[squid-users] ERR_ACCESS_DENIED when using transparent https proxy
Amos Jeffries
squid3 at treenet.co.nz
Sat Jun 30 09:03:51 UTC 2018
On 30/06/18 16:54, CZ Huang wrote:
> I used the following command to send requests (see details below) but got
> "HTTP/1.1 403 Forbidden".
>
> curl https://www.online.citi.com -x https://10.192.197.200:3130 --verbose
> --proxy-insecure
>
> I understand the error was caused by "CONNECT 10.192.197.200:3130 HTTP/1.1".
> But curl did not send it so where did it come from?
It came from your machine's NAT system, in combination with SSL-Bump.
>
> If I change "https_port 10.192.197.200:3130 ssl-bump intercept" to
> "https_port 10.192.197.200:3130" in the config file, then there is no error
> (proxy does not take part in the 2nd SSL handshake anymore).
>
> Please help me fix the errors. Thanks!
>
The error is that you told Squid to contact the system NAT tables to
find out where the client connection was going (the "intercept" option
on http_port) without having configured any NAT rules, AND when testing
explicit-proxy message syntax with curl.
<http://www.squid-cache.org/Doc/config/http_port/>
"
Modes:
intercept Support for IP-Layer NAT interception delivering
traffic to this Squid port.
"
You do not use NAT, so "intercept" is absolutely the wrong thing to be
configuring. That is why removing it "fixed" the problem.
If you intend the proxy to be an explicit/forward proxy, then removal of
the "intercept" option is your full solution.
If you intend the proxy to be intercepting traffic, then you need to
start there and get the NAT intercept part working _first_. Things that
work for explicit/forward proxy don't work with intercept, and the
reverse. So it's just a waste of effort testing irrelevant traffic "modes".
Amos
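To make the two intents Amos distinguishes concrete, here is an added illustration (not from his reply or from the Squid project) of what each looks like in squid.conf; the certificate paths, the second port number and the NAT rule in the comments are assumptions for the example, and the option names follow Squid 4 syntax (tls-cert=, which older 3.5 releases spell cert=).

```conf
# ---- Intent 1: explicit/forward proxy (what "curl -x https://..." exercises) ----
# Clients send proxy syntax (CONNECT host:443) straight to this port, so
# Squid must NOT consult the NAT tables: no "intercept" option here.
# Assumed certificate path for the proxy's own TLS listener.
https_port 10.192.197.200:3130 tls-cert=/etc/squid/proxy-listener.pem

# ---- Intent 2: intercepting proxy (separate port; NAT supplies the destination) ----
# Only connections redirected by the firewall belong here. A client that
# sends explicit CONNECT syntax to this port gets the 403 seen in the thread.
# Assumed port 3129 and CA certificate path for generated host certificates.
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on

# Minimal SSL-Bump policy so the intercept port can read the TLS client hello
# before deciding; without ssl_bump rules the intercept port has nothing to do.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# The NAT rule that the "intercept" mode depends on (assumed iptables example,
# run on the Squid host itself; it is not part of squid.conf). Until a rule
# like this exists, intercept mode has no destination to look up:
#   iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3129
```

A quick sanity check for either intent: the explicit port is tested with curl's -x option, while the intercept port is tested only by a plain "curl https://host" from a machine whose port-443 traffic the NAT rule redirects.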