LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 06-30-2009, 04:04 AM   #1
pnguwe
LQ Newbie
 
Registered: Jun 2009
Posts: 2

Rep: Reputation: 0
transparent proxy squid: problem with the HTTPS


Dear Linuxer,

I have an Ubuntu server (8.10) and a Squid (2.7) installed in it. A pc, as a client, is connected to that server. The browser in the client is set to use proxy in the server for all port (checked "use this proxy for all protocol"). I found that the client can browse a lot internet pages perfectly, including the https page, such as gmail and yahoomail.

Then I try to make the squid as a transparent proxy. I put an ip rule at the server as follow:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j REDIRECT -–to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -j DNAT --to-destination 192.168.0.1:3128

Then I cleared the proxy from the browser in the client to test the transparent. It works, but for http site only. It does not work for https page, such as gmail and yahoomail.

In this situation, I believe that the squid server is already working well, but there must be something with the iptables-things. I want to fix it so the client can access the https page as well in transparent mode. Is there anyone can help me?

thanks in advance.
 
Old 06-30-2009, 04:43 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
Well you're not directing port 443 are you? http = 80, https = 443. That said, you can't transparently proxy 443, and if you could it'd be of no use to you at all, as you could do nothing more with it that iptables would afford you, i.e. IP address filtering. This is because the proxy will only see a request for an SSL connection with the end server, not a request for a web page. When HTTPS is explicitly proxied, it will send an HTTP CONNECT request to the proxy asking to be connected to the end server, which is very different to the way the connection looks without a proxy, whereby it's a purely generic SSL connection that needs to be fully established before it starts talking HTTP inside the SSL tunnel.

Transparent proxying sucks. It *seems* like a good idea, and at some point everyone, including me, thinks it's awesome due to the lack of client configuration and such, but it's not, it's really not. Use squid as a real, non-transparent, proxy and you'll soon be glad you did. Things like proxy.pac or wpad.dat auto configuration files (or AD group policy if applicable) help the client side administration massively.
 
Old 06-30-2009, 05:15 AM   #3
pnguwe
LQ Newbie
 
Registered: Jun 2009
Posts: 2

Original Poster
Rep: Reputation: 0
I have tried to redirect 443 port, but it does not work either. I redirected 443 port to 3128, and client browser displayed an error (ssl_error_rx_record_to_long).

You are right, I think I need to find another way. What about passing the 443 port directly to the end server. would it be working?

Thanks for the information.
 
Old 06-30-2009, 11:27 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
it would, but then why bother with any form of proxy at all? just remove the box completely.
 
Old 11-04-2009, 01:09 PM   #5
russlan74
LQ Newbie
 
Registered: Nov 2009
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie View Post
it would, but then why bother with any form of proxy at all? just remove the box completely.
It still useful to proxy ssl connections. You may apply some bandwidth control functionality, or access lists ...
 
Old 11-22-2011, 07:48 AM   #6
hainguyenle89
LQ Newbie
 
Registered: Nov 2011
Posts: 4

Rep: Reputation: Disabled
another problem

I also have problem with this transparent type. I can apply some rules such as allowing a range of ip adds to access website while I can not apply some another rules such as controlling the bandwidth, denying some ip adds. But it's surprising that all rules can be applied by manually modifying the web proxy server by a web browser such as firefox... I can not understand this making me get mad . Please help me
 
Old 11-22-2011, 08:17 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
please don't drag up new threads, if you have a new question, post a new thread.
 
Old 11-22-2011, 09:00 AM   #8
hainguyenle89
LQ Newbie
 
Registered: Nov 2011
Posts: 4

Rep: Reputation: Disabled
I'm sorry about that .
 
  


Reply

Tags
https, proxy, squid, transparent, ubuntu


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
https in transparent proxy DeepY0X Linux - Networking 14 03-09-2009 02:49 PM
Squid reverse proxy problem (HTTPS to HTTP) RussP Linux - Networking 1 10-02-2008 02:20 PM
SQUID Transparent proxy problem. sparc86 *BSD 1 04-10-2008 04:29 PM
transparent proxy with squid problem philipph Linux - Networking 5 04-19-2004 10:03 AM
Squid proxy and https roba Linux - Software 2 08-14-2002 05:15 AM


All times are GMT -5. The time now is 02:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration