Re: [squid-users] Transparent proxy with HTTPS on freebsd

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 2 May 2009 16:59:38 +1200 (NZST)

> Dear All,
>
> So champs, now the interesting part starts. OK.
>
> A few days ago we had the proxy configured in the following way.
>
>                             DR Site
>                                \
>                       int: bge0 \             int: bge1
> internal net------lan switch----Squid on BSD------external firewall------public net
>                       IP=X                  \      IP=Y
>                                               \
>                                                Branches
>
> 1. The above diagram shows that our internal net and DR site are
> connected to Squid on interface bge0 and use the transparent proxy,
> whereas branches come in on bge1 and use the manual proxy to get access
> to the internet.
>
> 2. In the above configuration HTTP and HTTPS were working perfectly fine.
>
> After that, major changes were made in our company's network, and as a
> result our proxy's working scenario also changed, as below.
>
>                                            DR site
>                                               |
>                       int: bge0               |  int: bge1
> internal net------lan switch----Squid on BSD------external firewall------public net
>                       IP=X                  \      IP=Y
>                                               \
>                                                Branches
>
> 1. The network guys forcibly shifted DR site traffic to bge1, and as a
> result internet access at the DR site stopped functioning.
>
> 2. My colleague who was previously looking after the proxy changed the
> following rule in the ipfw file as below (as per his statement), and
> after that internet access for HTTP started working, but HTTPS traffic
> stopped working at both sites where the transparent proxy was working,
> i.e. at the DR site and the internal net; however HTTPS still works at
> branches.
>
> RULE: ipfw add divert natd all from any to any via bge1
>
> CHANGED TO:
>
> RULE: ipfw add divert natd all from internal net/24 to any via bge1
>
> 3. My network colleague told me that the proxy is adding its address as
> the source address to HTTP packets but not to HTTPS, and passes HTTPS
> packets with the source address of the internal net, which are
> ultimately blocked at the perimeter firewall.
>
> Now please note that I have only freshly started working on Squid; only
> a couple of months have passed.
>
> So when HTTPS didn't run, I went through documentation, forums etc.
> (one example is one of your previous answers) and found that HTTPS would
> not work on Squid in a transparent configuration, and got SURPRISED at
> how it was working previously then. Anyway, now when I say to my head
> that Squid in transparent proxy mode won't work for HTTPS, he is not
> ready to accept it.
>
> I argued with network colleagues that there must have been some other
> settings done for HTTPS, but they do not agree and say that they had
> checked everything and no such settings were there; the proxy was doing
> all the functionality.
>
>
> Repeating the problem: currently the proxy adds its address as source to
> HTTP traffic but not HTTPS; in the HTTPS case it simply forwards packets
> with the source address of the internal net, and the perimeter firewall
> allows proxy IP traffic and drops internal net addresses, so as a result
> HTTPS does not work.
>
> So this is the whole story and I have got really stuck. What should I
> do?!

Please note:
 HTTPS forwarding sounds like it is being done by the OS routing on the
proxy box, not by the proxy software itself.

 Also, using the WPAD solution I already proposed will make the clients go
through the proxy software, with the same effects and controls as HTTP
traffic.

The other proper solution is for the main firewall to be updated to allow
the appropriate internal IPs to use HTTPS port 443 outbound.

One hack, which itself will break eventually and meanwhile has holes of its
own, is to configure the proxy box firewall with those same IPs which
should be allowed HTTPS and source-NAT them to the proxy box IP. Be
careful you only allow the acceptable IPs through this NAT, though.

Amos
Received on Sat May 02 2009 - 04:59:53 MDT
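As an added example, not code from this thread or from the Squid project: a small sh script for the hack Amos describes, generating ipfw rules that source-NAT port 443 only for an explicit list of approved internal sources and drop any other internal source on 443 locally. It assumes natd is already listening on the divert socket as in the thread's existing rule; bge1 is from the thread, while the addresses, the table number and the rule numbers are made-up placeholders.

```sh
#!/bin/sh
# Added example (not from the thread). Prints ipfw rules for review;
# pipe the output to sh on the proxy box to apply them.
EXT_IF="bge1"      # external interface, from the thread
NAT_TABLE=1        # ipfw lookup table holding approved sources (assumed free)

# Print the rules that source-NAT HTTPS only for the listed sources.
# Arguments: one IPv4 host or CIDR block each. Returns 1 on a malformed entry
# so a typo cannot silently widen the NAT to unexpected hosts.
ipfw_https_rules() {
    for src in "$@"; do
        printf '%s\n' "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || {
            echo "rejecting malformed source: $src" >&2
            return 1
        }
        echo "ipfw table $NAT_TABLE add $src"
    done
    # Outbound 443 from an approved source: hand it to natd, which rewrites the
    # source address to the proxy box's $EXT_IF address.
    echo "ipfw add 1000 divert natd tcp from 'table($NAT_TABLE)' to any 443 out via $EXT_IF"
    # Replies come back addressed to the proxy box ("me"); divert them too so
    # natd can undo the translation. Without this the outbound NAT is useless.
    echo "ipfw add 1010 divert natd tcp from any 443 to me in via $EXT_IF"
    # Any other forwarded source on 443 is dropped here instead of at the
    # perimeter. "not me" keeps Squid's own CONNECT tunnels (the branches on
    # the manual proxy) working, since those leave with the box's own address.
    echo "ipfw add 1020 deny tcp from not me to any 443 out via $EXT_IF"
}

# Constructed addresses; append "| sh" to apply on the proxy box.
ipfw_https_rules 192.0.2.10 192.0.2.0/28
```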