Hey,

The dnat rule should be done on the squid itself. You will need to re-route the relevant traffic over the ipsec tunnel to the squid ip. It's possible to do that over ipip or gre tunnels.
Eliezer

On Tuesday, 30 July 2024, 15:41, Bolinhas André <andre.bolin...@articatech.com> wrote:

> I have an external proxy server connected by VPN (IPSEC) to my main branch,
> and I'm trying to redirect all users HTTP / HTTPS traffic to this proxy.
> Scenario Users -> Gateway (Main Branch) -> IPSEC -> Squid Proxy
> (transparent mode)
>
> In my Gateway (Main Branch) I have this test iptables rule, that is
> forwarding all the TCP / UDP traffic to the Proxy server.
>
> iptables -t nat -I PREROUTING -s 192.168.60.90 -p tcp -j DNAT --to-destination 172.31.0.1
> iptables -t nat -I PREROUTING -s 192.168.60.90 -p udp -j DNAT --to-destination 172.31.0.1
>
> In Squid Proxy server I have the following rules
>
> iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 443 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8081
> iptables -t nat -I PREROUTING -s 192.168.60.90/32 -p tcp -m tcp --dport 80 -m comment --comment ArticaSquidTransparent -j REDIRECT --to-ports 8080
>
> Everything is working correctly, HTTP traffic is ok, DNS are also working,
> the only exception is the HTTPS traffic, I can see the HTTPS traffic inside
> the squid access.log but on client side I got a timeout
>
> 1722265740.867 1 192.168.60.90 TCP_TUNNEL/200 0 CONNECT cnn.com:443 - HIER_DIRECT/51.210.183.2:443 - mac="00:00:00:00:00:00" webfilterpolicy:%200%0D%0A exterr="-|-"
>
> Anyone can help me to understand if I'm missing some iptables rule to handle
> the HTTPS traffic?
>
> Sent from Nine <http://www.9folders.com/>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
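One way to lay out the setup suggested in the reply, added here as an illustration and not part of the thread: the gateway stops rewriting the destination and policy-routes the client's web traffic through a GRE tunnel, while the REDIRECT rules stay on the Squid host. The gateway address `GW_IP`, the tunnel name `gre1`, the 10.255.0.0/30 link addresses, mark 0x1 and table 100 are assumptions; the GRE endpoints must be reachable through the existing IPsec tunnel.

```shell
#!/bin/sh
# Added illustration, not from the thread. Run with "gateway" or "squid" as
# the first argument; set DRY_RUN=1 to print the commands instead of running them.
CLIENT=192.168.60.90            # client address from the thread
SQUID=172.31.0.1                # Squid address from the thread
GW_IP=${GW_IP:-172.31.0.254}    # ASSUMED: gateway address reachable over IPsec

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

gateway_setup() {
    # Remove the DNAT test rules: DNAT replaces the original destination
    # address before the packet ever reaches the Squid host.
    for p in tcp udp; do
        run iptables -t nat -D PREROUTING -s "$CLIENT" -p "$p" -j DNAT --to-destination "$SQUID"
    done
    # GRE tunnel to the Squid host, carried inside the IPsec tunnel.
    run ip tunnel add gre1 mode gre local "$GW_IP" remote "$SQUID" ttl 64
    run ip addr add 10.255.0.1/30 dev gre1
    run ip link set gre1 up
    # Mark only the client's web traffic and route it into the tunnel,
    # leaving the destination address untouched.
    run iptables -t mangle -A PREROUTING -s "$CLIENT" -p tcp -m multiport --dports 80,443 -j MARK --set-mark 0x1
    run ip rule add fwmark 0x1 table 100
    run ip route add default via 10.255.0.2 dev gre1 table 100
}

squid_setup() {
    run ip tunnel add gre1 mode gre local "$SQUID" remote "$GW_IP" ttl 64
    run ip addr add 10.255.0.2/30 dev gre1
    run ip link set gre1 up
    # Replies to the client return through the same tunnel.
    run ip route add "$CLIENT/32" via 10.255.0.1 dev gre1
    # Interception rules as in the thread (comment match omitted), kept local to Squid.
    run iptables -t nat -I PREROUTING -s "$CLIENT/32" -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8081
    run iptables -t nat -I PREROUTING -s "$CLIENT/32" -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
}

case "${1:-}" in
    gateway) gateway_setup ;;
    squid)   squid_setup ;;
esac
```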