LinuxQuestions.org
08-22-2015, 11:15 PM   #1
nguyenducnam
LQ Newbie
 
Registered: Aug 2015
Posts: 1

Is there any way to cache https requests in a proxy server?


(My English is poor; I hope people will be sympathetic.)

Squid server: OS Slackware 14.1, kernel 3.10.7, Squid v 3.4.10.

Gaming needs: IE does not use Squid; Chrome and Firefox run through Squid. Picture:

http://i.imgur.com/Rt02Erc.jpg

Squid ./configure options:

Code:
...................
  --with-openssl \
  --enable-icap-client \
  --enable-ssl \
  --enable-ssl-crtd \
  --enable-snmp \
  --enable-auth \
  --enable-auth-basic \
  --enable-linux-netfilter \
  --enable-async-io \
  --enable-storeio=ufs,aufs,diskd,rock \
  --enable-removal-policies=lru,heap \
  --disable-ipv6 \
  --build=$ARCH-slackware-linux \
  --disable-strict-error-checking

File squid.conf:

Code:
......
# Squid normally listens to port 3128
http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/myCA.pem

# Bump all requests except those originating from

always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER


# OPTIONS RELATING TO EXTERNAL SSL_CRTD 

sslcrtd_program /usr/libexec/ssl_crtd -s /var/log/squid/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

..........................

Load kernel iptables v 1.4.20, file rc.local:

Code:
#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local startup commands in here.  Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.

/sbin/modprobe iptable_nat
/sbin/sysctl -w net.ipv4.ip_forward=1
/sbin/sysctl -w net.ipv4.conf.all.send_redirects=1
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=1
/sbin/sysctl -w net.ipv4.conf.all.secure_redirects=1
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
#/sbin/sysctl -w net.ipv4.conf.default.rp_filter = 0
#/sbin/sysctl -w net.ipv4.conf.default.accept_source_route = 0


if [ -x /etc/rc.d/rc.squid ]; then
  /etc/rc.d/rc.squid start
fi

File rc.firewall:

Code:
#!/bin/sh
#
# /etc/rc.d/rc.firewall

# Redirect HTTP (80) arriving on eth0 to Squid's intercept port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Redirect HTTPS (443) arriving on eth0 to Squid's ssl-bump intercept port 3127
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
# Accept connections to the two intercept ports
iptables -I INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 3127 -j ACCEPT

Configuring the Chrome browser: right-click the Google Chrome shortcut -> select "Properties" -> Target -> add to the end of the line " --proxy-server=192.168.1.150:3129" or " --proxy-server=192.168.1.151:3129". This is so as not to affect Internet Explorer.

I do not know what I did wrong.
If anyone knows, please help. Thank you.

Last edited by nguyenducnam; 08-23-2015 at 02:09 AM.
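
An added example, not part of either post and not Squid's own tooling: a small Python audit of the squid.conf directives quoted in post #1. It flags forward-proxy `http_port` lines that lack `ssl-bump` (HTTPS arriving there as CONNECT is relayed as an opaque tunnel, so it is never decrypted or cached) and `sslproxy_flags DONT_VERIFY_PEER` (origin certificates are not validated before Squid re-signs them under the local CA). The finding codes and the abridged `SAMPLE_CONF` are constructed for illustration.

```python
# Added example: audits squid.conf text for two SSL-bump pitfalls.
# SAMPLE_CONF is constructed (abridged) from the directives quoted in post #1.
SAMPLE_CONF = """\
# Squid normally listens to port 3128
http_port 3129
http_port 3128 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_certs/myCA.pem
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
"""


def parse_directives(text):
    """Yield (name, args) for every non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield name, args


def audit(text):
    """Return (code, detail) findings for the given squid.conf text."""
    findings = []
    for name, args in parse_directives(text):
        if name == "http_port" and args:
            port, opts = args[0], set(args[1:])
            # A forward-proxy port receives HTTPS as CONNECT; without
            # ssl-bump Squid relays it as a tunnel, so nothing is cached.
            if not opts & {"intercept", "tproxy", "accel", "ssl-bump"}:
                findings.append(("CONNECT_TUNNELLED", port))
        elif name == "sslproxy_flags":
            # Flags may be separated by ':' or ','.
            flags = {f for a in args for f in a.replace(":", ",").split(",")}
            # With bumping on, this makes Squid re-sign any origin
            # certificate, valid or not, under the local CA.
            if "DONT_VERIFY_PEER" in flags:
                findings.append(("UPSTREAM_UNVERIFIED", "DONT_VERIFY_PEER"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONF):
        print(f"{code}: {detail}")
```

On the sample, the first finding names port 3129, which is the port the Chrome `--proxy-server` setting in the post points at.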
 
08-23-2015, 04:57 AM   #2
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

The way I do this at home:

I control the DHCP service. It is the dhcpd which is running on my Slackware server.
My Slackware server runs a proxy (tinyproxy, but squid works just the same).
The Slackware server also acts like a network router (I have un-commented the line "/usr/sbin/routed -g -s" in the script /etc/rc.d/rc.inet2).
I have an internet router with address 192.168.0.1, all traffic that does not need to use my proxy goes straight through this Netgear box to the internet. I configured the DHCP server to give those clients "192.168.0.1" as the default gateway.
So far so good.

The Slackware server also has its default gateway set to "192.168.0.1" and naturally it is using a fixed IP address... it is a server. The IP address of the server is 192.168.0.2.
Clients that need to use my proxy are configured in /etc/dhcpd.conf so that they get the IP address of the server (192.168.0.2) as the default gateway. A client which is configured that way, sends all its network traffic to my server. On the server, I have iptables rules that transparently re-route traffic on ports 80 (http) and 443 (https) to the port where the proxy is listening (3128). The proxy can be chained to a content filter but that is optional and won't work for the encrypted HTTPS traffic anyway. Traffic will then be forwarded to the Internet when it exits the proxy.

I wrote an article about this setup long ago, perhaps it is still of value for you: http://alien.slackbook.org/dokuwiki/...lackware:proxy

Last edited by Alien Bob; 08-23-2015 at 04:59 AM.
 
1 members found this post helpful.
  

