Re: [squid-users] squid 3.3.5 http and https transparent proxy

From: Nuno Fernandes <npf-mlists_at_eurotux.com>
Date: Fri, 07 Jun 2013 17:07:03 +0100

> On 8/06/2013 2:39 a.m., MyName IsLive wrote:
> > Look, I just need a server to set as the gateway on all my clients, with ALL their traffic passing through my server so I can log all the traffic, all HTTP and HTTPS traffic.
> >
> > I already pasted all my config; I did all the changes npf-mlists_at_eurotux.com said, but that is the log file!
> > I can visit HTTP sites, but as I said, http://yahoo.com is OK, I can visit it, but when I'm clicking on another link from inside the yahoo.com website I cannot visit it: "Internet Explorer cannot display the webpage", same with Chrome and Firefox!
> >
> > For HTTPS I tried with https://facebook.com; "not working" means this:
> >
> >>> 1370611784.763 2407 192.168.4.99 TCP_MISS/200 1376 GET http://www.facebook.com/ - HIER_DIRECT/31.13.86.8 text/html
> >>> 1370611784.790 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
> >>> 1370611801.238 0 192.168.4.99 NONE/400 3972 NONE error:invalid-request - HIER_NONE/- text/html
> > I compiled from source code and these are the parameters that I passed to configure:
> > ./configure --enable-ssl --enable-ssl-crtd --enable-linux-netfilter --enable-ltdl-convenienc
> >
> > If you need more information that I missed, please let me know :)
>
> His instructions were not quite correct. You require the intercept flag on
> *both* Squid receiving ports to de-NAT the TCP layer and parse the HTTP
> origin server message syntax which is used on port 80 and 443. You
> require the ssl-bump flag and the related ssl settings on the https_port to
> enable proper security handling of intercepted port 443 traffic. The
> ssl-bump settings usage on the http_port along with intercept is
> optional, but rarely useful, as CONNECT messages on port 80 are undefined.

Yes, Amos is correct. My mistake.

When I said:

>>>>> Change
>>>>>
>>>>> http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
>>>>>
>>>>> to
>>>>>
>>>>> http_port 3128 intercept
>>>>> https_port 3127 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
>>>>>

Should be:

Change
http_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem

to

http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem

Best regards,
Nuno Fernandes
Received on Fri Jun 07 2013 - 16:06:31 MDT
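The correction above amounts to a small set of rules about the http_port and https_port directives: intercept must be on both receiving ports, ssl-bump with a CA cert belongs on the https_port, and ssl-bump on an intercept http_port is pointless. The following lint script is an added example, not code from the mailing list or from the Squid project; it parses the port directives out of a squid.conf text with a simplified tokenizer (one directive per line, no line continuations, which is an assumption) and reports the misconfigurations discussed in the thread. The three embedded configs are constructed from the lines quoted in this message.

```python
"""Lint Squid http_port/https_port lines for the transparent-proxy mistakes
discussed in this thread (added example; not Squid's own tooling)."""
from dataclasses import dataclass, field


@dataclass
class PortDirective:
    kind: str                               # "http_port" or "https_port"
    port: str                               # listening address/port token
    flags: set = field(default_factory=set)     # bare flags: intercept, ssl-bump, ...
    options: dict = field(default_factory=dict)  # key=value options: cert=..., ...


def parse_port_directives(conf_text):
    """Return the http_port/https_port directives found in conf_text.
    Assumption: one directive per line, whitespace separated, '#' comments."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("http_port", "https_port") or len(parts) < 2:
            continue
        d = PortDirective(kind=parts[0], port=parts[1])
        for tok in parts[2:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                d.options[key] = value
            else:
                d.flags.add(tok)
        directives.append(d)
    return directives


def lint_port_directives(directives):
    """Return (severity, location, message) tuples for the rules from the thread."""
    findings = []
    http_intercept = [d for d in directives
                      if d.kind == "http_port" and "intercept" in d.flags]
    https_ports = [d for d in directives if d.kind == "https_port"]

    for d in directives:
        where = f"{d.kind} {d.port}"
        if d.kind == "http_port" and {"intercept", "ssl-bump"} <= d.flags:
            # Amos: optional but rarely useful; CONNECT on port 80 is undefined.
            findings.append(("warning", where,
                             "ssl-bump on an intercept http_port is rarely useful; "
                             "CONNECT messages on port 80 are undefined"))
        if d.kind == "https_port":
            if "ssl-bump" in d.flags and "intercept" not in d.flags:
                # Nuno's first suggestion: NAT'd 443 traffic is never de-NATed.
                findings.append(("error", where,
                                 "ssl-bump without intercept: redirected port 443 "
                                 "traffic will not be de-NATed"))
            if "intercept" in d.flags and "ssl-bump" not in d.flags:
                findings.append(("error", where,
                                 "intercept without ssl-bump: intercepted port 443 "
                                 "traffic needs ssl-bump and its ssl settings"))
            if "ssl-bump" in d.flags and "cert" not in d.options:
                findings.append(("error", where,
                                 "ssl-bump needs a CA certificate (cert=...) to "
                                 "generate host certificates"))

    if http_intercept and not https_ports:
        findings.append(("warning", "global",
                         "port 80 is intercepted but no https_port is defined; "
                         "port 443 traffic cannot be handled"))
    return findings


def lint_squid_conf(conf_text):
    return lint_port_directives(parse_port_directives(conf_text))


# Constructed samples, taken from the configs quoted in this message.
CA = "cert=/usr/local/squid/ssl_cert/myCA.pem"
ORIGINAL_CONF = (
    "http_port 3128 intercept ssl-bump generate-host-certificates=on "
    f"dynamic_cert_mem_cache_size=4MB {CA}\n")
FIRST_SUGGESTION = (
    "http_port 3128 intercept\n"
    "https_port 3127 ssl-bump generate-host-certificates=on "
    f"dynamic_cert_mem_cache_size=4MB {CA}\n")
CORRECTED_CONF = (
    "http_port 3128 intercept\n"
    "https_port 3127 intercept ssl-bump generate-host-certificates=on "
    f"dynamic_cert_mem_cache_size=4MB {CA}\n")

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF),
                       ("first suggestion", FIRST_SUGGESTION),
                       ("corrected", CORRECTED_CONF)):
        print(f"== {name} ==")
        for severity, where, msg in lint_squid_conf(conf) or [("ok", "-", "no findings")]:
            print(f"  [{severity}] {where}: {msg}")
```

Running it shows the original config producing two warnings (ssl-bump on the intercept http_port, and no https_port at all), the first suggestion producing one error (https_port without intercept), and the corrected pair of lines producing no findings. The checks are deliberately limited to what Amos states; they do not validate the certificate file or the NAT rules that must redirect ports 80 and 443 to 3128 and 3127.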
