on my server and i have good experience when i
> set proxy in client with server ip and port 3128 and i can access http &
> https behind this proxy,
By configuring your client with details about the proxy you have
configured a forward (aka explicit) proxy.
That is the best type to have when you can. Because it lets you use the
full capabilities of proxying in HTTP.
However, it also means that the clients do not use DNS nor /etc/hosts
file. The proxy is what does DNS lookups about where to send the traffic
the client(s) ask it to fetch.
> but when i try to using /etc/hosts i cannot access to https websites.
HTTPS is designed to prevent people playing around with the traffic. The
'S' means *secure(d)* - for a good reason.
> i try
> to install squid lot of time with any install instructions that i found
> from googling.
> I have server with CentOS 7 with one valid internet ip address.
>
> For more explain of what i want to do, i need my squid to work like this ip
> 173.161.0.227
> When i add *173.161.0.227 www.iplocation.net <http://www.iplocation.net>* to
> my client /etc/hosts
> I can browse https://www.iplocation.net that tell me my client ip address
> is 173.161.0.227
> I want do my proxy server same as 173.161.0.227
>
>From what you have said so far it is clear the domain names you plan to
use this for are owned by somebody who is not you.
> *My problem is now with below config is:*
>
> when i define *216.55.x.x www.iplocation.net <http://www.iplocation.net>* to
> /etc/hosts in my client i cannot access to https://www.iplocation.net and
> hang on connecting and then give me timeout error,
> I`m appreciate for help me to resolve this problem.
> I ask it before in
> http://serverfault.com/questions/805413/squid-with-iptables-bypass-https
> but i cannot resolve it
When you are not the owner of that domain name; ..
That means you do not own the secret encryption key that HTTPS
associates with that domain name.
That means you cannot setup your proxy to perform encryption/decryption
of traffic when acting as a web server for it.
The only options you have for HTTPS are:
1) to use the proxy as a proper forward/explicit proxy the normal way
HTTP does that.
Or
2) to forget the idea of setting your own IP as web server and use MITM
interception of the clients normal port 443 traffic with SSL-Bump
feature enabled in your Squid.
>
> *My Iptables config is:*
>
> iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
>
That is okay. It is the (2) option mentioned above.
Be aware that it is incompatible with the idea of setting /etc/hosts IP
address for the domain as a way to get it to the proxy.
This iptables rules is the way to catch client traffic already on its
way to the *real* domain server(s) and send it through the proxy instead.
It is a bit nasty to work with, but still way better than MITM through
/etc/hosts entries.
> *My squid config is:*
>
<snip>
>
> http_port 3128
Okay. This port will accept traffic from the above option (1) setups.
> http_port 80
No.
> http_port 0.0.0.0:3129 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> https_port 0.0.0.0:3130 ssl-bump intercept
> cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
>
Okay. These ports will accept traffic for the above option (2) setups.
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
>
Those are wrong for any installation. Even testing ones. You need to see
the errors to even start to find solutions.
Amos
More information about the squid-users
mailing list