Re: [squid-users] https could not access with ssl bump in squid 3.4

From: Jerry OELoo <oyljerry_at_gmail.com>
Date: Thu, 27 Feb 2014 16:56:40 +0800

Hi All:
Now I have added the rules below for iptables and configured client A's
browser proxy, but it could not connect to server B anyway. Please kindly
help with it. Thanks!

1) Add rules to redirect all data from 80 -> 3128, 443 -> 3130
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

2) Change browser proxy setting (if I understand correctly, I should
change the proxy port as server B has a redirect)
HTTP Proxy, 10.64.12.101, port 80
HTTPS Proxy, 10.64.12.101, port 443

Based on the above change, client A could not access the internet, no
matter whether http or https, and from access.log in squid it seems there
is no log at all. What's wrong? I am confused. Thanks!

On Thu, Feb 27, 2014 at 3:11 PM, Jerry OELoo <oyljerry_at_gmail.com> wrote:
> Hi Amos:
> After reading your comments, below are my questions in detail. Thanks a lot.
> 1) Must Squid SSL Bump be used in a NAT network? In my environment, A and B
> are in the same LAN; can B use Squid SSL Bump to capture all of A's https
> traffic?
> 2) As mentioned in the original mail, PC A and PC B are in the same LAN,
> there is no NAT network, and PC B (where squid is installed) only has 1
> network interface, eth0. As you suggested, I checked iptables; however, I
> do not know how to redirect port 443 traffic to port 3130 as PC A and PC
> B are not NAT.
>
>
> On Wed, Feb 26, 2014 at 6:00 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 26/02/2014 8:06 p.m., Jerry OELoo wrote:
>>> Hi Amos:
>>> Thanks for your quick feedback.
>>> 1) I do not quite understand what you said about connecting to host
>>> 10.64.12.100; I just found it in B's (10.64.12.101) squid cache.log.
>>>
>>
>> It is the reason your ssl-bump is not working. The SSL connection is not
>> actually going to any relevant web server, but being connected back to
>> the client IP.
>>
>> The ORIGINAL_DST indicates that the IP address details for the server
>> were taken from the TCP packets on the client->server connection which
>> was intercepted into Squid.
>>
>> These connections show up as client IP being server if you have one of
>> these happening:
>>
>> * Linux TPROXY mechanism used to intercept, but "intercept" flag used on
>> the port.
>>
>> * client making explicitly configured (PAC file, environment variable or
>> browser config settings) connections directly to the proxy port.
>>
>>
>>> 2) I did not add any other settings in squid.conf about interception.
>>>
>>
>>
>> I mean do you have iptables settings using DNAT, REDIRECT or TPROXY
>> targets to point the port 443 traffic at the Squid https_port ?
>>
>>
>>
>>> 3) As you mentioned, https_port requires NAT interception, so in my
>>> scenario, A and B are in the same LAN, and I want A to use B as an HTTPS
>>> proxy, and I want to use SSL bump to monitor A's HTTPS content. So is
>>> there any way to achieve this?
>>
>> Yes. What you have should be enough for the Squid setup. However
>> interception is done in the networking layers...
>>
>> 1) you must first *route* the port 443 packets through the Squid box.
>>
>> 2) you must TPROXY/DNAT/REDIRECT *intercept* the packets into the Squid
>> listening port.
>>
>> 3) catch the packets in Squid and ssl-bump.
>>
>>
>> You have shown that you are doing (3). The problem is happening somewhere
>> at (1) or (2).
>>
>> Amos
>>
>
>
>
> --
> Rejoice,I Desire!

-- 
Rejoice,I Desire!
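The routing and interception steps Amos lists, as an added example that is not part of the thread: a script that generates (or, run as root with DRY_RUN=0, applies) the iptables rules for intercepting client A's port 80/443 traffic into Squid on B, keeping traffic addressed to B itself out of the intercept ports so that an explicitly configured proxy client does not show up with the proxy's own address as ORIGINAL_DST. It assumes B is A's default gateway, the LAN interface is eth0, a constructed client subnet 10.64.12.0/24, the intercept-mode ports 3128 and 3130 from the thread, and a browser with no explicit proxy setting.

```shell
#!/bin/sh
# Added example, not from the thread: netfilter rules for intercepting a
# LAN client's port 80/443 traffic into Squid on the same box (B).
# Assumptions: B is client A's default gateway, the LAN interface is eth0,
# the client subnet is a constructed 10.64.12.0/24, squid.conf has
# "http_port 3128 intercept" and "https_port 3130 intercept ssl-bump ...",
# and the browser has NO explicit proxy setting. DRY_RUN=1 (the default)
# only prints the commands; run as root with DRY_RUN=0 to apply them.

SQUID_IP="${SQUID_IP:-10.64.12.101}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.64.12.0/24}"
HTTP_PORT=3128
HTTPS_PORT=3130
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

squid_intercept_rules() {
  # Step 1 (Amos): the packets must be *routed* through the Squid box.
  run sysctl -w net.ipv4.ip_forward=1
  # Traffic addressed to the proxy host itself (e.g. a browser with an
  # explicit proxy setting) must not be re-intercepted: it would reach the
  # intercept port with the proxy's own address as ORIGINAL_DST.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$SQUID_IP" -j ACCEPT
  # Step 2: *intercept* forwarded LAN traffic into the intercept-mode ports.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-port "$HTTP_PORT"
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 443 -j REDIRECT --to-port "$HTTPS_PORT"
  # Allow the redirected connections in; step 3 (ssl-bump) is squid.conf.
  run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$HTTP_PORT" -j ACCEPT
  run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$HTTPS_PORT" -j ACCEPT
}

# Check a generated ruleset: the ACCEPT for traffic addressed to the proxy
# must precede the first REDIRECT, since nat PREROUTING is first-match.
check_order() {
  accept=$(printf '%s\n' "$1" | grep -n -- "-d $SQUID_IP -j ACCEPT" | head -n 1 | cut -d: -f1)
  redirect=$(printf '%s\n' "$1" | grep -n -- "-j REDIRECT" | head -n 1 | cut -d: -f1)
  [ -n "$accept" ] && [ -n "$redirect" ] && [ "$accept" -lt "$redirect" ]
}

squid_intercept_rules
```

Review the printed rules first; with DRY_RUN=0 the same functions execute them, and check_order can be run on the printed output before applying.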
Received on Thu Feb 27 2014 - 08:56:50 MST

This archive was generated by hypermail 2.2.0 : Thu Feb 27 2014 - 12:00:07 MST