On 5/10/2016 4:42 a.m., Shark wrote: > Sorry for my bad english, > > I want to make a anonymous https & http proxy that pass through any > requests without decrypting or change them, > only change ip address from client ip to my server ip address and define ip > address of my websites that i want to access them from my client in > /etc/hosts, > so i try to install squid on my server and i have good experience when i > set proxy in client with server ip and port 3128 and i can access http & > https behind this proxy,
By configuring your client with details about the proxy you have configured a forward (aka explicit) proxy. That is the best type to have when you can. Because it lets you use the full capabilities of proxying in HTTP. However, it also means that the clients do not use DNS nor /etc/hosts file. The proxy is what does DNS lookups about where to send the traffic the client(s) ask it to fetch. > but when i try to using /etc/hosts i cannot access to https websites. HTTPS is designed to prevent people playing around with the traffic. The 'S' means *secure(d)* - for a good reason. > i try > to install squid lot of time with any install instructions that i found > from googling. > I have server with CentOS 7 with one valid internet ip address. > > For more explain of what i want to do, i need my squid to work like this ip > 173.161.0.227 > When i add *173.161.0.227 www.iplocation.net <http://www.iplocation.net>* to > my client /etc/hosts > I can browse https://www.iplocation.net that tell me my client ip address > is 173.161.0.227 > I want do my proxy server same as 173.161.0.227 > From what you have said so far it is clear the domain names you plan to use this for are owned by somebody who is not you. > *My problem is now with below config is:* > > when i define *216.55.x.x www.iplocation.net <http://www.iplocation.net>* to > /etc/hosts in my client i cannot access to https://www.iplocation.net and > hang on connecting and then give me timeout error, > I`m appreciate for help me to resolve this problem. > I ask it before in > http://serverfault.com/questions/805413/squid-with-iptables-bypass-https > but i cannot resolve it When you are not the owner of that domain name; .. That means you do not own the secret encryption key that HTTPS associates with that domain name. That means you cannot setup your proxy to perform encryption/decryption of traffic when acting as a web server for it. The only options you have for HTTPS are: 1) to use the proxy as a proper forward/explicit proxy the normal way HTTP does that. Or 2) to forget the idea of setting your own IP as web server and use MITM interception of the clients normal port 443 traffic with SSL-Bump feature enabled in your Squid. > > *My Iptables config is:* > > iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130 > That is okay. It is the (2) option mentioned above. Be aware that it is incompatible with the idea of setting /etc/hosts IP address for the domain as a way to get it to the proxy. This iptables rules is the way to catch client traffic already on its way to the *real* domain server(s) and send it through the proxy instead. It is a bit nasty to work with, but still way better than MITM through /etc/hosts entries. > *My squid config is:* > <snip> > > http_port 3128 Okay. This port will accept traffic from the above option (1) setups. > http_port 80 No. > http_port 0.0.0.0:3129 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB > https_port 0.0.0.0:3130 ssl-bump intercept > cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on > dynamic_cert_mem_cache_size=4MB > Okay. These ports will accept traffic for the above option (2) setups. > sslproxy_cert_error allow all > sslproxy_flags DONT_VERIFY_PEER > Those are wrong for any installation. Even testing ones. You need to see the errors to even start to find solutions. Amos _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
