I believe I have solved the forwarding loop issue by adding a preceding rule to -j ACCEPT all traffic originating from the docker network. Now I still have the SSL_ERROR_RX_RECORD_TOO_LONG issue, which seems to be unrelated. I will set logging to debug and do a wireshark session to see what might be going on.
On Feb 23, 2021, 8:14 PM, Justin Michael Schwartzbeck <justinms...@gmail.com> wrote:
> Hi all,
>
> For some years I have used squid 3.5 with SSL bump and transparent proxy
> locally on my laptop. I have been using the following in my squid.conf:
>
> ssl_bump server-first all
> http_port 3128
> http_port 3129 intercept
> http_port 3130 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/bluestar.crt key=/etc/squid/ssl/bluestar.pem
>
> So if I want to manually set the proxy on the client side, I use port 3128,
> but by default all http/https traffic is redirected to port 3129 and 3130,
> respectively. Here are my iptables rules:
>
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner dockeruser -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner root -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner dockeruser -j RETURN
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
>
> dockeruser is the user that starts the docker container, and proxy is the
> actual squid user. I didn't know which one I needed a rule for, so I just
> chose both.
>
> As I said before, this worked great when I was running squid 3.5 on bare
> metal. Now I am running squid 4 in a docker container. I am seeing the
> following error many times in the squid logs when I try to use the
> transparent proxy:
>
> 2021/02/24 01:45:17| WARNING: Forwarding loop detected for:
> GET /success.txt HTTP/1.1
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
> Accept: */*
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: identity,gzip,deflate
> Pragma: no-cache
> Via: 1.1 19deb96addda (squid/4.11)
> X-Forwarded-For: 172.18.0.1
> Cache-Control: no-cache
> Host: detectportal.firefox.com
>
> And from firefox I see this:
>
> WARNING: Forwarding loop detected for
>
> SSL_ERROR_RX_RECORD_TOO_LONG
>
> I feel like I am very close, but I'm not sure what I am missing. Does
> someone else know of a better way to do this? I had assumed that since I
> publish the ports, I should be able to redirect to them the same way I
> would if squid were running locally.
>
> I would appreciate any help in figuring this out.
>
> Thanks,
>
> -Justin
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
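The loop described in the thread comes down to rule order in the nat OUTPUT chain: the exemption for squid's own egress must come before the REDIRECT rules, otherwise squid's upstream connections are fed back into the intercept ports. The script below is an added example, not code from the thread: it emits the rule set in the order the reply arrives at and checks a captured `iptables -t nat -S OUTPUT` listing for that ordering. The docker subnet 172.18.0.0/16 is an assumption taken from the X-Forwarded-For address in the log, and placing the exemption in OUTPUT (rather than PREROUTING, which is what container traffic leaving via docker0 traverses) follows the reply as written.

```shell
#!/bin/sh
# Assumed docker network (inferred from "X-Forwarded-For: 172.18.0.1" in the thread).
DOCKER_NET="172.18.0.0/16"

# emit_rules: print the nat OUTPUT rules in a loop-safe order, with the
# docker-network exemption first and the REDIRECTs last.
emit_rules() {
    echo "iptables -t nat -A OUTPUT -s $DOCKER_NET -j ACCEPT"
    for pair in 80:3129 443:3130; do
        dport=${pair%:*}; to=${pair#*:}
        for user in root dockeruser; do
            echo "iptables -t nat -A OUTPUT -p tcp -m tcp --dport $dport -m owner --uid-owner $user -j RETURN"
        done
        echo "iptables -t nat -A OUTPUT -p tcp -m tcp --dport $dport -j REDIRECT --to-ports $to"
    done
}

# check_order RULES: given the text of `iptables -t nat -S OUTPUT`, return 0 if a
# docker-network ACCEPT/RETURN precedes the first REDIRECT to 3129/3130, else 1.
check_order() {
    rules="$1"
    exempt_line=$(printf '%s\n' "$rules" | grep -nE -- "-s $DOCKER_NET -j (ACCEPT|RETURN)" | head -n1 | cut -d: -f1)
    redirect_line=$(printf '%s\n' "$rules" | grep -nE -- "-j REDIRECT --to-ports 31(29|30)" | head -n1 | cut -d: -f1)
    [ -n "$exempt_line" ] || return 1       # no exemption at all: squid egress will loop
    [ -n "$redirect_line" ] || return 0     # no intercept REDIRECT: nothing can loop
    [ "$exempt_line" -lt "$redirect_line" ]
}

# Constructed sample of `iptables -t nat -S OUTPUT` after the fix (uids are made up).
SAMPLE_GOOD='-P OUTPUT ACCEPT
-A OUTPUT -s 172.18.0.0/16 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 0 -j RETURN
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 1001 -j RETURN
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner 0 -j RETURN
-A OUTPUT -p tcp -m tcp --dport 443 -m owner --uid-owner 1001 -j RETURN
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130'

# The same chain without the exemption, i.e. the configuration that looped.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_GOOD" | grep -v -- "-s $DOCKER_NET")

# Live use (root): check_order "$(iptables -t nat -S OUTPUT)" && echo "order ok"
```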