[squid-users] Using squid as transparent proxy causing re-direct looping on https pages

From: Ahmed Talha Khan <auny87_at_gmail.com>
Date: Fri, 13 Apr 2012 12:07:53 +0500

Hey Guys,
I have been trying to run squid as a transparent proxy without
configuring the client browser. This means that the traffic will NOT
have CONNECT tunnelling involved. I have set up two Linux machines, one
acting as the gateway for the other. On the 2nd machine I have squid
running and I have configured the iptables on that machine to
re-direct all port 80 (HTTP) traffic to port 3128 and all port
443 (HTTPS) traffic to port 3129. Things are working fine for me on
HTTP-only pages with no issues. My primary intention is to just act as
a proxy and if that is achieved then maybe bump into the SSL
connections.

The problem is that all HTTPS pages are getting stuck in a redirect
loop to themselves. I used the Mozilla browser with the HTTP Live Headers
add-on to see that I was getting a 302 Moved Temporarily response for
HTTPS pages, and the new location pointed to in these responses
was the same URL again, hence the infinite loop. I could also see in
squid's access log that the same URL was being fetched in a
loop, ending with the browser giving me the error.

Here is my squid conf related to ports:

http_port 192.168.8.40:3128 transparent ssl-bump
cert=/home/talha/squid/www.sample.com.pem
key=/home/talha/squid/www.sample.com.pem
https_port 192.168.8.40:3129 transparent ssl-bump
cert=/home/talha/squid/www.sample.com.pem
key=/home/talha/squid/www.sample.com.pem

My client machine conf:
Default route points to the machine running squid

Squid machine conf:
The concerned iptables entries are listed below. There are some other entries
as well but I don't think they have any issue. I can paste them if
anyone asks.

*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

*filter
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3129 -j ACCEPT

Here is the output from the conversation between the browser and the
origin server. Note that the Location in the response again points to the
same URL, which causes the loop. Also, in the response header see the Via
field which says squid.

https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2

GET /ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2
HTTP/1.1^M
Host: accounts.google.com^M
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10)
Gecko/20101005 Fedora/3.6.10-1.fc14 Firefox/3.6.10^M
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8^M
Accept-Language: en-us,en;q=0.5^M
Accept-Encoding: gzip,deflate^M
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7^M
Keep-Alive: 115^M
Connection: keep-alive^M
Referer: http://mail.google.com/^M
Cookie: PREF=ID=3c4702b684dfe11e:U=48b0a97895a0e7b3:FF=0:TM=1319019207:LM=1333617885:GM=1:S=j5JagRwK8dLDYf6y;
NID=58=tKRL8nnjrH0BHfUGTyDysha5ioO4_7PqqCWqSnEbGcH9lZdjS9t0l-0fgzsPMRdeRAP1sh2jZj5JNeujrbJgSQhoZGynwYq4sGfGkFn2wjsBoU6hn1lSciDz2jX49qx7atVcgcflKFM;
GAPS=1:p5qNZW-jRyUKeah8d1gHf_cRIxmy3g:_lt0kdMmaXcFkJPF;
__utma=72592003.1110318804.1333617845.1334223605.1334227469.4;
__utmz=72592003.1333617845.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
GALX=vArt1GzoL68; __utmc=72592003; GoogleAccountsLocale_session=en;
GMAIL_RTT=407^M
^M

HTTP/1.0 302 Moved Temporarily^M
Content-Type: text/html; charset=UTF-8^M
Location: https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2
Content-Encoding: gzip^M
Date: Fri, 13 Apr 2012 06:56:22 GMT^M
Expires: Fri, 13 Apr 2012 06:56:22 GMT^M
Cache-Control: private, max-age=0^M
X-Content-Type-Options: nosniff^M
X-XSS-Protection: 1; mode=block^M
Content-Length: 254^M
Server: GSE^M
X-Cache: MISS from localhost.localdomain^M
Via: 1.0 localhost.localdomain (squid/3.1.19-20120225-r10430)^M
Connection: keep-alive^M

-- 
Regards,
-Ahmed Talha Khan
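Added example, not part of the original post or of Squid itself: a small Python checker that automates the access.log inspection described above, flagging a client that keeps receiving 3xx responses for the identical URL within a short window. The log lines are constructed in Squid's native access.log format; the client and upstream addresses are made up.

```python
import re
from collections import defaultdict

# Squid native access.log line: time elapsed client action/code size method url ident hier/from type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["status"] = float(rec["ts"]), int(rec["status"])
    return rec

def find_redirect_loops(lines, min_repeats=5, window=10.0):
    """Flag (client, url) pairs that received at least `min_repeats` 3xx responses
    for the identical URL within `window` seconds, i.e. a self-redirect loop."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not 300 <= rec["status"] < 400:
            continue
        hits[(rec["client"], rec["url"])].append(rec["ts"])
    loops = []
    for (client, url), times in sorted(hits.items()):
        times.sort()
        # sliding window: any run of min_repeats hits inside `window` seconds counts
        for i in range(len(times) - min_repeats + 1):
            if times[i + min_repeats - 1] - times[i] <= window:
                loops.append({"client": client, "url": url, "hits": len(times)})
                break
    return loops

# Constructed sample log: the login URL from the post answered with a 302 six times
# in under three seconds, plus two unrelated entries (addresses are made up).
LOGIN_URL = ("https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false"
             "&continue=http://mail.google.com/mail/&scc=1&ltmpl=default&ltmplcache=2")
SAMPLE_LOG = [
    f"{1334300182.1 + 0.4 * i:.3f}    245 192.168.8.50 TCP_MISS/302 650 GET {LOGIN_URL}"
    " - DIRECT/203.0.113.5 text/html"
    for i in range(6)
] + [
    "1334300185.000    120 192.168.8.50 TCP_MISS/200 5120 GET http://example.org/ - DIRECT/203.0.113.7 text/html",
    "1334300186.000     80 192.168.8.51 TCP_MISS/301 310 GET http://example.org/old - DIRECT/203.0.113.7 text/html",
]
```

Running `find_redirect_loops(SAMPLE_LOG)` reports the single looping client/URL pair; a one-off 301 such as the last sample line is not flagged.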
Received on Fri Apr 13 2012 - 07:08:00 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 13 2012 - 12:00:04 MDT