Re: [squid-users] Is "https_port" required for transparent (reverse) proxying?

From: Tim Neto <tneto@dont-contact.us>
Date: Thu, 01 Dec 2005 10:56:29 -0500

Hello Matus,

Okay, so the terminology is no longer "transparent" and instead I should
use "intercepting".

Here is what I have:

      -------------- -----------------
                      ---------------------
     | Client | Internet | Firewall host |
Internal Network | Secure Web |
     | Computer | <--------------->| with IPtables
|<----------------------->| Server (https) |
     | | | and Squid
| | port 80 and 443 |
      -------------- -----------------
                      ---------------------

The trouble we are having is Squid is not passing the https traffic through.

Sanitized squid.conf file.
================================================================================
#
# ----------------------------------------------------------------------
http_port 209.202.99.178:80
http_port 192.168.2.40:8080
https_port 209.202.99.178:443 cert=/etc/squid/KCL.pem

# ----------------------------------------------------------------------
# Visible and servers unique hostname.
visible_hostname proxy1.komatsu.ca
unique_hostname proxy1.komatsu.ca

# ----------------------------------------------------------------------
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_effective_user squid
cache_dir ufs /usr/spool/squid 100 16 256
cache_access_log /usr/log/squid/access.log
cache_log /usr/log/squid/cache.log
cache_store_log /usr/log/squid/store.log
logfile_rotate 4

cache_mgr WebMaster@komatsu.ca
#
cachemgr_passwd <blah> 5min
cachemgr_passwd <blah> 60min
cachemgr_passwd <blah> asndb
cachemgr_passwd <blah> authenticator
cachemgr_passwd <blah> cbdata
cachemgr_passwd <blah> client_list
cachemgr_passwd <blah> comm_incoming
cachemgr_passwd <blah> config *
cachemgr_passwd <blah> counters
cachemgr_passwd <blah> delay
cachemgr_passwd <blah> digest_stats
cachemgr_passwd <blah> dns
cachemgr_passwd <blah> events
cachemgr_passwd <blah> filedescriptors
cachemgr_passwd <blah> fqdncache
cachemgr_passwd <blah> histograms
cachemgr_passwd <blah> http_headers
cachemgr_passwd <blah> info
cachemgr_passwd <blah> io
cachemgr_passwd <blah> ipcache
cachemgr_passwd <blah> mem
cachemgr_passwd <blah> menu
cachemgr_passwd <blah> netdb
cachemgr_passwd <blah> non_peers
cachemgr_passwd <blah> objects
cachemgr_passwd <blah> pconn
cachemgr_passwd <blah> peer_select
cachemgr_passwd <blah> redirector
cachemgr_passwd <blah> refresh
cachemgr_passwd <blah> server_list
cachemgr_passwd <blah> shutdown *
cachemgr_passwd <blah> store_digest
cachemgr_passwd <blah> storedir
cachemgr_passwd <blah> utilization
cachemgr_passwd <blah> via_headers
cachemgr_passwd <blah> vm_objects
# ----------------------------------------------------------------------
# Use the external DNS servers.
dns_nameservers 192.168.2.41 192.168.2.42 209.202.99.178 209.202.99.179
# ----------------------------------------------------------------------
# ----------------------------------------------------------------------
auth_param basic program /usr/lib/squid/squid_ldap_auth -h ldap_host -p
port -P -b o=organization -f "(|(uid=%s)(mail=%s))"

auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minute

external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -h
ldap_host -p port -P -b o=organization -F "(|(uid=%s)(mail=%s))" -f
"(&(cn=%g)(uniquemember=%u)(objectClass=groupOfUniqueNames))"

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# ----------------------------------------------------------------------
# Default Squid ACL's
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 21
acl Safe_ports port 70
acl Safe_ports port 80
acl Safe_ports port 81
acl Safe_ports port 82
acl Safe_ports port 86
acl Safe_ports port 88
acl Safe_ports port 89
acl Safe_ports port 210
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 443 563
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT

# ----------------------------------------------------------------------
# KCL Defined ACL's and http_access definitions.
acl kcl_users proxy_auth REQUIRED
acl kcl_networks src 192.168.2.0/24
acl dmz_networks src 209.202.99.176/28

acl portals_url url_regex https://portal.komatsu.ca
acl portals_networks src 0.0.0.0/0

acl portal_url url_regex http://portal.komatsu.ca
acl portal_networks src 0.0.0.0/0

