Re: [squid-users] https could not access with ssl bump in squid 3.4

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 27 Feb 2014 23:06:24 +1300

On 27/02/2014 10:22 p.m., Jerry OELoo wrote:
> Sorry for spam,
> It looks like I am wrong, after netstat, I find there is no
> program listening on port 80 and 443, I think this is the reason that
> no traffic is redirected by iptables from 80/443 to 3128/3130.
> after I change client chrome's proxy port from 80 to 3128, it can
> access internet.
>
> So back to my question. Client A and Server B in the same LAN, and B
> has squid ssl bump feature on, Now I want Client A to access HTTPS
> via B as proxy, and I want to use ssl bump to read/modify HTTPS
> packages from Client A.
> Below are my testing result,
>
> 1) Client A, Chrome browser HTTPS proxy setting both point to Server B
> IP with port 3128, It works, Client A can access HTTPS successfully.
> 2) Client A, Chrome browser HTTPS proxy directly point to Server B IP
> with port 3130, It does NOT work, Client A could not access HTTPS
> As Amos's suggestion, I should redirect packets from port 443 to squid
> port 3130 (iptables .....). It means Squid ssl bump could not support
> that client A directly connects to server B 3130 port with HTTPS
> request?

Correct. Keep the squid port receiving NAT'ed connections separate from
the Squid port receiving direct / explicit connections.
 This is easy, just give Squid another http_port line.

BTW: I recommend using 3128 as the port for normal/explicit proxy usage.

The NAT receiving port is only necessarily used by the Squid box kernel,
so it can be 100% private - right down to the point of firewalling it in
"iptables -t mangle -p tcp --dport XX -j REJECT" against external
packets arriving straight there.

> I should add another application that listen for HTTPS 443
> port on Server B, and add iptables to redirect 443 traffic to 3130
> port for squid ssl bump do further analysis? Is this the correct way?
> if is, I should use which HTTPS server?

see my other email. :-)

Amos
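As an added example (not from this thread or the Squid project), here is a squid.conf fragment that keeps the explicit port and the NAT'ed intercept ports separate, with the companion iptables rules that feed the intercept ports and keep them private. The 192.168.1.0/24 subnet, interface eth0, the CA certificate path, the ssl_crtd path and the extra port 3129 for intercepted port-80 traffic are all assumptions.

```conf
# --- squid.conf fragment (Squid 3.4) ---
# Explicit/forward proxy port: browsers point their proxy setting here.
# ssl-bump on this port bumps CONNECT tunnels. (cert path is an assumption)
http_port 3128 ssl-bump cert=/etc/squid/ssl/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Intercept ports: reached ONLY through the kernel's NAT REDIRECT below.
# A browser configured to use 3130 as a proxy fails here, because an
# "intercept" port expects raw NAT'ed TCP, not proxy-style requests.
http_port  3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# ssl_crtd location is distribution-specific (assumed path)
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
ssl_bump server-first all

acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# --- companion iptables rules on the Squid box (run as root) ---
# Assumes the Squid box is the LAN clients' gateway, so their packets
# traverse PREROUTING. Redirect 80/443 to the intercept ports:
#   iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp --dport 80  -j REDIRECT --to-ports 3129
#   iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 3130
#
# Keep the intercept ports private: drop anything addressed straight to them.
# This goes in mangle/PREROUTING because it runs BEFORE nat/PREROUTING and
# so only ever sees the original destination port. A "--dport 3130 -j REJECT"
# in filter/INPUT would also kill the redirected traffic, whose dport has
# already been rewritten to 3130 by the time it reaches INPUT.
#   iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 3129,3130 -j DROP
#
# Only the LAN may use the explicit port:
#   iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 3128 -j REJECT
```

Check the result with `squid -k parse` and `iptables -t nat -L PREROUTING -n -v` (the REDIRECT counters should climb when a LAN client opens an https:// URL, while a direct connection to port 3130 times out).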
Received on Thu Feb 27 2014 - 10:06:32 MST