LinuxQuestions.org
Old 12-19-2012, 07:24 AM   #1
erion
LQ Newbie
 
Registered: Dec 2012
Posts: 4

Rep: Reputation: Disabled
can't access https but http works fine through route-map ->squid proxy


Hi everyone!

The problem regarding the Squid proxy is:

I have configured a Squid proxy as non-transparent on Ubuntu. Everything works great when I set the proxy in the browser. But when I send traffic to it through a route-map on the Cisco router, HTTP works but HTTPS doesn't.

The Chrome browser displays this error:
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

and access.log displays this:
NONE/400 4021 NONE error:invalid-request - NONE/- text/html

I have added these rules in iptables:
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128

thank you
 
Old 12-19-2012, 07:39 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
You can't proxy SSL traffic like that. You're taking a client that expects to perform an SSL handshake and smooshing it head first into a server that is expecting an HTTP request. That won't work.

Stop trying to transparently proxy web traffic. It is NOT the magical wonder solution you hope it is. Configure your clients to explicitly use the proxy and you'll then find HTTPS proxying very simple.
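As an added example (not code from the thread, and not anything Squid itself does), here is what arrives on port 3128 in the two setups discussed in posts #2 and #8, and what a filtering proxy can learn from those first bytes without breaking TLS. An explicit-proxy browser opens an HTTPS tunnel with a plain-text CONNECT request; an intercepted browser sends a TLS ClientHello, which a plain http_port cannot parse as HTTP, hence the 400 error:invalid-request in access.log. The host names, addresses and deny list are constructed samples.

```javascript
// Added example, not code from the thread: the first bytes Squid receives on
// port 3128 in the two setups discussed, and what a filtering proxy can and
// cannot learn from them without decrypting TLS.
//
//  * Explicit proxy (browser configured): the browser opens an HTTPS tunnel
//    with a plain-text "CONNECT host:443" request, which an HTTP proxy parses.
//  * Intercepted (iptables REDIRECT --dport 443 --to-ports 3128): the browser
//    believes it is talking to the origin server and sends a TLS ClientHello.
//    A plain http_port tries to read that as an HTTP request line, fails, and
//    logs "NONE/400 ... error:invalid-request".
// Host names, addresses and the deny list below are constructed samples.

function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
function u24(n) { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; }

// Constructed sample: what an explicit-proxy client sends first for an HTTPS site.
const CONNECT_REQUEST = Buffer.from(
  'CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n', 'ascii');

// Constructed sample: a minimal TLS 1.2 ClientHello carrying a server_name (SNI)
// extension, i.e. what an intercepted client sends first. One cipher suite and a
// fixed random: enough to exercise the parser, not a full handshake.
function buildClientHello(serverName) {
  const name = Buffer.from(serverName, 'ascii');
  const sniList = Buffer.concat([u16(name.length + 3), Buffer.from([0x00]), u16(name.length), name]);
  const sniExt = Buffer.concat([u16(0x0000), u16(sniList.length), sniList]);
  const exts = Buffer.concat([u16(sniExt.length), sniExt]);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),          // client_version: TLS 1.2
    Buffer.alloc(32, 0x11),             // random (fixed for the sample)
    Buffer.from([0x00]),                // session_id length 0
    u16(2), Buffer.from([0xc0, 0x2f]),  // cipher_suites: one suite
    Buffer.from([0x01, 0x00]),          // compression_methods: null only
    exts,
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]); // type 1 = ClientHello
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]); // record type 22
}

const HTTP_METHODS = ['GET ', 'POST ', 'HEAD ', 'PUT ', 'DELETE ', 'OPTIONS ', 'CONNECT '];

// Classify a connection from its first bytes: TLS record header, HTTP request line, or neither.
function classifyFirstBytes(buf) {
  if (buf.length >= 3 && buf[0] === 0x16 && buf[1] === 0x03 && buf[2] <= 0x03) return 'tls';
  const head = buf.subarray(0, 8).toString('latin1');
  if (HTTP_METHODS.some((m) => head.startsWith(m))) return 'http';
  return 'unknown';
}

// Host named in an HTTP request: the CONNECT target for explicit HTTPS, else the Host header.
function hostFromHttp(buf) {
  const text = buf.toString('latin1');
  const m = /^CONNECT\s+([^\s:]+)/i.exec(text) || /\r\nHost:\s*([^\r\n:]+)/i.exec(text);
  return m ? m[1].toLowerCase() : null;
}

// server_name from a ClientHello, or null if absent or malformed. This is the only
// host information an intercepting proxy gets from HTTPS without terminating TLS itself.
function extractSni(buf) {
  if (classifyFirstBytes(buf) !== 'tls' || buf[5] !== 0x01) return null; // record header, then ClientHello
  try {
    let p = 5 + 4 + 2 + 32;                       // record header, handshake header, version, random
    p += 1 + buf[p];                              // session_id
    p += 2 + buf.readUInt16BE(p);                 // cipher_suites
    p += 1 + buf[p];                              // compression_methods
    const extEnd = p + 2 + buf.readUInt16BE(p); p += 2;
    while (p + 4 <= extEnd) {
      const type = buf.readUInt16BE(p), len = buf.readUInt16BE(p + 2); p += 4;
      if (type !== 0x0000) { p += len; continue; }
      const listEnd = p + 2 + buf.readUInt16BE(p);
      for (let q = p + 2; q + 3 <= listEnd;) {
        const nameType = buf[q], nameLen = buf.readUInt16BE(q + 1); q += 3;
        if (nameType === 0x00) return buf.subarray(q, q + nameLen).toString('ascii');
        q += nameLen;
      }
      return null;
    }
  } catch (e) { /* truncated or inconsistent length fields */ }
  return null;
}

// Decision a filtering proxy can make on the first bytes alone. A connection it cannot
// attribute to a host is rejected rather than passed through (fail closed).
function policyDecision(buf, denylist) {
  const kind = classifyFirstBytes(buf);
  const host = kind === 'tls' ? extractSni(buf) : kind === 'http' ? hostFromHttp(buf) : null;
  if (!host) return { kind, host, action: 'reject' };
  const blocked = denylist.some((d) => host === d || host.endsWith('.' + d));
  return { kind, host, action: blocked ? 'deny' : 'allow' };
}

if (typeof require !== 'undefined' && require.main === module) {
  const deny = ['example.com'];
  for (const buf of [CONNECT_REQUEST, buildClientHello('www.example.com'), Buffer.from('garbage')]) {
    console.log(policyDecision(buf, deny));
  }
}
```

The point of the two samples: the explicit client hands the proxy the destination host in clear text inside the protocol the proxy speaks, while the intercepted client gives it a TLS record. Squid on a plain http_port answers the latter with 400 because byte 0x16 is not an HTTP method. Even a proxy that understands the record can only see the SNI, not the URL, and only if the client sends one.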
 
Old 12-19-2012, 08:01 AM   #3
erion
LQ Newbie
 
Registered: Dec 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
I thought to use route-map because there are 200 PCs and I can't set it manually on each of them, and if there is any problem with the proxy I can't unset it manually in the browser either. What is the difference between setting it in the browser and setting it via route-map?

Is there any other way to do it?

What I want to do is block some HTTPS and HTTP sites and allow some others.

thanks
 
Old 12-19-2012, 08:06 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
Of course you can manually set it. It's possible.

What you can also do is use a proxy.pac file held on a central server and deployed by DNS or DHCP to make all browsers automatically pick it up. That's a handy way to not actually have to deploy files to all the PCs. You could just send an email to everyone to say "make sure your browser is set to auto discover proxy details" or even "tell your browser to use http://localserver/proxy.pac".

I don't understand why route-map (as in the IOS feature??) would have any interaction with SSL / non-SSL requests; that's just IP-level packet redirection.

Use a proxy explicitly. It's then very simple.
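As an added example (not from the thread), here is a proxy.pac of the kind the post above describes. Browsers fetch it from the URL handed out by DHCP option 252, or from http://wpad.<your domain>/wpad.dat when set to auto-detect, and call FindProxyForURL(url, host) for every request. The proxy address 10.0.0.5:3128 and the internal domain corp.example are assumptions for the sample.

```javascript
// Added example, not code from the thread: a proxy.pac of the kind described above.
// Browsers fetch it from the URL handed out by DHCP option 252 (or from
// http://wpad.<your domain>/wpad.dat when set to auto-detect) and call
// FindProxyForURL(url, host) for every request. The proxy address 10.0.0.5:3128
// and the internal domain corp.example are assumptions for the sample.
// Written in ES3-style JavaScript, which is all the PAC engines in older browsers support.

var SQUID = "PROXY 10.0.0.5:3128";

function endsWith(s, suffix) {
  return s.length >= suffix.length && s.lastIndexOf(suffix) === s.length - suffix.length;
}

// RFC 1918 and loopback IP literals, matched by hand: the PAC helper isInNet()
// resolves host names through DNS, which is slow and leaks every site name.
function isPrivateIp(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || a === 127 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Local destinations never go through the proxy: the proxy itself, loopback,
  // unqualified host names, private address literals and the internal domain.
  if (host === "localhost" || host === "10.0.0.5" || host.indexOf(".") === -1) return "DIRECT";
  if (endsWith(host, ".corp.example") || isPrivateIp(host)) return "DIRECT";
  // Everything else, http and https alike, goes to Squid. For https the browser
  // sends Squid "CONNECT host:443", so the proxy ACLs see the host name.
  // Deliberately no "; DIRECT" fallback: if Squid is down, browsing fails
  // instead of silently bypassing the filtering.
  return SQUID;
}
```

Serve the file with Content-Type application/x-ns-proxy-autoconfig. A PAC file is a convenience for clients, not an enforcement point: anyone can turn it off in their browser, so the filtering only holds if the router also drops direct TCP/80 and TCP/443 from the client subnet and lets only the proxy out.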
 
Old 12-19-2012, 08:58 AM   #5
erion
LQ Newbie
 
Registered: Dec 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
In the route-map I have redirected ports 80 and 443 in this way:

ip access-list extended PROXY
deny tcp host x.x.x.x any
permit tcp any any eq www
permit tcp any any eq 443

route-map redirect-http permit 10
match ip address PROXY
set ip next-hop x.x.x.x

where x.x.x.x is proxy IP.

And in proxy server I added 2 rules:
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
 
Old 12-19-2012, 09:39 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
Good for you..? It's still not possible, config or no config.
 
Old 12-19-2012, 12:46 PM   #7
erion
LQ Newbie
 
Registered: Dec 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
No, for HTTPS it doesn't work; for HTTP it's OK.
 
Old 12-19-2012, 12:57 PM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
Yes, and I've told you three times now that's because it's not possible. You can't establish an SSL session with a server that does not support it.

Last edited by acid_kewpie; 12-19-2012 at 01:00 PM.
 