Re: [squid-users] squid 3.3.5 http and https transparent proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 08 Jun 2013 03:21:19 +1200

On 8/06/2013 2:39 a.m., MyName IsLive wrote:
> Look i just need a server to set it as gateway on all my clients ALL their traffic passing from my server and me can log all the traffic all http, https traffics.
>
> i already paste all my config i did all changes npf-mlists_at_eurotux.com said, but that is the log file!
> i can visit http sites but as i said http://yahoo.com is ok i can visit but when im clicking on other link from inside yahoo.com website i cannot visit "Internet explorer cannot display the webpage" same with chrome and Firefox!
>
> for https i tries with https://facebook.com not working means this:
>
>>> 1370611784.763 2407 192.168.4.99 TCP_MISS/200 1376 GET http://www.facebook.com/ - HIER_DIRECT/31.13.86.8 text/html
>>> 1370611784.790 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
>>> 1370611801.238 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
> i compiled from source code and this is parameter that i passed to configure:
> ./configure --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-ltdl-convenienc
>
> if you need more information that i missed please let me know :)

His instructions were not quite correct. You require intercept flag on
*both* Squid receiving ports to de-NAT the TCP layer and parse the HTTP
origin server message syntax which is used on port 80 and 443. You
require ssl-bump flag and the related ssl settings on the https_port to
enable proper security handling of intercepted port 443 traffic. The
ssl-bump settings usage on the http_port along with intercept is
optional, but rarely useful as CONNECT messages on port 80 are undefined.

The error:invalid-request are intercepted traffic arriving at one or
other of the ports and being detected as non-HTTP. This *usually* (but
not always) means HTTPS / port 443 data has arrived at an http_port, or
has not been decrypted properly, or is not actually HTTPS at all but one
of the other protocols using port 443.

It may appear simple but there is a large amount of complexity going on
in the background for both Squid and the operating system network stack.
Your iptables rules and your Squid settings need to line up properly or
you will get any one of a large number of problems occuring, and
intercepted traffic is the hardest traffic to debug.

Also, you *cannot* test by sending requests directly to the proxy
interception port. You must test by passing traffic as a client would.
Nothing else will give you accurate results.

Amos

>
>
> thank you very much
>
>
> ----------------------------------------
>> From: squid3_at_treenet.co.nz
>>
>> Overview of what you are needing:
>>
>> * For all Squid ports receiving traffic via rules in iptables "nat"
>> table, you require "intercept" flag.
>> * For ports expecting to need decryption of SSL/TLS you need ssl-bump
>>
>> Squid-3.3 can intercept both port 80 and 443. Although there are
>> limitations on port 43 interception which can easily be described as
>> "not working" if you don't understand what the interception is actually
>> doing.
>>
>> ... so please describe in details what you mean by "dont work".
>>
>> Amos
>>
>>
>> On 8/06/2013 1:41 a.m., MyName IsLive wrote:
>>> Hi,
>>> this is the log after i run those iptables rule and those changes in squid.conf:
>>>
>>> 1370611784.763 2407 192.168.4.99 TCP_MISS/200 1376 GET http://www.facebook.com/ - HIER_DIRECT/31.13.86.8 text/html
>>> 1370611784.790 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
>>> 1370611801.238 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
>>>
>>> i just add https_port 3127 "intercept" ....
>>>
>>> and for normal http connection i dont have a stable connection randomly works or not work!!
>>>
>>> 1370611744.028 2358 192.168.4.99 TCP_MISS/304 395 GET http://l2.yimg.com/nn/lib/metro/p2.gif - HIER_DIRECT/66.196.65.188 -
>>> 1370611744.034 2361 192.168.4.99 TCP_MISS/200 1555 GET http://l2.yimg.com/dh/ap/default/130507/twitter-sprite_desktop.png - HIER_DIRECT/66.196.65.188 image/png
>>> 1370611744.684 2432 192.168.4.99 TCP_MISS/200 1560 GET http://ad.yieldmanager.com/imp? - HIER_DIRECT/217.163.21.41 application/x-javascript
>>>
>>> 1370611755.711 2419 192.168.4.99 TCP_MISS/301 573 GEThttp://hsrd.yahoo.com/_ylt=AtxMHaLUD5AnwWofb8kKFvabvZx4;_ylu=X3oDMTJycjUzcHE1BGNwb3MDMARnA2lkLTMzMjYxMDYEaW50bAN1cwRsdHh0A01lbCBCcm9va3MEcG9zAzIEc2VjA3RjLXRzBHNsawN0aXRsZQR0ZXN0AzkwMAR3b2UDMTI3MjM4NjQ-/RV=1/RE=1371821336/RH=aHNyZC55YWhvby5jb20-/RO=2/RU=aHR0cDovL3NlYXJjaC55YWhvby5jb20vc2VhcmNoP2NzPWJ6JnA9TWVsJTIwQnJvb2tzJmZyPWZwLXR0cy05MDAmZnIyPXBz/RS=%5EADAIOfP8qyIhCUF7TQ9B0kysUTI99I-- HIER_DIRECT/98.139.180.157 text/html
>>>
>>>
>>> thanks you
>>>
>>>> ----------------------------------------
>>>>> From: npf-mlists_at_eurotux.com
>>>>> To: squid-users_at_squid-cache.org
>>>>> Date: Fri, 7 Jun 2013 11:53:34 +0100
>>>>> Subject: Re: [squid-users] squid 3.3.5 http and https transparent proxy
>>>>>
>>>>>
>>>>>
>>>>>> in /etc/sysctl.conf ipforwading is enabled.
>>>>>>
>>>>>> and for iptables:
>>>>>> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.96:3128
>>>>>> i added these two rules work well for http, i tried many rules for https non them works!
>>>>>>
>>>>>> Please check squid configuration if its okay please give me the firewall rule
>>>>>>
>>>>>>
>>>>>> thank you very much
>>>>>
>>>>> Hello,
>>>>>
>>>>> Change
>>>>>
>>>>> http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
>>>>>
>>>>> to
>>>>>
>>>>> http_port 3128 intercept
>>>>> https_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
>>>>>
>>>>> And add do:
>>>>>
>>>>> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.96:3128
>>>>>
>>>>> iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
>>>>> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.4.96:3127
>>>>> iptables -I INPUT -p tcp -m tcp --dport 3127 -j ACCEPT
>>>>>
>>>>> Does it work after that?
>>>>>
>>>>> ./npf
>>
Received on Fri Jun 07 2013 - 15:21:27 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 07 2013 - 12:00:06 MDT