Re: [squid-users] transparent proxy bypass https traffic

From: Amos Jeffries <squid3@dont-contact.us>
Date: Sun, 23 Mar 2008 10:42:38 +1300

Razvan Grigore wrote:
> Hello,
>
> I'm using squid 2.6.STABLE6 on CentOS. I successfully configured squid
> both as a transparent proxy and normal proxy that's working fine on
> http and https in normal mode, but on transparent mode https is a
> challenge.
>
> http_port 3128
> http_port 3129 transparent
>
> I'm redirecting with iptables like this:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 10.0.0.0/8 --dport
> 80 -m mark --mark 0x0 -j REDIRECT --to-port 3129
>
> I have 2 types of clients, that are accessing internet through squid
> or directly.
>
> How can I bypass squid for https traffic ONLY for squid users?

What do you mean by this?
1) explicitly configured proxy clients should have no problems with HTTPS.
2) transparently redirecting encrypted traffic to squid 2.6 will fail
since squid is expecting HTTP, not binary encryption.

>
> I tried like this:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 10.0.0.0/8 --dport
> 443 -m mark --mark 0x0 -j REDIRECT --to-port 3129
>
> but it gives:
>
> 2008/03/22 16:54:41| parseHttpRequest: Requestheader contains NULL characters
> 2008/03/22 16:54:41| parseHttpRequest: Unsupported method ''
> 2008/03/22 16:54:41| clientReadRequest: FD 19 (10.x.x.3:1104) Invalid Request
>
> I think that I can make iptables rules for every ip in squid for
> allowing direct https, but I want to avoid this.

2.6 has no capability for transparent HTTPS. If you continue with that
version of squid you will have to unblock the HTTP outbound traffic.
Configured clients will use the proxy even if it's open, others will get
working HTTPS direct traffic.

>
> Is squid 3 capable through ssl bump for allowing https traffic without
> breaking the certificate? or at least without notifying the user.

Yes Squid 3-HEAD (3.1 alpha) can cope with this. You will need to build
it yourself from sources, but give it a try.

http://www.squid-cache.org/Versions/v3/HEAD/

> Thank you!

Thank you.

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
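An added example, not part of this thread or of Squid itself, that turns the cache.log symptom quoted above into a check: it parses constructed sample lines in the same format and reports which client IPs are repeatedly sending non-HTTP data to the transparent port, which is exactly what a port-443 REDIRECT to an HTTP-only http_port produces. The IPs and the threshold are assumptions for the sample.

```python
"""Flag clients whose traffic hits Squid's transparent HTTP port as non-HTTP.

When TLS (port 443) is REDIRECTed to an http_port that expects plain HTTP,
cache.log shows the pattern quoted in the thread: a "NULL characters" or
"Unsupported method ''" parse error followed by an "Invalid Request" line
naming the client. Grouping those by client IP shows which hosts are being
misdirected, and therefore which iptables rule needs fixing.
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
2008/03/22 16:54:41| parseHttpRequest: Requestheader contains NULL characters
2008/03/22 16:54:41| parseHttpRequest: Unsupported method ''
2008/03/22 16:54:41| clientReadRequest: FD 19 (10.0.0.3:1104) Invalid Request
2008/03/22 16:54:42| parseHttpRequest: Unsupported method 'FOO'
2008/03/22 16:54:42| clientReadRequest: FD 20 (10.0.0.7:2210) Invalid Request
2008/03/22 16:54:43| parseHttpRequest: Requestheader contains NULL characters
2008/03/22 16:54:43| clientReadRequest: FD 21 (10.0.0.3:1105) Invalid Request
"""

INVALID_RE = re.compile(
    r"clientReadRequest: FD \d+ \((?P<ip>[0-9.]+):\d+\) Invalid Request")
# Parse errors that indicate binary (e.g. TLS) data rather than a bad HTTP verb.
BINARY_HINTS = ("Requestheader contains NULL characters",
                "Unsupported method ''")


def count_invalid_requests(log_text):
    """Return {ip: {"invalid": n, "binary": m}} for each client in the log."""
    stats = defaultdict(lambda: {"invalid": 0, "binary": 0})
    pending_binary = False  # a binary-looking parse error preceded this line
    for line in log_text.splitlines():
        if any(hint in line for hint in BINARY_HINTS):
            pending_binary = True
            continue
        m = INVALID_RE.search(line)
        if m:
            s = stats[m.group("ip")]
            s["invalid"] += 1
            if pending_binary:
                s["binary"] += 1
        pending_binary = False  # any other line breaks the error/request pair
    return dict(stats)


def suspect_clients(log_text, threshold=2):
    """IPs with at least `threshold` binary-looking invalid requests."""
    stats = count_invalid_requests(log_text)
    return sorted(ip for ip, s in stats.items() if s["binary"] >= threshold)


if __name__ == "__main__":
    for ip in suspect_clients(SAMPLE_LOG):
        print(f"{ip}: likely non-HTTP traffic redirected to the transparent port")
```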
Received on Sat Mar 22 2008 - 15:41:42 MDT
