Re: [squid-users] WCCP transparent proxy from Amos Jeffries on 2011-10-12 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 13 Oct 2011 00:59:55 +1300

On 12/10/11 22:19, nipun_mlist Assam wrote:
> On Wed, Oct 12, 2011 at 11:05 AM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
>> On 12/10/11 17:33, nipun_mlist Assam wrote:
>>>
>>> This may be relevant to this question.
>>> While trying to use squid for transparent proxy (tproxy ) on linux
>>> (kerne 2.6.39 with centos 6.0), I noticed the following
>>>
>>> 1. Client IP spoofing doesn't work (but for our work, this requirement
>>> was a must).
>>
>> In what way?
>
> The root web server was seeing the IP of the squid box, not of the
> client machine for all http requests. I.e. the web server will see
> that the HTTP requests are coming from the squid box. Our requirement
> is that, both the web servers and client machines should not be aware
> of a squid proxy sitting in between and hence they should not see the
> IP of squid box in HTTP related traffics.
>
> squid.conf is as shown below (I am pasting only http_port related lines):
>
> .
> .
> http_port 85 tproxy
> http_port 86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> .
> .
>
>
> IPTABLES was configured as shown below (port 80 traffics are forwarded
> to port 85 where squid "expects" HTTP traffic, and port 443 traffic
> are forwarded to port 86 where "HTTPS" traffic are expected):
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 85
> iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY
> --tproxy-mark 0x1/0x1 --on-port 86
>
>
>
>>
>>> 2. Squid with tproxy doesn't work with HTTPS traffic.
>>
>> In what way?
>>
>> HTTP:
>> http_port 1 tproxy ...
>>
>> HTTPS:
>> https_port 2 tproxy ...
>>
>>>
>
> We cannot use https_port here. Because, we are seeing the traffic from
> squid to the root webserver goes as http traffic after that.

That is the bug then. Outgoing traffic needs to check the request->flags
to identify tproxy or intercepted. Also checking request->protocol for
PROTO_HTTPS requests to re-encrypt.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.12

Received on Wed Oct 12 2011 - 12:00:01 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 12 2011 - 12:00:02 MDT