LinuxQuestions.org
03-11-2012, 12:14 AM   #1
roopakl
Member
Registered: Sep 2011
Posts: 92

Should/Shouldn't proxy https while transparent proxy


Hi..LinuxGuru,
I am working as a Linux administrator and have to set up a squid proxy server in our office. So I googled and could successfully configure the transparent squid3 proxy with this help on a personal (home) PC, tested it with another PC connected by a cross cable, and found everything (http, https, ftp and mail clients) is working fine without browser settings.
But if I do
tail -f /var/log/squid3/access.log
I am getting logs only for http sites, not for https. But if I set the proxy in the browser settings on the client PC, then I can see it as a CONNECT 443 request.
So I just want to clarify this:
should I proxy https in a transparent proxy setup?
or
should I not proxy https in a transparent proxy setup?

Since port 443 is secure, I don't want to proxy https and would like to forward all port 443 requests to the internet directly. So please help me with how I can use iptables to forward all port 443 requests coming from LAN PCs to the internet directly.

Here is my setup.
Code:
proxy server: Ubuntu-11.10(DNS, DHCP and squid3)
internet eth1
IP      192.168.1.2/24
Gateway 192.168.1.1

cat /etc/resolv.conf
search ourinternaldomain.com
nameserver 192.168.0.1

The /etc/bind/named.conf.options file has 192.168.1.1 in the forwarders section

LAN eth0
192.168.0.1/24


Client
IP      192.168.0.100/24
Gateway 192.168.0.1
DNS     192.168.0.1
IPTables rules
Code:
#iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level warning 
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere  

#iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere            tcp dpt:www to:192.168.0.1:3128 
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 3128 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere 

#iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

The squid.conf file is as below. Please clarify whether the Safe_ports 443 and SSL_ports 443 lines should be commented out or not.
Code:
#grep -v "^#" /etc/squid3/squid.conf | sed -e '/^$/d'
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl denied_sites dstdomain "/etc/squid3/.denied_sites"
http_access deny denied_sites
acl my_lan src 192.168.0.0/24   # network address; 192.168.0.1/24 names the host, not the subnet
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow my_lan        # local allow rules belong after the port checks, or they bypass them
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_mem 512 MB
cache_dir ufs /var/spool/squid3 20000 16 256
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

So please guide me on how to set up the transparent squid3 proxy so that https sites are not proxied and connect directly to the internet, and we don't get any https logs even if we set the proxy in the browser settings on the client PC.

Last edited by roopakl; 03-11-2012 at 01:03 AM.
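The iptables side of the setup described in this post, as an added example that is not the poster's own rules: it diverts only TCP/80 from the LAN to squid and forwards TCP/443 directly, so HTTPS never reaches squid and never appears in access.log. Interface names (eth0 LAN, eth1 Internet), the LAN network 192.168.0.0/24 and the squid port 3128 are taken from the post; IPT defaults to "echo iptables" so the script only prints the rules unless it is run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the post): NAT and filter rules for a transparent
# squid setup where HTTP is proxied and HTTPS is routed directly.
# Assumed layout: LAN on eth0 (192.168.0.0/24, proxy host 192.168.0.1),
# Internet on eth1, squid listening on 3128.
# IPT defaults to "echo iptables" so running this prints the rules;
# set IPT=iptables as root to apply them for real.
IPT="${IPT:-echo iptables}"
LAN_IF="eth0"
WAN_IF="eth1"
LAN_NET="192.168.0.0/24"
SQUID_PORT="3128"

# Emit (or apply) the rule set. Only TCP/80 from the LAN is redirected to
# squid; TCP/443 is plain forwarded and masqueraded, so squid never sees it.
apply_rules() {
    # the proxy host must accept the redirected HTTP connections on 3128
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # transparent HTTP: a single REDIRECT is enough (a DNAT to the same
    # port in front of it, as in the post's listing, is redundant)
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # HTTPS is routed, not proxied: forward it and allow the replies back
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # hide the LAN behind the proxy's Internet-side address
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Sanity check on the generated rules: exactly one REDIRECT, aimed at
# port 80, and nothing redirecting port 443. Returns 0 when that holds.
check_rules() {
    rules=$(IPT="echo iptables"; apply_rules)
    [ "$(printf '%s\n' "$rules" | grep -c 'REDIRECT')" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q -- '--dport 80 .*-j REDIRECT' || return 1
    printf '%s\n' "$rules" | grep -- '--dport 443' | grep -q 'REDIRECT' && return 1
    return 0
}

apply_rules
```

With these rules the absence of HTTPS lines in access.log is the expected result: the REDIRECT matches port 80 only, and port 443 is handled by plain forwarding plus MASQUERADE, exactly as the FORWARD policy ACCEPT and the POSTROUTING MASQUERADE in the post's listing already do. A client whose browser is configured to use 192.168.0.1:3128 explicitly opens a direct TCP connection to squid and sends CONNECT host:443, which iptables forwarding never touches, so those requests are still logged by squid regardless of the NAT rules.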
 
03-12-2012, 09:33 AM   #2
roopakl
Member
Registered: Sep 2011
Posts: 92
Original Poster

Hi..Everyone,
Could anybody please help me with this thread?