RE: [squid-users] Squid3-Debian Lenny Transparent proxy not working with HTTPS

From: John Czerwinski <JohnCzerwinski_at_air-watch.com>
Date: Wed, 11 Nov 2009 11:11:54 -0500

Also, if I setup a browser to use the proxy server directly (non-transparent) it works just fine.

My iptables looks like:

iptables -A INPUT -i gre1 -j ACCEPT
iptables -t nat -A PREROUTING -i gre1 -d 0/0 -p tcp --dport 80 -j DNAT --to-destination 10.50.40.100:3128

GRE tunnel is:
auto gre1
iface gre1 inet static
        address 127.0.0.2
        netmask 255.255.255.255
        pre-up ip tunnel add gre1 mode gre remote 10.50.1.1 local 10.50.40.100 dev eth0
        post-down ip tunnel del gre1

On the cisco router

ip wccp web-cache
ip cef

interface Loopback0
 ip address 10.50.1.1 255.255.255.0


interface GigabitEthernet0/0.100
encapsulation dot1Q 10
 ip address 10.50.100.1 255.255.255.0
 ip wccp web-cache redirect out
 ip wccp web-cache redirect in




-----Original Message-----
From: John Czerwinski [mailto:JohnCzerwinski_at_air-watch.com]
Sent: Wednesday, November 11, 2009 10:03 AM
To: Amos Jeffries
Cc: squid-users_at_squid-cache.org
Subject: RE: [squid-users] Squid3-Debian Lenny Transparent proxy not working with HTTPS

Amos,
Thank you for the reply.

On your comment:

Open port 443 on the firewall to let HTTPS out.

Do you mean the iptables firewall on my Squid server? I already have 443 open on the perimeter firewall, and it does work if I turn-off wccp on the Cisco Router. My setup is:
<INTERNET>
|
<Cisco ASA>
|
<Cisco 2821>
|
<USER NETWORK>

Thanks,
John

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Tuesday, November 10, 2009 5:33 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Squid3-Debian Lenny Transparent proxy not working with HTTPS

On Tue, 10 Nov 2009 10:21:04 -0500, "John Czerwinski"
<JohnCzerwinski_at_air-watch.com> wrote:
> I have configured a Squid3 proxy server on Debian using WCCP to a Cisco
> 2821 router (via GRE tunnel). Regular HTTP traffic works just fine.
> Anytime I try to connect to HTTPS, it times out.

Open port 443 on the firewall to let HTTPS out.

HTTPS cannot be intercepted. It was created as a security protocol
explicitly to prevent interception attacks on network traffic (aka WCCP,
NAT interception, wire tapping, etc).

>
> I've compiled Squid with --enable-ssl.

This merely lets Squid use SSL operations when clients explicitly
configured to use the proxy request it to make https:// connections. It
also enables TLS in some auth helpers. It's of very little use in a purely
intercepting proxy.

>
> The squid configuration is as follows:
>
>
> ####################################################################
> # Squid3 Configuration
> #
> #
> #
> # Cisco Router at 10.50.40.1
> # GRE tunnel to Cisco Router at 10.50.1.1
> #
> # Local Squid3 server
> # name: wwifi-atl-squid1
> # IP: 10.50.40.100
> # WCCPv2 (Transparent mode)
> #
> ####################################################################
> visible_hostname wwifi-atl-squid1
> # cache_effective_user squid squid
> http_port 10.50.40.100:3128 transparent

Not a good idea. It's better security to have the port number being
something random that only you, Squid and the Squid box firewall know.

The private port may also be firewalled in the mangle table INPUT chain to
prevent people connecting directly to it from outside.


> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

Drop the above.

> acl apache rep_header Server ^Apache
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Add here:
 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320
>
>
>
>
>
> # Access Control List Definitions
> acl localnet src 10.50.10.0/24 10.50.20.0/24 10.50.30.0/24 10.50.40.0/24
> 10.50.100.0/24 10.50.201.0/24
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8

Add here:
  acl to_localhost dst 0.0.0.0/8

> acl SSL_ports port 443 563 # https, snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE

Unless you are actually using PURGE its best not to define it. Simply
doing the above turns on all the PURGE handling components and makes Squid
hold extra cache indexes etc, wasting a lot of memory.

> acl CONNECT method CONNECT
>
> # http allows/denies
> always_direct allow all
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow localnet
> http_reply_access allow all
> icp_access allow all
>

Amos
Received on Wed Nov 11 2009 - 16:11:58 MST
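The following script is an added example and is not from the thread or from the Squid project. It puts the Linux-side plumbing John posted (GRE tunnel plus iptables redirect) into one parameterised form and applies Amos's two suggestions: the interception port is a private one rather than 3128 (41903 below is an assumed placeholder), and that port is closed in the mangle INPUT chain to anything that did not arrive over the GRE tunnel. The mangle rule and the helper names are my own rendering of the advice; the addresses default to the ones quoted above. It also makes the point behind the HTTPS timeout visible: only TCP/80 arriving on gre1 is ever redirected, so port 443 never reaches Squid and has to be passed by the perimeter firewall and router on its own.

```shell
#!/bin/sh
# Added example (not from the thread): Linux-side setup for a WCCP/GRE
# interception cache with a private Squid port. With no argument the script
# only prints the commands (dry run); "apply" executes them (needs root).

CACHE_IP="${CACHE_IP:-10.50.40.100}"   # Squid box address, as quoted in the thread
ROUTER_IP="${ROUTER_IP:-10.50.1.1}"    # router loopback / WCCP source, as quoted in the thread
PRIVATE_PORT="${PRIVATE_PORT:-41903}"  # assumed placeholder; the thread used the well-known 3128
WAN_IF="${WAN_IF:-eth0}"               # interface the GRE tunnel is bound to

# GRE tunnel setup, equivalent to the interfaces(5) stanza in the thread.
gre_tunnel_cmds() {
    cat <<EOF
ip tunnel add gre1 mode gre remote $ROUTER_IP local $CACHE_IP dev $WAN_IF
ip addr add 127.0.0.2/32 dev gre1
ip link set gre1 up
EOF
}

# Firewall rules. Only TCP/80 arriving over gre1 is redirected to Squid;
# port 443 is never touched, so HTTPS must be allowed out by the router and
# perimeter firewall, not by the cache. The last rule (mangle INPUT runs after
# nat PREROUTING, so the DNATed port is already in place) drops anything aimed
# at the private port that did not come in through the tunnel.
firewall_cmds() {
    cat <<EOF
iptables -A INPUT -i gre1 -j ACCEPT
iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j DNAT --to-destination $CACHE_IP:$PRIVATE_PORT
iptables -t mangle -A INPUT ! -i gre1 -p tcp --dport $PRIVATE_PORT -j DROP
EOF
}

# The squid.conf line that has to match the DNAT target.
squid_port_line() {
    echo "http_port $CACHE_IP:$PRIVATE_PORT transparent"
}

# Number of DNAT rules that would redirect a given destination port
# (0 means traffic to that port is never intercepted, e.g. 443).
redirect_rules_for_port() {
    firewall_cmds | grep -c -- "--dport $1 -j DNAT" || true
}

main() {
    if [ "$1" = "apply" ]; then
        { gre_tunnel_cmds; firewall_cmds; } | sh -e
    else
        gre_tunnel_cmds
        firewall_cmds
        squid_port_line
    fi
}

main "$@"
```

Run it once without arguments to review the generated commands, then with `apply` on the cache box. Because the interception port is reachable only via gre1, a browser configured to use the proxy explicitly (which John reports works) would need a separate, non-transparent `http_port` line; keeping the two ports distinct is the point of Amos's advice.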