# LDAP group acl definitions.
#
# Proxy
acl proxy_groups external ldap_group proxy

http_access allow manager localhost
http_access allow manager kcl_networks
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#
# ----------------------------------------------------------------------
# A problem has occurred with Microsoft's HotMail service. It seems
# MS did an update recently to IE and hotmail is no longer proxyable
# without the following controls. This is information from the
# Squid user's mailing list.
# Tim Neto 23 December 2004
#
acl hotmail_domains dstdomain .hotmail.msn.com
acl ie6 browser MSIE[[:space:]]6
header_access Accept-Encoding deny ie6 hotmail_domains

# ----------------------------------------------------------------------
# Note: KCL deny rules must exist before any allow rules.
#
acl no_errorguard_com dstdomain .errorguard.com
acl no_kazaa dstdomain .kazaa.com
acl no_kilopics dstdomain .kilopics.com
acl no_lingerie-mania dstdomain .lingerie-mania.com
acl no_lun_com dstdomain .lun.com
acl no_miniclip dstdomain .miniclip.com
acl no_puretracks dstdomain .puretracks.com
acl no_uproar dstdomain .uproar.com

http_access deny no_errorguard_com
http_access deny no_kazaa
http_access deny no_kilopics
http_access deny no_lingerie-mania
http_access deny no_lun_com
http_access deny no_miniclip
http_access deny no_puretracks
http_access deny no_uproar

# ----------------------------------------------------------------------
# Allow all proxy users to all web addresses.
#
http_access allow kcl_networks proxy_groups

# ----------------------------------------------------------------------
# Allow access from the Internet for portal
#
http_access allow portals_url portals_networks
http_access allow portal_url portal_networks

# ----------------------------------------------------------------------
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all

# ----------------------------------------------------------------------
httpd_accel_host virtual
httpd_accel_port 0
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# ----------------------------------------------------------------------
coredump_dir /usr/spool/squid
================================================================================

The iptables definitions are:
================================================================================
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -d 192.168.2.4 --dport 23 --syn -j
ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
#
# Block all X11 and VNC packets on the external interface.
#
-A RH-Firewall-1-INPUT -p tcp -m tcp -d 209.202.99.178 --dport 5800:6100
--syn -j REJECT
-A RH-Firewall-1-INPUT -p tcp -m tcp -d 209.202.99.178 --dport 8003
--syn -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.2.42 --sport 53 -d 0/0
-j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 209.202.99.178 --sport 53 -d 0/0
-j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 209.202.99.179 --sport 53 -d 0/0
-j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Firewall-1-INPUT -p udp -m udp -j REJECT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
#
# The Mangle table. For reverse routes the packets are accepted in the
# FORWARD chain for replying packets on the internal NIC only.
#
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.2.229 -d 192.168.2.4 -i eth2 -o eth1 -p tcp
--dport 8080 -j ACCEPT
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#
#
# Here is the "magic" table. All SNAT rules here only work with the
# POSTROUTING chain. The DNAT rules work best in the PREROUTING chain,
# but according to the "bible" the rules can be defined in the OUTPUT
# chain too.
#
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# -------------------
-A PREROUTING -i eth1 -s ! 209.202.99.178 -p tcp --dport 443 -j DNAT
--to 192.168.2.4:8080
# -------------------
-A POSTROUTING -o eth1 -s 192.168.2.229 -d 192.168.2.4 -j SNAT --to
127.0.0.1
# -------------------
COMMIT
#
================================================================================

So the question remains, how do I pass HTTPS traffic from the open
Internet to my internal web server using Squid 2.5STABLE11?

Thanks.

Tim

-----------------------------------------------------------
Timothy E. Neto
 Computer Systems Engineer Komatsu Canada Limited
 Ph#: 905-625-6292 x265 1725B Sismet Road
 Fax: 905-625-6348 Mississauga, Canada
 E-Mail: tneto@komatsu.ca L4W 1P9
-----------------------------------------------------------

Matus UHLAR - fantomas wrote:

>On 30.11 17:47, Tim Neto wrote:
>
>
>>The remark about "This is really only useful for situations where you
>>are running squid in accelerator mode and you want to do the SSL work at
>>the accelerator level." makes me question whether I need an "https_port"
>>directive.
>>
>>So do I need "https_port" for transparent (reverse) proxying in 2.5
>>STABLE 11?
>>
>>
>
>No.
>
>At first, there is no need for "transparent" reverse proxying, alghough it
>is possible to do.
>
>At second, there is no need for proxying https, unless you can't directly
>reach https server from client.
>
>The meaning of reverse HTTPS proxy is to alow https connections to HTTP
>servers that do not support it, or to speed up http servers byu moving SSL
>functionalitty off them.
>
>If you want "transparent" proxy, which we call intercepting (because the
>word "transparent" means something completely different from HTTP's point of
>view), you do not need to set https port.
>
>
>
Received on Thu Dec 01 2005 - 08:56:01 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 31 2005 - 12:00:02 MST