[squid-users] Fwd: Squid does not pass HTTPS traffic transparently
Bud Miljkovic
bud_miljkovic at trimble.com
Mon Oct 16 03:41:30 UTC 2023
Resending it without an image
On Mon, Oct 16, 2023 at 1:59 PM Bud Miljkovic <bud_miljkovic at trimble.com>
wrote:
> Here is my system configuration
>
-
> The setup and the problem
>
> - The HW box tries to establish an HTTPS transparent connection with a
> server located within Internet.
> - It uses the Local Server and send its request via eth0 interface.
> - The request is Pre-routed from eth0, port 443, to the Transparent
> Squid proxy (v3.5.25), listening at port 3129.
> - For testing purposes, the Squid proxy is configured to pass only the
> HTTPStraffic transparently via the eth1 interface, using sing the
> `tcp_outgoing_address <ip_addr>` directive. Please see the attached
> squid-ota.conf file.
> - While testing, I am monitoring the eth1 output via tcpdump and I get
> the following:
> # tcpdump -i eth1 port 443 -n -X -q
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 262144
> bytes
> - But nothing is detected!?
> - From the above it appears that there is no an eth1 output at port
> 443?
>
> I have attached the printouts of the `iptables -nvL` and `iptables -nvL -t
> nat`
> commands.
>
> Can someone check ut what I have done here and perhaps suggest what could
> be
> wrong in here.
>
> Cheers,
> Bud
> --
> Budimir Miljković BSc E | He
> Senior Development Engineer
> Civil Construction Field Systems
> Trimble
>
> 11-17 Birmingham Drive, Christchurch, Canterbury, 8024
> New Zealand
> +64 3 963-5550 Direct
> +64 21 419-024 Mobile
>
> www.trimble.com
>
> This email may contain confidential information that is intended only for
> the listed recipient(s) of this email. Any unauthorized review, use,
> disclosure or distribution is prohibited. If you believe you have received
> this email in error, please immediately delete this email and any
> attachments, and inform me via reply email.
>
--
Budimir Miljković BSc E | He
Senior Development Engineer
Civil Construction Field Systems
Trimble
11-17 Birmingham Drive, Christchurch, Canterbury, 8024
New Zealand
+64 3 963-5550 Direct
+64 21 419-024 Mobile
www.trimble.com
This email may contain confidential information that is intended only for
the listed recipient(s) of this email. Any unauthorized review, use,
disclosure or distribution is prohibited. If you believe you have received
this email in error, please immediately delete this email and any
attachments, and inform me via reply email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20231016/b3de9138/attachment.htm>
-------------- next part --------------
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8827 680K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
7 438 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 ctstate NEW
2 138 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1218K 299M APP_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
1218K 299M OS_RULES all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
134 28053 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
14014 841K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- wlan1 wlan1 0.0.0.0/0 0.0.0.0/0
9 559 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
Chain OUTPUT (policy ACCEPT 39073 packets, 2757K bytes)
pkts bytes target prot opt in out source destination
125 11932 ACCEPT all -- * * 10.3.19.92 0.0.0.0/0
Chain APP_RULES (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain DEV_RULES (2 references)
pkts bytes target prot opt in out source destination
5 300 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1534
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2345
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1534
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2345
Chain EXTERNAL_RULES (2 references)
pkts bytes target prot opt in out source destination
1190K 298M DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INTERNAL_RULES (2 references)
pkts bytes target prot opt in out source destination
13930 794K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
8 2540 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
1 328 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain OS_RULES (1 references)
pkts bytes target prot opt in out source destination
28092 1666K DEV_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DEV_RULES all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
28087 1666K INTERNAL_RULES all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 INTERNAL_RULES all -- wlan1 * 0.0.0.0/0 0.0.0.0/0
1190K 298M EXTERNAL_RULES all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 EXTERNAL_RULES all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
-------------- next part --------------
Chain PREROUTING (policy ACCEPT 1234K packets, 306M bytes)
pkts bytes target prot opt in out source destination
96 5760 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 3129
13943 837K REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain INPUT (policy ACCEPT 13972 packets, 798K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 62 packets, 4650 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 14103 packets, 566K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth1 192.168.168.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * eth1 192.168.192.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * wlan0 192.168.168.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * wlan0 192.168.192.0/24 0.0.0.0/0
More information about the squid-users
mailing list