Hi there,
I have squid3 + iptables rules working only for http. All connection over https is blocked. Is possbile to create a rule to bypass proxy during an https connection? I would not to act "middle-man" creating certificates.
I just want to client estabilish the connection, after that squid stops to monitoring him, making possible https to any domain.
PS. I really need to use transparent connection.
Thanks in advance!
Here are my config files.
squid.config
Code:
##squid.conf
http_port 3128 intercept
cache_mem 2000 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid3 90000 16 256
maximum_object_size 60000 KB
maximum_object_size_in_memory 100 KB
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
mime_table /usr/share/squid3/mime.conf
cache_mgr ***
memory_pools off
dns_nameservers 192.168.25.200
dns_nameservers 8.8.8.8
dns_nameservers 8.8.4.4
diskd_program /usr/lib/squid3/diskd
unlinkd_program /usr/lib/squid3/unlinkd
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_max 16 KB
quick_abort_pct 95
quick_abort_min 16 KB
request_header_max_size 20 KB
reply_header_max_size 20 KB
request_body_max_size 0 KB
acl interna src 192.168.0.0/24 # intranet
acl clientes src 192.168.1.0/24 # wifi for clients
acl SSL_ports port 443
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 5222-5223 # whatsapp
acl SSL method CONNECT
acl CONNECT method CONNECT
acl purge method PURGE
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow clientes
http_access allow interna
http_access deny all
icp_access allow interna
icp_access deny all
cache_mgr webmaster
mail_program mail
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string off
visible_hostname ***
error_directory /usr/share/squid3/errors/pt-br/
delay_pools 0
iptables(Using webmin)
Code:
# Generated by iptables-save v1.4.14 on Wed Apr 9 12:16:19 2014
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth4 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Apr 9 12:16:19 2014
# Generated by iptables-save v1.4.14 on Wed Apr 9 12:16:19 2014
*nat
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp -m multiport -s 192.168.1.0/24 -j REDIRECT --to-ports 3128 --dports 80,8080
-A POSTROUTING -o eth4 -j MASQUERADE
COMMIT
# Completed on Wed Apr 9 12:16:19 2014
# Generated by iptables-save v1.4.14 on Wed Apr 9 12:16:19 2014
*mangle
:PREROUTING ACCEPT [349:91804]
:INPUT ACCEPT [345:91481]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [341:90863]
:POSTROUTING ACCEPT [341:90863]
COMMIT
# Completed on Wed Apr 9 12:16:19 2014