Re: [squid-users] transparent proxy bypass https traffic

2008-03-22 Thread Amos Jeffries

Razvan Grigore wrote:

> Hello,
> 
> I'm using squid 2.6.STABLE6 on CentOS. I successfully configured squid
> both as a transparent proxy and normal proxy that's working fine on
> http and https in normal mode, but on transparent mode https is a
> challenge.
> 
> http_port 3128
> http_port 3129 transparent
> 
> I'm redirecting with iptables like this:
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 10.0.0.0/8 --dport 80 -m mark --mark 0x0 -j REDIRECT --to-port 3129
> 
> I have 2 types of clients, that are accessing internet through squid
> or directly.
> 
> How can I bypass squid for https traffic ONLY for squid users?


What do you mean by this?
1) explicitly configured proxy clients should have no problems with HTTPS.
2) transparently redirecting encrypted traffic to squid 2.6 will fail since squid is expecting HTTP, not binary encryption.

> I tried like this:
> 
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 10.0.0.0/8 --dport 443 -m mark --mark 0x0 -j REDIRECT --to-port 3129
> 
> but it gives:
> 
> 2008/03/22 16:54:41| parseHttpRequest: Requestheader contains NULL characters
> 2008/03/22 16:54:41| parseHttpRequest: Unsupported method ''
> 2008/03/22 16:54:41| clientReadRequest: FD 19 (10.x.x.3:1104) Invalid Request
> 
> I think that I can make iptables rules for every ip in squid for
> allowing direct https, but I want to avoid this.


2.6 has no capability for transparent HTTPS. If you continue with that version of squid you will have to unblock the HTTP outbound traffic.
Configured clients will use the proxy even if it's open, others will get working HTTPS direct traffic.

> is squid 3 capable through ssl bump for allowing https traffic without
> breaking the certificate? or at least without notifying the user.


Yes, Squid 3-HEAD (3.1 alpha) can cope with this. You will need to build it yourself from sources, but give it a try.


http://www.squid-cache.org/Versions/v3/HEAD/


> Thank you!


Thank you.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
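As an added illustration (not code from this thread, from Squid, or from either poster): why the port-443 bytes redirected to an HTTP-only listener produce the cache.log lines quoted above, and a first-bytes check for telling a TLS handshake from an HTTP request when inspecting a capture. The parser below is a simplified stand-in for a plain-HTTP request-line parser, not Squid's own, and the sample payloads are constructed here.

```python
from typing import Tuple

# Added example, not Squid code. Shows the failure mode of feeding a TLS
# ClientHello to a parser that only understands HTTP, plus a sniff check.

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}
TLS_HANDSHAKE = 0x16  # TLS record content type "handshake" (first byte of a ClientHello)


def naive_http_request_line(data: bytes) -> Tuple[str, str]:
    """Stand-in HTTP request-line parser: returns (status, method).

    The two error strings mirror the cache.log lines in the thread: a TLS
    record is binary and contains NUL bytes, so an HTTP-only listener
    rejects it before it ever finds a method token."""
    head, _, _ = data.partition(b"\r\n")
    if b"\x00" in head:
        return ("Requestheader contains NULL characters", "")
    method = head.split(b" ", 1)[0]
    if method not in HTTP_METHODS:
        return ("Unsupported method", method.decode("latin-1"))
    return ("ok", method.decode("ascii"))


def classify_stream_start(data: bytes) -> str:
    """Classify the first bytes of a TCP payload as 'http', 'tls' or 'unknown'.

    A TLS record starts with content type 0x16 and a 0x03 0x0N version
    (SSL 3.0 through TLS 1.2 on the record layer); HTTP starts with a method."""
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x03:
        return "tls"
    method = data.split(b" ", 1)[0]
    if method in HTTP_METHODS:
        return "http"
    return "unknown"


# Constructed samples: a plain GET, and the start of a TLS 1.0 ClientHello
# (record header 16 03 01, length 0x2f, handshake type 01, length, version 03 01).
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_SAMPLE = bytes.fromhex("16030100 2f010000 2b030100 00000000") + b"\x00" * 16

if __name__ == "__main__":
    for name, sample in (("http", HTTP_SAMPLE), ("tls", TLS_SAMPLE)):
        print(name, classify_stream_start(sample), naive_http_request_line(sample))
```

Running it shows the HTTP sample parsing cleanly while the TLS sample trips the NUL-byte check, which is the behaviour behind the "Invalid Request" entries; the classifier is the kind of check a TLS-aware listener has to make before deciding how to handle the connection.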


[squid-users] transparent proxy bypass https traffic

2008-03-22 Thread Razvan Grigore

Hello,

I'm using squid 2.6.STABLE6 on CentOS. I successfully configured squid
both as a transparent proxy and normal proxy that's working fine on
http and https in normal mode, but on transparent mode https is a
challenge.

http_port 3128
http_port 3129 transparent

I'm redirecting with iptables like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 10.0.0.0/8 --dport 80 -m mark --mark 0x0 -j REDIRECT --to-port 3129

I have 2 types of clients, that are accessing internet through squid
or directly.

How can I bypass squid for https traffic ONLY for squid users?

I tried like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! 10.0.0.0/8 --dport 443 -m mark --mark 0x0 -j REDIRECT --to-port 3129

but it gives:

2008/03/22 16:54:41| parseHttpRequest: Requestheader contains NULL characters
2008/03/22 16:54:41| parseHttpRequest: Unsupported method ''
2008/03/22 16:54:41| clientReadRequest: FD 19 (10.x.x.3:1104) Invalid Request

I think that I can make iptables rules for every ip in squid for
allowing direct https, but I want to avoid this.

is squid 3 capable through ssl bump for allowing https traffic without
breaking the certificate? or at least without notifying the user.

Thank you!