Dear Linuxer,

I have an Ubuntu server (8.10) and a Squid (2.7) installed in it. A pc, as a client, is connected to that server. The browser in the client is set to use proxy in the server for all port (checked "use this proxy for all protocol"). I found that the client can browse a lot internet pages perfectly, including the https page, such as gmail and yahoomail.

Then I try to make the squid as a transparent proxy. I put an ip rule at the server as follow:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j REDIRECT -–to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -j DNAT --to-destination 192.168.0.1:3128

Then I cleared the proxy from the browser in the client to test the transparent. It works, but for http site only. It does not work for https page, such as gmail and yahoomail.

In this situation, I believe that the squid server is already working well, but there must be something with the iptables-things. I want to fix it so the client can access the https page as well in transparent mode. Is there anyone can help me?

thanks in advance.

Well you're not directing port 443 are you? http = 80, https = 443. That said, you can't transparently proxy 443, and if you could it'd be of no use to you at all, as you could do nothing more with it that iptables would afford you, i.e. IP address filtering. This is because the proxy will only see a request for an SSL connection with the end server, not a request for a web page. When HTTPS is explicitly proxied, it will send an HTTP CONNECT request to the proxy asking to be connected to the end server, which is very different to the way the connection looks without a proxy, whereby it's a purely generic SSL connection that needs to be fully established before it starts talking HTTP inside the SSL tunnel.

Transparent proxying sucks. It *seems* like a good idea, and at some point everyone, including me, thinks it's awesome due to the lack of client configuration and such, but it's not, it's really not. Use squid as a real, non-transparent, proxy and you'll soon be glad you did. Things like proxy.pac or wpad.dat auto configuration files (or AD group policy if applicable) help the client side administration massively.

I have tried to redirect 443 port, but it does not work either. I redirected 443 port to 3128, and client browser displayed an error (ssl_error_rx_record_to_long).

You are right, I think I need to find another way. What about passing the 443 port directly to the end server. would it be working?

Thanks for the information.

it would, but then why bother with any form of proxy at all? just remove the box completely.

It still useful to proxy ssl connections. You may apply some bandwidth control functionality, or access lists ...

I also have problem with this transparent type. I can apply some rules such as allowing a range of ip adds to access website while I can not apply some another rules such as controlling the bandwidth, denying some ip adds. But it's surprising that all rules can be applied by manually modifying the web proxy server by a web browser such as firefox... I can not understand this making me get mad . Please help me

please don't drag up new threads, if you have a new question, post a new thread.

I'm sorry about that .