Re: [squid-users] HTTPS traffic in normal transparent proxy

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Wed, 15 Oct 2008 20:42:26 +0200

On ons, 2008-10-15 at 10:23 -0400, viveksnv_at_aol.in wrote:
> My configuration is...
>
> http_port 0.0.0.0:3128 transparent
>
> https_port 0.0.0.0:3129 transparent
> cert=/usr/local/squid-test/CA/servercert.pem
> key=/usr/local/squid-test/CA/serverkey.pem
>
> Iptable rules are:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT
> --to-port 3129
>
> In cache.log
>
> Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128,
> FD 12.
> Accepting HTTPS connections at 0.0.0.0, port 3129, FD 13
>
> In access.log while accessing https://gmail.com
>
> TCP_MISS/200 2213 CONNECT gmail.com:443

This is not a transparently intercepted https request. This browser is
configured to use the proxy.

The https_port method will only work for transparently intercepted
requests, not when the browser is configured to use the proxy.

For this to work when the browser is configured to use the proxy you
need the sslbump feature available in the upcoming 3.1 release.

> But problem is now gmail not blocked...
>
> In http://gmail.com requests...it's blocked..

CONNECT requests are subject to the same http_access rules as http
access. If GET http://gmail.com is blocked but CONNECT gmail.com:443 is
not then check your access rules. A guess without seeing your ruleset is
that you are using url_regex instead of dstdomain type acls.

Regards
Henrik
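As an added illustration of the url_regex versus dstdomain point (example code, not part of the original thread or of Squid itself): a small Python model of how the two ACL types are matched against a plain GET and against the CONNECT request from the access.log line above. The matching rules are simplified assumptions about Squid's behaviour, and the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample requests, written the way Squid logs them (method, URL).
# The CONNECT entry mirrors the "CONNECT gmail.com:443" access.log line.
REQUESTS = [
    ("GET", "http://gmail.com/"),
    ("GET", "http://mail.google.com/mail/"),
    ("CONNECT", "gmail.com:443"),
]


def request_host(method, url):
    """Host that a dstdomain ACL is compared against (assumed model)."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()  # CONNECT carries host:port, no scheme
    return (urlsplit(url).hostname or "").lower()


def url_regex_matches(pattern, method, url):
    """url_regex is tested against the full request URL; for CONNECT that is only host:port,
    so a pattern anchored on 'http://' can never match a CONNECT request."""
    return re.search(pattern, url) is not None


def dstdomain_matches(domain, method, url):
    """dstdomain: 'example.com' matches that host only; '.example.com' also matches subdomains."""
    host = request_host(method, url)
    if domain.startswith("."):
        return host == domain[1:] or host.endswith(domain)
    return host == domain


def blocked(acl_type, value):
    """Which of the sample requests an 'http_access deny' using this ACL would stop."""
    matcher = url_regex_matches if acl_type == "url_regex" else dstdomain_matches
    return [f"{m} {u}" for m, u in REQUESTS if matcher(value, m, u)]


if __name__ == "__main__":
    # A scheme-anchored url_regex stops the GET but lets the CONNECT through;
    # dstdomain stops both, which is the behaviour the original poster wanted.
    print("url_regex ^http://gmail\\.com :", blocked("url_regex", r"^http://gmail\.com"))
    print("dstdomain .gmail.com        :", blocked("dstdomain", ".gmail.com"))
```

Running it shows the GET/CONNECT mismatch directly; the same check is worth repeating against the real ruleset by reading both the GET and the CONNECT lines in access.log.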

Received on Wed Oct 15 2008 - 18:42:31 MDT
