[squid-users] IPTABLES - Can't redirect HTTPS traffic to external Squid

NgTech LTD ngtech1ltd at gmail.com
Tue Jul 30 12:54:05 UTC 2024


Hey,

The DNAT rule should be done on the Squid itself.
You will need to re-route the relevant traffic over the IPsec tunnel to the
Squid IP.
It's possible to do that over IPIP or GRE tunnels.

Eliezer

On Tue, Jul 30, 2024, 15:41, Bolinhas André <
andre.bolinhas at articatech.com> wrote:

> I have an external proxy server connected by VPN (IPsec) to my main branch,
> and I'm trying to redirect all users' HTTP / HTTPS traffic to this proxy.
> Scenario: Users -> Gateway (Main Branch) -> IPsec -> Squid Proxy
> (transparent mode)
>
> In my Gateway (Main Branch) I have this test iptables rule, which is
> forwarding all the TCP / UDP traffic to the proxy server.
>
> iptables -t nat -I PREROUTING -s 192.168.60.90 -p tcp -j DNAT --to-destination 172.31.0.1
> iptables -t nat -I PREROUTING -s 192.168.60.90 -p udp -j DNAT --to-destination 172.31.0.1
>
> In the Squid proxy server I have the following rules
>
> iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8081
> iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8080
>
> Everything is working correctly, HTTP traffic is OK, DNS is also working;
> the only exception is the HTTPS traffic. I can see the HTTPS traffic inside
> the Squid access.log, but on the client side I get a timeout
>
> 1722265740.867      1 192.168.60.90 TCP_TUNNEL/200 0 CONNECT cnn.com:443 - HIER_DIRECT/51.210.183.2:443 - mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"
>
> Can anyone help me understand if I'm missing some iptables rule to handle
> the HTTPS traffic?