Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
I have an Ubuntu server (8.10) and a Squid (2.7) installed in it. A pc, as a client, is connected to that server. The browser in the client is set to use proxy in the server for all port (checked "use this proxy for all protocol"). I found that the client can browse a lot internet pages perfectly, including the https page, such as gmail and yahoomail.
Then I try to make the squid as a transparent proxy. I put an ip rule at the server as follow:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j REDIRECT -–to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -j DNAT --to-destination 192.168.0.1:3128
Then I cleared the proxy from the browser in the client to test the transparent. It works, but for http site only. It does not work for https page, such as gmail and yahoomail.
In this situation, I believe that the squid server is already working well, but there must be something with the iptables-things. I want to fix it so the client can access the https page as well in transparent mode. Is there anyone can help me?
Well you're not directing port 443 are you? http = 80, https = 443. That said, you can't transparently proxy 443, and if you could it'd be of no use to you at all, as you could do nothing more with it that iptables would afford you, i.e. IP address filtering. This is because the proxy will only see a request for an SSL connection with the end server, not a request for a web page. When HTTPS is explicitly proxied, it will send an HTTP CONNECT request to the proxy asking to be connected to the end server, which is very different to the way the connection looks without a proxy, whereby it's a purely generic SSL connection that needs to be fully established before it starts talking HTTP inside the SSL tunnel.
Transparent proxying sucks. It *seems* like a good idea, and at some point everyone, including me, thinks it's awesome due to the lack of client configuration and such, but it's not, it's really not. Use squid as a real, non-transparent, proxy and you'll soon be glad you did. Things like proxy.pac or wpad.dat auto configuration files (or AD group policy if applicable) help the client side administration massively.
I have tried to redirect 443 port, but it does not work either. I redirected 443 port to 3128, and client browser displayed an error (ssl_error_rx_record_to_long).
You are right, I think I need to find another way. What about passing the 443 port directly to the end server. would it be working?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
