Re: [squid-users] Re: HTTP/HTTPS transparent proxy doesn't work

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Sun, 17 Aug 2014 00:35:03 +0300

Hey,

What is the full ICAP server request and response?
You need to use a 302 redirect for what you want to work.

Eliezer

On 08/15/2014 02:32 PM, agent_js03 wrote:
> I upgraded to squid 3.3.8 with the same config and iptables and everything
> now works. I guess intercept just doesn't work with squid 3.2. However now I
> am having a different issue. I am running a content filter that interfaces
> with squid through ICAP. I have a blockpage running on the same box at
> 192.168.1.145:8089 (192.168.1.145 is the IP of the proxy server). If I try
> to access blocked content from my client, then the ICAP will do a reqmod and
> change the url to:
> http://192.168.1.145:8089/blockpage.php?arg1=val1&arg2=val2
> etc. This worked flawlessly when I had my browser configured to point
> directly to the proxy server. But now that I am using transparent proxying I have
> different behavior: if I access blocked content, on the client side I get a
> "connection reset by peer" error (104) and on the server in the access.log I
> get a TCP_MISS/502 line. I am wondering why this would be any different with
> transparent proxying. Based on my configuration, do you think this is a
> problem with my access control in squid.conf or is it a problem with
> iptables? Here is my configuration again:
>
> *squid.conf*
> acl localnet src 192.168.1.0/24 # local network
> acl localnet src 192.168.3.0/24 # vpn network
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 3128
> http_port 3129 intercept
> http_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ssl/private.pem cert=/etc/squid3/ssl/public.pem
> always_direct allow all
> ssl_bump server-first all
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> *iptables*
> sysctl -w net.ipv4.ip_forward=1
> iptables -F
> iptables -t nat -F
>
> # transparent proxy for vpn
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT --to-ports 3128
> iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 443 -j REDIRECT --to-ports 3128
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> iptables --table nat --append POSTROUTING --out-interface ppp+ -j MASQUERADE
> iptables -I INPUT -s 192.168.3.0/24 -i ppp+ -j ACCEPT
> iptables --append FORWARD --in-interface eth0 -j ACCEPT
>
>
> Thanks for all the help.
>
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/HTTP-HTTPS-transparent-proxy-doesn-t-work-tp4667193p4667229.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
>
Received on Sat Aug 16 2014 - 21:35:13 MDT
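The thread contrasts two ways an ICAP REQMOD server can send a client to the block page: rewriting the request URL (what the original poster's filter does) and answering with an HTTP 302 redirect (what Eliezer recommends). The script below is an added example written for this archive page, not code from the thread, from Squid, or from the poster's content filter. It builds both ICAP replies for the same intercepted request so the two exchanges can be compared byte for byte. The block page URL and the 192.168.1.145:8089 address are taken from the post; the host list `blocked.example`, the ICAP listener address, the ISTag value and the sample REQMOD request are constructed for the example. It also assumes Squid's usual `Encapsulated: req-hdr=0, ...` layout for REQMOD requests.

```python
# Added example (not from the thread): minimal ICAP REQMOD responder that
# shows "rewrite the request" versus "return a 302" for a blocked URL.
from urllib.parse import urlencode, urlsplit

# Block page address from the thread; BLOCKED_HOSTS is a constructed sample policy.
BLOCKPAGE = "http://192.168.1.145:8089/blockpage.php"
BLOCKED_HOSTS = {"blocked.example"}
ISTAG = b'ISTag: "blockpage-example-1"\r\n'  # constructed value


def _headers(lines):
    """Turn b'Name: value' lines into a lower-cased str dict."""
    out = {}
    for line in lines:
        name, _, value = line.partition(b":")
        if name:
            out[name.strip().lower().decode()] = value.strip().decode()
    return out


def parse_reqmod(raw):
    """Split an ICAP REQMOD request into (icap headers, request-line parts, HTTP headers).

    Assumes the encapsulated HTTP request headers start at offset 0
    (Encapsulated: req-hdr=0, ...), which is what Squid sends.
    """
    icap_part, _, encapsulated = raw.partition(b"\r\n\r\n")
    icap_headers = _headers(icap_part.split(b"\r\n")[1:])
    http_lines = encapsulated.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    method, url, version = http_lines[0].decode().split(" ", 2)
    return icap_headers, (method, url, version), _headers(http_lines[1:])


def is_blocked(url, http_headers):
    host = http_headers.get("host", "").split(":")[0] or urlsplit(url).hostname
    return host in BLOCKED_HOSTS


def icap_200(encapsulated, payload):
    return (b"ICAP/1.0 200 OK\r\n" + ISTAG
            + b"Encapsulated: " + encapsulated + b"\r\n\r\n" + payload)


def rewrite_request(method, url, version):
    """Variant 1 (what the post describes): hand Squid a *modified request*
    whose URL points at the block page, so Squid fetches the block page itself."""
    new_url = BLOCKPAGE + "?" + urlencode({"url": url})
    req = (f"{method} {new_url} {version}\r\n"
           f"Host: {urlsplit(BLOCKPAGE).netloc}\r\n\r\n").encode()
    return icap_200(b"req-hdr=0, null-body=%d" % len(req), req)


def redirect_client(url):
    """Variant 2 (Eliezer's advice): put an HTTP 302 *response* in the REQMOD
    reply, so the browser itself makes a new request to the block page."""
    location = BLOCKPAGE + "?" + urlencode({"url": url})
    body = b"Blocked by policy\r\n"
    res_hdr = (f"HTTP/1.1 302 Found\r\n"
               f"Location: {location}\r\n"
               f"Content-Type: text/plain\r\n"
               f"Cache-Control: no-store\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)  # ICAP bodies are chunked
    return icap_200(b"res-hdr=0, res-body=%d" % len(res_hdr), res_hdr + chunked)


def handle_reqmod(raw, mode="redirect"):
    """Return the full ICAP reply for one REQMOD request (mode: 'redirect' or 'rewrite')."""
    icap_headers, (method, url, version), http_headers = parse_reqmod(raw)
    if not is_blocked(url, http_headers):
        if "204" in icap_headers.get("allow", ""):
            return b"ICAP/1.0 204 No Content\r\n" + ISTAG + b"\r\n"
        # Client did not offer Allow: 204, so echo the request back unchanged.
        body = raw.partition(b"\r\n\r\n")[2]
        return icap_200(icap_headers["encapsulated"].encode(), body)
    if mode == "rewrite":
        return rewrite_request(method, url, version)
    return redirect_client(url)


# Constructed sample of what Squid sends for a blocked and an allowed request.
SAMPLE_BLOCKED = (
    b"REQMOD icap://192.168.1.145:1344/reqmod ICAP/1.0\r\n"
    b"Host: 192.168.1.145:1344\r\n"
    b"Allow: 204\r\n"
    b"Encapsulated: req-hdr=0, null-body=90\r\n\r\n"
    b"GET http://blocked.example/page.html HTTP/1.1\r\n"
    b"Host: blocked.example\r\n"
    b"User-Agent: test\r\n\r\n"
)
SAMPLE_ALLOWED = SAMPLE_BLOCKED.replace(b"blocked.example", b"allowed.example")

if __name__ == "__main__":
    print(handle_reqmod(SAMPLE_BLOCKED, "rewrite").decode())
    print(handle_reqmod(SAMPLE_BLOCKED).decode())
```

The difference matters in intercept mode: with the rewrite variant the client's TCP connection was to the blocked origin, yet Squid is now asked to fetch from 192.168.1.145:8089, and Squid 3.2 and later checks the Host/URL of intercepted requests against the original destination, which is the usual reason such rewrites end in an error rather than a block page. With the 302 variant Squid returns the response to the client and the browser opens its own connection to the block page, which is why the same filter behaves the same way whether or not the proxy is transparent. Two further checks against the posted configuration: iptables REDIRECT takes only a port number or range in `--to-ports`, and intercepted traffic has to land on a port marked `intercept` (3129 for port 80, 3130 for the ssl-bump port 443 in that squid.conf), not on the plain forward-proxy port 3128.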

This archive was generated by hypermail 2.2.0 : Tue Aug 19 2014 - 12:00:05 MDT