[squid-users] Transparent HTTPS Squid proxy does not work!

Mon Oct 16 18:51:46 UTC 2023

Let me try one more time.

Here is my system configuration:

{HW-Box} --> Local Server{ (eth0[port 444]) -----+

   |
          +-----------------------------------------------------+
          |
          |
          +-----> ([3129] Transparent Squid proxy) ---> (eth1[port443]) }--+

                                  |

 +------------------------------------------------------- ---+
                                     |
                                     +->--{ INTERNET Server }

The setup and the problem:
   - The HW box tries to establish an HTTPS transparent connection with a
server located within Internet.

   - It uses the Local Server and send its request via eth0 interface.

   - The request is Pre-routed from eth0, port 443, to the Transparent
Squid proxy (v3.5.25), listening at port 3129.

   - For testing purposes, the Squid proxy is configured to pass only the
HTTPS traffic transparently via the eth1 interface, using sing the
`tcp_outgoing_address <ip_addr>` directive.  Please see the squid-ota.conf
file content below.

   - While testing, I am monitoring the eth1 output via tcpdump and I get
the following:

     # tcpdump -i eth1 port 443 -n -X -q -w tcp_dump_24
       tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture
size 262144 bytes
       0 packets captured
       1 packet received by filter
       0 packets dropped by kernel
       3 packets dropped by interface

   - But nothing is detected!?

   - From the above it appears that there is no eth1 output at port 443?

I have included the printouts of the `iptables -nvL` and `iptables -nvL -t
nat` commands.

Can someone tell me what I have done wrong here and perhaps suggest a
solution?

Cheers,
Bud

=========================
Squid configuration file:

# 1) Visible hostname
visible_hostname ctct-r2

# 2) Initialize SSL database first
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB

# 3) Listen to incoming HTTP traffic
http_port 3128

# 4) Block all HTTP traffic
http_access deny all

# 5) Listen for incoming HTTPS traffic and intercept it
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# 6) Pass the SSL (HTTPS) traffic trasparently throught
ssl_bump splice all

# Do not use caching
# cache_dir ufs /var/volatile/log/squid/logs 100 16 256

# 7) Send out all HTTPS traffic to destination server via given IP address
tcp_outgoing_address 10.3.19.92

===============================================
# iptables -nvL

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
 8827  680K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0            ctstate RELATED,ESTABLISHED
    7   438 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0            icmptype 8 ctstate NEW
    2   138 ACCEPT     all  --  lo     *       0.0.0.0/0
0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0            ctstate INVALID
1218K  299M APP_RULES  all  --  *      *       0.0.0.0/0
0.0.0.0/0            ctstate NEW
1218K  299M OS_RULES   all  --  *      *       0.0.0.0/0
0.0.0.0/0            ctstate NEW
  134 28053 REJECT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0            reject-with icmp-port-unreachable
14014  841K REJECT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0
0.0.0.0/0            reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  wlan1  wlan1   0.0.0.0/0
0.0.0.0/0
    9   559 REJECT     all  --  *      *       0.0.0.0/0
0.0.0.0/0            reject-with icmp-host-unreachable

Chain OUTPUT (policy ACCEPT 39073 packets, 2757K bytes)
 pkts bytes target     prot opt in     out     source
destination
  125 11932 ACCEPT     all  --  *      *       10.3.19.92
0.0.0.0/0

Chain APP_RULES (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0
0.0.0.0/0            tcp dpt:20
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0
0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0
0.0.0.0/0            tcp dpt:80

Chain DEV_RULES (2 references)
 pkts bytes target     prot opt in     out     source
destination
    5   300 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0            tcp dpt:1534
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0            tcp dpt:2345
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0            udp dpt:1534
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0            udp dpt:2345

Chain EXTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source
destination
1190K  298M DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain INTERNAL_RULES (2 references)
 pkts bytes target     prot opt in     out     source
destination
13930  794K ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0            udp dpt:53
    8  2540 ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0            udp dpt:67
    1   328 ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0            tcp dpt:80

Chain OS_RULES (1 references)
 pkts bytes target     prot opt in     out     source
destination
28092 1666K DEV_RULES  all  --  eth0   *       0.0.0.0/0
0.0.0.0/0
    0     0 DEV_RULES  all  --  wlan1  *       0.0.0.0/0
0.0.0.0/0
28087 1666K INTERNAL_RULES  all  --  eth0   *       0.0.0.0/0
0.0.0.0/0
    0     0 INTERNAL_RULES  all  --  wlan1  *       0.0.0.0/0
0.0.0.0/0
1190K  298M EXTERNAL_RULES  all  --  eth1   *       0.0.0.0/0
0.0.0.0/0
    0     0 EXTERNAL_RULES  all  --  wlan0  *       0.0.0.0/0
0.0.0.0/0

=====================================================
iptables -nvL -t nat

Chain PREROUTING (policy ACCEPT 1234K packets, 306M bytes)
 pkts bytes target     prot opt in     out     source
destination
   96  5760 REDIRECT   tcp  --  eth0   *       0.0.0.0/0
0.0.0.0/0            tcp dpt:443 redir ports 3129
13943  837K REDIRECT   tcp  --  eth0   *       0.0.0.0/0
0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain INPUT (policy ACCEPT 13972 packets, 798K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 62 packets, 4650 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain POSTROUTING (policy ACCEPT 14103 packets, 566K bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 MASQUERADE  all  --  *      eth1    192.168.168.0/24
0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth1    192.168.192.0/24
0.0.0.0/0
    0     0 MASQUERADE  all  --  *      wlan0   192.168.168.0/24
0.0.0.0/0
    0     0 MASQUERADE  all  --  *      wlan0   192.168.192.0/24
0.0.0.0/0
==================================================

-- 
Budimir Miljković BSc E | He
Senior Development Engineer
Civil Construction Field Systems
Trimble

11-17 Birmingham Drive, Christchurch, Canterbury, 8024
New Zealand
+64 3 963-5550 Direct
+64 21 419-024 Mobile

www.trimble.com

This email may contain confidential information that is intended only for
the listed recipient(s) of this email. Any unauthorized review, use,
disclosure or distribution is prohibited. If you believe you have received
this email in error, please immediately delete this email and any
attachments, and inform me via reply email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20231017/f15c4145/attachment.htm>