[squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy
Foreword

I'm by no means an expert, so please bear with me... I have seen many questions about this, but they are all for Squid 3 and none of the configurations work for Squid 4. I have also tried using (with adjustments for Squid 4) answers from questions on here and serverfault, etc., but without success.

What I'm trying to do

I'm trying to create a transparent (requires no client configuration) Squid proxy for HTTP and HTTPS. In short, I want to whitelist specific domains on both HTTP and HTTPS.

Details

- Building / Running in AWS
- Ubuntu 18.04
- Instance has Source/Destination check disabled
- Private subnets route table points 0.0.0.0/0 to EC2 Instance
- Squid 4.6 compiled with SSL support options:

Current Configuration

iptables

Results

Using the proxy via a host in the private subnet for HTTP:

Using the proxy via a host in the private subnet for HTTPS:

Happy to share more information / configuration if I've missed something important. If anyone can help shed some light on what I'm doing wrong (or share a working configuration to put me out of my misery!), it would be much appreciated. Thanks!

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy
Thanks for the reply and apologies my post didn't include the HTML fragments:

Configuration:

./configure \
  --enable-ssl \
  --enable-ssl-crtd \
  --with-openssl \
  --disable-arch-native \
  --prefix=/usr \
  --localstatedir=/var \
  --sysconfdir=/etc/squid \
  --libexecdir=/usr/lib/squid \
  --datadir=/usr/share/squid \
  --with-default-user=proxy \
  --with-logdir=/var/log/squid \
  --with-pidfile=/var/run/squid.pid

Squid configuration:

visible_hostname squid
http_port 3128
acl whitelist dstdomain .example.com
http_access allow whitelist
https_port 3129 cert=/etc/squid/squid.pem options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl CONNECT method CONNECT
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 whitelist
ssl_bump splice step3 whitelist
ssl_bump terminate step2 all
http_access deny all
coredump_dir /var/cache/squid/

iptables:

iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3129

Access log:

1551954200.914     54 10.0.1.166 NONE_ABORTED/200 0 CONNECT 93.184.216.34:443 - HIER_NONE/- -
1551954214.370      0 10.0.1.166 NONE/400 3810 GET / - HIER_NONE/- text/html
1551954217.223      0 10.0.1.166 NONE/400 3810 GET / - HIER_NONE/- text/html
1551954256.558      0 10.0.1.166 NONE/400 3810 GET / - HIER_NONE/- text/html
1551954261.638      0 10.0.1.166 NONE/400 3810 GET / - HIER_NONE/- text/html
1551954273.516    215 10.0.1.166 NONE_ABORTED/200 0 CONNECT 93.184.216.34:443 - HIER_NONE/- -
1551954391.304      1 185.59.221.44 NONE_ABORTED/200 0 CONNECT 10.0.0.151:443 - HIER_NONE/- -
1551954395.346      0 185.59.221.44 NONE_ABORTED/200 0 CONNECT 10.0.0.151:443 - HIER_NONE/- -
1551954398.938      0 185.59.221.44 NONE_ABORTED/200 0 CONNECT 10.0.0.151:443 - HIER_NONE/- -

Thanks again,
David
Re: [squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy
Thanks for your analysis, Amos. As you can tell, I'm still figuring this stuff out. HTTPS is working now but HTTP is not; not sure what I'm doing wrong. I tried my best to understand your comments and now have the following config:

squid.conf

visible_hostname squid
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
acl whitelist dstdomain .example.com
http_access allow whitelist
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
https_port 3129 intercept ssl-bump cert=/etc/squid/squid.pem
ssl_bump peek all
acl tls_whitelist ssl::server_name .example.com
ssl_bump splice tls_whitelist
ssl_bump terminate all
coredump_dir /var/cache/squid

Thanks, and let me know if I have misunderstood your amendments.

Thanks again,
David
Re: [squid-users] Squid 4.6 Transparent HTTP & HTTPS Proxy
> if you intercept/redirect http to port 3128, it must be configured as "intercept" too.

Spot on, cheers!
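The thread ends with the one-line fix (the redirected HTTP port needs "intercept" too) but never shows a complete configuration that applies the whitelist to both protocols. The script below is an added example, not the poster's or Amos's config, that renders a squid.conf and the matching iptables rules from the thread's findings: both redirected ports are intercept ports, TLS is peeked for the SNI and then spliced or terminated without being decrypted, and plain HTTP is limited to the whitelisted domain. Two things differ from the thread's last config on purpose. First, that config has "http_access allow localnet" after the whitelist rule, which lets every plain-HTTP request from the private subnets through, so the whitelist only bit on HTTPS; here the intercepted fake CONNECT is let past http_access (so ssl_bump can see the SNI) but ordinary requests from localnet must match the whitelist. Second, the access log in the second post shows a non-VPC address (185.59.221.44) reaching the intercept port, because the PREROUTING rules redirect port 80/443 from any source; the rules here are restricted to the private client range. The private range 10.0.0.0/8, the domain .example.com, the certificate path and the loopback forward-proxy port 3130 are assumptions taken from or added to the thread. One caveat: Squid checks that the Host header of an intercepted request resolves to the IP the client actually connected to, so the proxy instance must share the clients' DNS view (in a VPC the default resolver does this).

```shell
#!/bin/sh
# Transparent whitelist proxy for Squid 4: renders squid.conf and the
# iptables REDIRECT rules. Added example, not the thread's own config.
# Assumed values (change for your VPC): private client range, allowed
# domain suffix, certificate path and the three listening ports.
PRIVATE_NET="${PRIVATE_NET:-10.0.0.0/8}"
ALLOWED_DOMAIN="${ALLOWED_DOMAIN:-.example.com}"
CERT="${CERT:-/etc/squid/squid.pem}"
HTTP_PORT=3128    # receives redirected port-80 traffic
HTTPS_PORT=3129   # receives redirected port-443 traffic
FWD_PORT=3130     # plain forward-proxy port, loopback only (squid -k, manager)

render_squid_conf() {
cat <<EOF
visible_hostname squid

acl localnet src $PRIVATE_NET
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl whitelist dstdomain $ALLOWED_DOMAIN
acl tls_whitelist ssl::server_name $ALLOWED_DOMAIN
acl step1 at_step SslBump1

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Intercepted TLS shows up as a fake CONNECT to an IP:443. Let it past
# http_access so the ssl_bump rules below can read the SNI and decide.
http_access allow localnet CONNECT SSL_ports
# Plain HTTP from the private subnets: whitelist only. There is
# deliberately no "http_access allow localnet" after this line.
http_access allow localnet whitelist
http_access allow localhost
http_access deny all

# Both redirected ports must be "intercept": a plain http_port expects
# proxy-style requests and answers intercepted ones with 400.
http_port $HTTP_PORT intercept
https_port $HTTPS_PORT intercept ssl-bump cert=$CERT
http_port 127.0.0.1:$FWD_PORT

# Peek at the ClientHello for the SNI, splice allowed names, terminate
# everything else. Nothing is decrypted, so clients need no CA install.
ssl_bump peek step1
ssl_bump splice tls_whitelist
ssl_bump terminate all

coredump_dir /var/cache/squid
EOF
}

# Only the private client range is redirected, so a connection from the
# internet to the instance's own port 443 is not handed to the intercept port.
render_iptables_rules() {
cat <<EOF
iptables -t nat -A PREROUTING -s $PRIVATE_NET -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_PORT
iptables -t nat -A PREROUTING -s $PRIVATE_NET -p tcp --dport 443 -j REDIRECT --to-ports $HTTPS_PORT
EOF
}

# Run as root on the proxy instance with Squid already running: write the
# config, let Squid parse it before reloading, then install the NAT rules
# and enable forwarding for the private subnets' default route.
install_proxy() {
    render_squid_conf > /etc/squid/squid.conf
    squid -k parse || return 1
    squid -k reconfigure
    render_iptables_rules | sh
    sysctl -w net.ipv4.ip_forward=1
}

# Nothing is installed unless asked: INSTALL=1 sh transparent-squid.sh
if [ "${INSTALL:-0}" = "1" ]; then
    install_proxy
fi
```

Run the script without INSTALL=1 to review the rendered output first (for example `sh transparent-squid.sh; . ./transparent-squid.sh; render_squid_conf`). After a reload, a plain-HTTP request to a non-whitelisted host from the private subnet should be answered with a Squid 403 page, and a TLS connection to one should be closed after the ClientHello rather than completing a handshake.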