[squid-users] questions setting up transparent proxy
John Ratliff
john at bluemarble.net
Thu Jan 4 14:34:36 UTC 2018
On 1/3/2018 9:05 PM, Amos Jeffries wrote:
> On 04/01/18 14:09, John Ratliff wrote:
>> On 1/3/2018 3:26 PM, Antony Stone wrote:
>>> On Wednesday 03 January 2018 at 21:06:42, John Ratliff wrote:
>>>
>>>> When I try to setup squid as a transparent proxy, I never get any
>>>> response from Squid.
>>>
>>>> When I try a wget request from a server that is being redirected
>>>
>>> How (and more importantly, where) are you doing the redirect?
>>>
>>>> Both machines are behind the same firewall. I used
>>>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
>>>> 10.77.9.120:3128
>>>
>>> If that firewall is not on the machine running Squid, then that's
>>> your problem.
>>>
>>>> Traffic flows to the server running squid. I can verify this with
>>>> tcpdump. The packets are making it from wget to the server. I just
>>>> don't know what happens after that.
>>>
>>> https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>>
>>> "NOTE: This configuration is given for use *on the squid box*. This
>>> is required to perform intercept accurately and securely. To intercept
>>> from a gateway machine and direct traffic at a *separate squid box*
>>> use policy routing."
>>>
>>>
>>> https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>>
>>>
>>>
>>> Antony.
>>>
>>
>> Thanks. I put squid on the firewall itself. It works for http, but not
>> for https. I get errors with curl and wget.
>>
>> $ curl https://debian.org
>> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>> protocol
>>
>> $ wget https://debian.org
>> --2018-01-03 20:02:45-- https://debian.org/
>> Resolving debian.org (debian.org)... 5.153.231.4, 128.31.0.62,
>> 130.89.148.14, ...
>> Connecting to debian.org (debian.org)|5.153.231.4|:443... connected.
>> GnuTLS: An unexpected TLS packet was received.
>> Unable to establish SSL connection.
>>
>> I made some config changes:
>>
>> http_port 3128 intercept
>> http_port 3129 intercept ssl-bump generate-host-certificates=on
>> cert=/etc/squid/squid.pem
>
> That should be:
>
> https_port 3129 intercept ssl-bump generate-host-certificates=on \
> cert=/etc/squid/squid.pem
>
> Note the 's' in https_port.
Thanks. This was the issue.
>
>
>>
>> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>
>> ssl_bump bump all
I changed it to peek and splice.
>
>
> This instructs Squid to bump before even receiving the client TLS
> handshake - ie. generate a server certificate with zero details to work
> with about what the client wants.
> That leads to a LOT of problems and security issues. Please do not do
> that.
>
> See <https://wiki.squid-cache.org/Features/SslPeekAndSplice> for better
> config examples.
>
>
>>
>> Here are my PREROUTING nat table rules.
>>
>> REDIRECT tcp -- 10.77.9.0/24 anywhere tcp dpt:http redir ports 3128
>> REDIRECT tcp -- 10.77.9.0/24 anywhere tcp dpt:https redir ports 3129
>>
>> And in the INPUT chain of the filter table:
>>
>> ACCEPT tcp -- 10.77.9.0/24 anywhere tcp dpt:3128
>> ACCEPT tcp -- 10.77.9.0/24 anywhere tcp dpt:3129
>>
>> The server I am on has IP 10.77.9.102.
>>
>
>
> You appear to be missing the MASQUERADE rule to send packets back to the
> client.
I have SNAT rules instead. There are many IPs on this firewall.
>
> Also the mangle table (*not* filter) rules are important to block
> external traffic directly to those Squid ports without interfering with
> the NAT operations.
I didn't post these rules, but I made them. Thanks.
Thanks.
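Added example, not part of this thread and not Squid project code: a small Python lint that catches, in a squid.conf and in `iptables-save` output, the three mistakes discussed above (ssl-bump on `http_port` instead of `https_port`, `ssl_bump bump all` with no preceding peek, and intercept ports left reachable directly because the mangle-table DROP rules are missing). The "good" squid.conf uses the peek-at-step-1-then-splice pattern from the Features/SslPeekAndSplice wiki page; the squid.conf and iptables-save texts are constructed samples, and the interface name `eth0` is an assumption.

```python
"""Static checks for the intercept/ssl-bump mistakes discussed in the thread.

Inputs are plain text: a squid.conf and the output of `iptables-save`.
Every sample below is constructed for this example.
"""
import re
from typing import Dict, List

# Constructed squid.conf resembling the one in the thread (two mistakes).
SQUID_BAD = """
http_port 3128 intercept
http_port 3129 intercept ssl-bump generate-host-certificates=on \\
    cert=/etc/squid/squid.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
ssl_bump bump all
"""

# Corrected: https_port for TLS, peek at step 1 then splice (wiki pattern).
SQUID_GOOD = """
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on \\
    cert=/etc/squid/squid.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
"""

# Constructed iptables-save excerpt for the Squid box: nat REDIRECTs present,
# but a mangle DROP only for 3128, so 3129 stays reachable directly.
IPT_SAVE = """
*nat
-A PREROUTING -s 10.77.9.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 10.77.9.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
-A PREROUTING -p tcp -m tcp --dport 3128 -j DROP
COMMIT
"""


def squid_directives(conf: str) -> List[List[str]]:
    """Tokenise squid.conf, honouring '#' comments and backslash continuations."""
    joined = re.sub(r"\\\n\s*", " ", conf)
    out = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def lint_squid(conf: str) -> List[str]:
    """Return human-readable findings for the ssl-bump mistakes in the thread."""
    findings, bump_port, crtd, peeked = [], False, False, False
    for d, *args in squid_directives(conf):
        if d == "http_port" and "ssl-bump" in args:
            findings.append(f"http_port {args[0]}: ssl-bump needs https_port for intercepted TLS")
            bump_port = True
        elif d == "https_port" and "ssl-bump" in args:
            bump_port = True
        elif d == "sslcrtd_program":
            crtd = True
        elif d == "ssl_bump" and args:
            if args[0] in ("peek", "stare"):
                peeked = True
            elif args[0] == "bump" and not peeked:
                findings.append("ssl_bump bump without a prior peek/stare: bumps before the client hello is read")
    if bump_port and not crtd:
        findings.append("ssl-bump port configured but no sslcrtd_program")
    return findings


def iptables_rules(save: str) -> Dict[str, List[str]]:
    """Group `iptables-save` rule lines ('-A ...') by table name."""
    tables, cur = {}, None
    for line in save.splitlines():
        if line.startswith("*"):
            cur = line[1:].strip()
            tables.setdefault(cur, [])
        elif line.startswith("-A ") and cur:
            tables[cur].append(line)
    return tables


def lint_iptables(save: str) -> List[str]:
    """Each nat REDIRECT target port needs a mangle PREROUTING DROP for direct hits."""
    findings, t = [], iptables_rules(save)
    nat, mangle = t.get("nat", []), t.get("mangle", [])
    ports = re.findall(r"-A PREROUTING .*-j REDIRECT --to-ports (\d+)", "\n".join(nat))
    for p in ports:
        if not any(r.startswith("-A PREROUTING") and f"--dport {p} " in r and "-j DROP" in r for r in mangle):
            findings.append(f"port {p}: no mangle PREROUTING DROP, so the intercept port is reachable directly")
    if not any(r.startswith("-A POSTROUTING") and ("MASQUERADE" in r or "SNAT" in r) for r in nat):
        findings.append("no MASQUERADE/SNAT rule in nat POSTROUTING")
    return findings


if __name__ == "__main__":
    for name, res in (("bad squid.conf", lint_squid(SQUID_BAD)),
                      ("good squid.conf", lint_squid(SQUID_GOOD)),
                      ("iptables", lint_iptables(IPT_SAVE))):
        print(name, "->", res or "ok")
```

The mangle check works because mangle PREROUTING is traversed before nat PREROUTING: a packet that was REDIRECTed still carries its original destination port (80 or 443) when mangle sees it, so a DROP on `--dport 3129` in mangle only hits connections that were aimed at the Squid port directly, which is exactly what the mangle rules Amos mentions are for.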