On Mon, Oct 5, 2020 at 11:46 AM Witold Tosta <witold.to...@gmail.com> wrote:
>
> You cannot use TPROXY for a transparent proxy for HTTPS.

So this manual regarding TPROXY is only valid for HTTP, not HTTPS?
https://shorewall.org/Shorewall_Squid_Usage.html#TPROXY

I don't know the internals and limitations of TPROXY.

You seem to be setting your system up as in
https://shorewall.org/Shorewall_Squid_Usage.html#Firewall, right?
If so, that guide states that "HTTPS (normally TCP port 443) cannot be
proxied transparently" and only gives a config example with port 80.

In any case, I'm now using a combination of TPROXY for HTTP and
redirect interceptions for HTTPS as follows, and both types of traffic
seem to be proxied without errors.

squid:

http_port 3129 tproxy
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem

mangle:

DIVERT          $IF_WAN                         $PROXY_SOURCE_WAN       tcp     -       80
TPROXY(3129)    ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN  tcp     80
TPROXY(3129)    ${IF_LAN}.1:$PROXY_SOURCE_WAN   $PROXY_DESTINATION_WAN  tcp     80
TPROXY(3129)    ${IF_LAN}.12:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80
TPROXY(3129)    ${IF_LAN}.13:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80
TPROXY(3129)    ${IF_LAN}.14:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80
TPROXY(3129)    ${IF_LAN}.15:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80
TPROXY(3129)    ${IF_LAN}.16:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80
TPROXY(3129)    ${IF_LAN}.17:$PROXY_SOURCE_WAN  $PROXY_DESTINATION_WAN  tcp     80

rules:

REDIRECT       lan:$PROXY_SOURCE_WAN   3130    tcp     443,8886        -       !$PROXY_EXCLUSION_WAN
REDIRECT       lan1:$PROXY_SOURCE_WAN  3130    tcp     443,8886        -       !$PROXY_EXCLUSION_WAN
REDIRECT       lan12:$PROXY_SOURCE_WAN 3130    tcp     443,8886        -       !$PROXY_EXCLUSION_WAN
REDIRECT       lan13:$PROXY_SOURCE_WAN 3130    tcp     443,8886        -       !$PROXY_EXCLUSION_WAN
REDIRECT       lan14:$PROXY_SOURCE_WAN 3130    tcp     443,8886        -       !$PROXY_EXCLUSION_WAN
REDIRECT       lan15:$PROXY_SOURCE_WAN 3130    tcp     443,8886        -       !$PROXY_EXCLUSION_WAN
REDIRECT       lan16:$PROXY_SOURCE_WAN 3130    tcp     443,8886        -       !$PROXY_EXCLUSION_WAN
REDIRECT       lan17:$PROXY_SOURCE_WAN 3130    tcp     443,8886        -       !$PROXY_EXCLUSION_WAN
REDIRECT       lan18:$PROXY_SOURCE_WAN 3130    tcp     443,8886        -       !$PROXY_EXCLUSION_WAN

Thanks,

Vieri
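As an added example (not from Vieri's mail or from the Shorewall or Squid projects), a small Python checker that reads the squid port directives together with mangle and rules entries of the shape posted above (transcribed here as constructed sample input) and flags the mismatches a reviewer would look for: a TPROXY action pointing at a port squid does not run in tproxy mode, TPROXY applied to port 443, a REDIRECT whose target port is not an intercept listener, or a REDIRECT with no ORIGDEST exclusion. It assumes whitespace-separated Shorewall columns with no line continuations.

```python
import re

# Constructed sample input: the squid, mangle and rules excerpts from the mail,
# with the mail's wrapped lines joined (column order: ACTION SOURCE DEST PROTO DPORT SPORT [ORIGDEST]).
SQUID_CONF = """
http_port 3129 tproxy
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/ssl/squid/proxyserver.pem
"""
MANGLE = """
DIVERT          $IF_WAN                         $PROXY_SOURCE_WAN       tcp     -       80
TPROXY(3129)    ${IF_LAN}:$PROXY_SOURCE_WAN     $PROXY_DESTINATION_WAN  tcp     80
TPROXY(3129)    ${IF_LAN}.1:$PROXY_SOURCE_WAN   $PROXY_DESTINATION_WAN  tcp     80
"""
RULES = """
REDIRECT       lan:$PROXY_SOURCE_WAN   3130    tcp     443,8886        -       !$PROXY_EXCLUSION_WAN
REDIRECT       lan1:$PROXY_SOURCE_WAN  3130    tcp     443,8886        -       !$PROXY_EXCLUSION_WAN
"""


def squid_listeners(conf):
    """Map each squid listening port to its interception mode (tproxy / intercept)."""
    modes = {}
    for line in conf.splitlines():
        m = re.match(r"\s*https?_port\s+(\d+)\s+(tproxy|intercept)\b", line)
        if m:
            modes[int(m.group(1))] = m.group(2)
    return modes


def check(conf, mangle, rules):
    """Return a list of human-readable inconsistencies between squid and the Shorewall files."""
    modes = squid_listeners(conf)
    issues = []
    for line in mangle.splitlines():
        f = line.split()
        if not f or not f[0].startswith("TPROXY("):
            continue  # only TPROXY actions are checked; DIVERT carries no port
        port = int(f[0][len("TPROXY("):-1])
        if modes.get(port) != "tproxy":
            issues.append(f"mangle: TPROXY({port}) but squid port {port} is {modes.get(port, 'not listening')}")
        if len(f) > 4 and "443" in f[4].split(","):
            issues.append(f"mangle: TPROXY({port}) applied to 443; TPROXY cannot proxy HTTPS")
    for line in rules.splitlines():
        f = line.split()
        if not f or f[0] != "REDIRECT":
            continue
        port = int(f[2])  # DEST column of a REDIRECT rule is the local port
        if modes.get(port) != "intercept":
            issues.append(f"rules: REDIRECT to {port} but squid port {port} is {modes.get(port, 'not listening')}")
        if len(f) < 7 or not f[6].startswith("!"):
            issues.append(f"rules: REDIRECT from {f[1]} has no ORIGDEST exclusion")
    return issues
```

Running `check(SQUID_CONF, MANGLE, RULES)` on the transcribed config returns an empty list; a TPROXY line for port 443 or a REDIRECT without an exclusion is reported by name.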


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
