Re: [squid-users] HTTP/HTTPS transparent proxy doesn't work

From: Mike <mcsnv96_at_afo.net>
Date: Wed, 13 Aug 2014 12:39:09 -0500

On 8/12/2014 11:33 PM, agent_js03 wrote:
> Hello,
>
> I am having trouble with my squid setup. Here is exactly what I am trying to
> do: I am setting up a VPN server and I want all VPN traffic to be
> transparently proxied by squid with ssl bumping enabled. Right now when I
> try to do this I get an access denied page from the client.
>
> Here are lines from my squid.conf:
>
> =================================================
> acl localnet src 192.168.1.0/24 # local network
> acl localnet src 192.168.3.0/24 # vpn network
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 192.168.1.145:3127 intercept
> http_port 192.168.1.145:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem
> always_direct allow all
> ssl_bump allow all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> =================================================
>
> Here are my iptables rules:
>
> =================================================
> sysctl -w net.ipv4.ip_forward=1
> iptables -F
> iptables -t nat -F
>
> # transparent proxy for vpn
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j DNAT --to-destination 192.168.1.145:3127
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 443 -j DNAT --to-destination 192.168.1.145:3128
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> iptables --table nat --append POSTROUTING --out-interface ppp+ -j MASQUERADE
> iptables -I INPUT -s 192.168.3.0/24 -i ppp+ -j ACCEPT
> iptables --append FORWARD --in-interface eth0 -j ACCEPT
>
> =================================================
>
>
> When I connect to VPN and try to browse the web I get the following error in
> /etc/squid3/cache.log on the vpn server:
>
> 2014/08/12 21:21:02 kid1| ERROR: No forward-proxy ports configured.
> 2014/08/12 21:21:02 kid1| WARNING: Forwarding loop detected for:
> GET /Artwork/SN.png HTTP/1.1
> Host: www.squid-cache.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
> Accept: image/png,image/*;q=0.8,*/*;q=0.5
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://www.google.com/
> Via: 1.1 localhost (squid/3.2.11)
> X-Forwarded-For: 127.0.0.1
> Cache-Control: max-age=259200
> Connection: keep-alive
>
>
> 2014/08/12 21:21:02 kid1| ERROR: No forward-proxy ports configured.
>
>
>
> I am wondering about this error "No forward-proxy ports configured." What do
> I need to change about my squid.conf that would allow me to do transparent
> proxying?
>
> Thanks in advance.
>
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/HTTP-HTTPS-transparent-proxy-doesn-t-work-tp4667193.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
>
I have found some systems do not like their IP mixed with the port
(generally Red Hat, CentOS or derivatives)...

From my squid setups:

http_port 3128
# above port is what will be used for all proxy settings on client browser
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 16MB
sslcrtd_children 50 startup=5 idle=1
ssl_bump server-first all
ssl_bump none localhost

This allows 3128 to see all GET requests from the clients, and then if
it is standard http, the http_port 3129 intercepts it, and if it is a
secure https request, then it is intercepted by 3130. Squid sees
incoming proxy connections anyway using the system IP already, so the
IP:port is redundant and can cause some issues.
This also means you would only need one iptables entry for 3128 and none
for 3129 or 3130, since squid would automatically intercept based on
insecure or secure site GET request. Other iptables rules may be needed
since these are VPN-based requests, which can vary depending on the type of
VPN setup.

*Internet Protocol Security (IPSec)* uses IP protocol 50 for
Encapsulated Security Protocol (ESP), IP protocol 51 for Authentication
Header (AH), and UDP port 500 for IKE Phase 1 negotiation and Phase 2
negotiations. UDP ports 500 and 4500 are used if NAT-T is used for IKE
Phase 1 negotiation and Phase 2 negotiations.

*Secure Sockets Layer (SSL)* uses TCP port 443 and works by using a
private key to encrypt data that is transferred over the SSL connection.
SSL also uses 465 Secure SMTP, 993 Secure IMAP, and 995 Secure POP.

*Layer Two Tunneling Protocol (L2TP)* uses TCP port 1701 and is an
extension of the Point-to-Point Tunneling Protocol. L2TP is often used
with IPSec to establish a Virtual Private Network (VPN).

*Point-to-Point Tunneling Protocol (PPTP)* uses TCP port 1723 and IP
port 47 Generic Routing Encapsulation (GRE). PPTP provides a low-cost,
private connection to a corporate network through the Internet. PPTP
works well for people who work from home or travel and need to access
their corporate networks. It is often used to access a Microsoft Remote
Access Server (RAS).

Mike
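A small linter for the port layout discussed in this thread, added here as an example; it is not code from the thread or from the Squid project. It parses the http_port/https_port directives of a squid.conf, reports a configuration with no plain forward-proxy port (the condition behind the "No forward-proxy ports configured." error quoted in the question), reports TLS interception placed on an http_port rather than an https_port, and warns about sslproxy_flags DONT_VERIFY_PEER and sslproxy_cert_error allow all, which make Squid accept any origin certificate while the bumped client still sees a certificate it trusts. The two embedded configurations are constructed from the layouts in the question and in the reply, with mail-wrapped options rejoined onto one line; the finding codes (NO_FORWARD_PORT and so on) and the function names are this example's own.

```python
"""Lint the listening-port layout of a squid.conf (Squid 3.x directives).

Added example: the directive names are real Squid directives, the sample
configurations below are constructed for the demonstration and the finding
codes are this script's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Port-mode flags that make a port unusable as the plain forward-proxy port.
NON_FORWARD_FLAGS = {"intercept", "tproxy", "accel", "transparent"}


@dataclass
class PortSpec:
    directive: str              # "http_port" or "https_port"
    address: str                # "3128" or "192.168.1.145:3128"
    flags: List[str]            # bare flags such as "intercept", "ssl-bump"
    options: Dict[str, str]     # key=value options such as cert=/path


def parse_ports(conf_text: str) -> List[PortSpec]:
    """Collect every http_port / https_port directive with its flags and options."""
    ports = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # squid.conf comments start with '#'
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("http_port", "https_port"):
            continue
        flags, options = [], {}
        for tok in parts[2:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                options[key] = value
            else:
                flags.append(tok)
        ports.append(PortSpec(parts[0], parts[1], flags, options))
    return ports


def lint(conf_text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the layout looks sane."""
    findings = []
    ports = parse_ports(conf_text)
    # A forward-proxy port is one without intercept/tproxy/accel style flags.
    if not any(NON_FORWARD_FLAGS.isdisjoint(p.flags) for p in ports):
        findings.append(("NO_FORWARD_PORT",
                         "every http_port/https_port is intercept/tproxy/accel; add a plain "
                         "forward port such as 'http_port 3128' or Squid logs "
                         "'ERROR: No forward-proxy ports configured.'"))
    for p in ports:
        if p.directive == "http_port" and "intercept" in p.flags and "ssl-bump" in p.flags:
            findings.append(("TLS_ON_HTTP_PORT",
                             f"{p.directive} {p.address}: redirected port-443 traffic is TLS, "
                             "so it must land on 'https_port ... intercept ssl-bump'"))
        if "ssl-bump" in p.flags and "cert" not in p.options:
            findings.append(("BUMP_WITHOUT_CERT",
                             f"{p.directive} {p.address}: ssl-bump needs cert= (the signing "
                             "CA) to mint per-site server certificates"))
    # Settings that remove verification of the origin server's certificate.
    if re.search(r"^\s*sslproxy_flags\s+.*\bDONT_VERIFY_PEER\b", conf_text, re.M):
        findings.append(("NO_PEER_VERIFY",
                         "sslproxy_flags DONT_VERIFY_PEER: Squid accepts any origin "
                         "certificate, so bumped clients lose TLS server authentication"))
    if re.search(r"^\s*sslproxy_cert_error\s+allow\s+all\b", conf_text, re.M):
        findings.append(("CERT_ERRORS_IGNORED",
                         "sslproxy_cert_error allow all: origin certificate errors are "
                         "accepted and never shown to the client"))
    return findings


def codes(conf_text: str) -> List[str]:
    """Just the finding codes, handy for tests and for grepping."""
    return [code for code, _ in lint(conf_text)]


# Constructed sample: the layout of the original question, with the
# mail-wrapped https options rejoined onto one line.
OP_CONF = """\
http_port 192.168.1.145:3127 intercept
http_port 192.168.1.145:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

# Constructed sample: the layout recommended in the reply, with a plain
# forward port plus separate http and https intercept ports.
REPLY_CONF = """\
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
ssl_bump server-first all
ssl_bump none localhost
"""

if __name__ == "__main__":
    for name, conf in (("question", OP_CONF), ("reply", REPLY_CONF)):
        print(f"== {name} ==")
        for code, msg in lint(conf) or [("OK", "no findings")]:
            print(f"{code}: {msg}")
```

Run stand-alone (for example saved as squid_port_lint.py, a name chosen here) it prints four findings for the question's layout and none for the reply's; to lint a real file, pass `open("/etc/squid/squid.conf").read()` to `lint()`. The parser deliberately only looks at port directives and the two sslproxy settings, so a clean result means the port layout is sane, not that the whole configuration is.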
Received on Wed Aug 13 2014 - 17:39:13 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 13 2014 - 12:00:05 MDT