LinuxQuestions.org
Help answer threads with 0 replies.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Reload this Page [SOLVED] Squid 3 intercept mode blocking https
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 04-14-2014, 01:47 PM   #1
rpugsley
LQ Newbie
 
Registered: Apr 2014
Posts: 2

Rep: Reputation: Disabled
Unhappy Squid 3 intercept mode blocking https

Hi there,

I have squid3 + iptables rules working only for http. All connection over https is blocked. Is possbile to create a rule to bypass proxy during an https connection? I would not to act "middle-man" creating certificates.
I just want to client estabilish the connection, after that squid stops to monitoring him, making possible https to any domain.

PS. I really need to use transparent connection.


Thanks in advance!

Here are my config files.

squid.config
Code:
##squid.conf
http_port 3128 intercept
cache_mem 2000 MB 
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/spool/squid3 90000 16 256 

maximum_object_size 60000 KB
maximum_object_size_in_memory 100 KB

access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
mime_table /usr/share/squid3/mime.conf

cache_mgr ***
memory_pools off

dns_nameservers 192.168.25.200
dns_nameservers 8.8.8.8
dns_nameservers 8.8.4.4


diskd_program /usr/lib/squid3/diskd
unlinkd_program /usr/lib/squid3/unlinkd

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
quick_abort_max 16 KB
quick_abort_pct 95
quick_abort_min 16 KB
request_header_max_size 20 KB
reply_header_max_size 20 KB
request_body_max_size 0 KB


acl interna src 192.168.0.0/24 # intranet
acl clientes src 192.168.1.0/24 # wifi for clients

acl SSL_ports port 443

acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 5222-5223 # whatsapp
acl SSL method CONNECT

acl CONNECT method CONNECT
acl purge method PURGE 


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow localhost
http_access allow clientes
http_access allow interna

http_access deny all

icp_access allow interna
icp_access deny all

cache_mgr webmaster
mail_program mail
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string off
visible_hostname ***

error_directory /usr/share/squid3/errors/pt-br/

delay_pools 0
iptables(Using webmin)
Code:
# Generated by iptables-save v1.4.14 on Wed Apr  9 12:16:19 2014
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth4 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Apr  9 12:16:19 2014
# Generated by iptables-save v1.4.14 on Wed Apr  9 12:16:19 2014
*nat
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp -m multiport -s 192.168.1.0/24 -j REDIRECT --to-ports 3128 --dports 80,8080
-A POSTROUTING -o eth4 -j MASQUERADE
COMMIT
# Completed on Wed Apr  9 12:16:19 2014
# Generated by iptables-save v1.4.14 on Wed Apr  9 12:16:19 2014
*mangle
:PREROUTING ACCEPT [349:91804]
:INPUT ACCEPT [345:91481]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [341:90863]
:POSTROUTING ACCEPT [341:90863]
COMMIT
# Completed on Wed Apr  9 12:16:19 2014
 
Old 04-15-2014, 08:15 AM   #2
rpugsley
LQ Newbie
 
Registered: Apr 2014
Posts: 2

Original Poster
Rep: Reputation: Disabled
I just uncommented the line net.ipv4.ip_forward=1 in /etc/sysctl.conf , now it`s working.
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Intercept and Forward TCP 443 Traffic to an HTTPS Proxy (using CONNECT) DDRRE Linux - Networking 11 10-12-2012 04:17 PM
hot to block gmail without blocking https in SQUID Sharia Linux - Server 1 04-08-2010 06:09 AM
Intercept UDP packet in transparent bridge mode vragukumar Linux - Networking 2 12-22-2009 07:36 AM
Squid does not listen at transparent (intercept) mode!!! HELP! mpeg2server Linux - Server 4 12-05-2009 04:25 AM
Squid: Blocking HTTPS URL priyadarshan Linux - Security 1 08-26-2009 04:29 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 02:11 AM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration