-   Linux - Networking (
-   -   transparent proxy squid: problem with the HTTPS (

pnguwe 06-30-2009 04:04 AM

transparent proxy squid: problem with the HTTPS
Dear Linuxer,

I have an Ubuntu server (8.10) and a Squid (2.7) installed in it. A pc, as a client, is connected to that server. The browser in the client is set to use proxy in the server for all port (checked "use this proxy for all protocol"). I found that the client can browse a lot internet pages perfectly, including the https page, such as gmail and yahoomail.

Then I try to make the squid as a transparent proxy. I put an ip rule at the server as follow:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp –dport 80 -j REDIRECT -–to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -j DNAT --to-destination

Then I cleared the proxy from the browser in the client to test the transparent. It works, but for http site only. It does not work for https page, such as gmail and yahoomail.

In this situation, I believe that the squid server is already working well, but there must be something with the iptables-things. I want to fix it so the client can access the https page as well in transparent mode. Is there anyone can help me?

thanks in advance.

acid_kewpie 06-30-2009 04:43 AM

Well you're not directing port 443 are you? http = 80, https = 443. That said, you can't transparently proxy 443, and if you could it'd be of no use to you at all, as you could do nothing more with it that iptables would afford you, i.e. IP address filtering. This is because the proxy will only see a request for an SSL connection with the end server, not a request for a web page. When HTTPS is explicitly proxied, it will send an HTTP CONNECT request to the proxy asking to be connected to the end server, which is very different to the way the connection looks without a proxy, whereby it's a purely generic SSL connection that needs to be fully established before it starts talking HTTP inside the SSL tunnel.

Transparent proxying sucks. It *seems* like a good idea, and at some point everyone, including me, thinks it's awesome due to the lack of client configuration and such, but it's not, it's really not. Use squid as a real, non-transparent, proxy and you'll soon be glad you did. Things like proxy.pac or wpad.dat auto configuration files (or AD group policy if applicable) help the client side administration massively.

pnguwe 06-30-2009 05:15 AM

I have tried to redirect 443 port, but it does not work either. I redirected 443 port to 3128, and client browser displayed an error (ssl_error_rx_record_to_long).

You are right, I think I need to find another way. What about passing the 443 port directly to the end server. would it be working?

Thanks for the information.

acid_kewpie 06-30-2009 11:27 AM

it would, but then why bother with any form of proxy at all? just remove the box completely.

russlan74 11-04-2009 01:09 PM


Originally Posted by acid_kewpie (Post 3591621)
it would, but then why bother with any form of proxy at all? just remove the box completely.

It still useful to proxy ssl connections. You may apply some bandwidth control functionality, or access lists ...

hainguyenle89 11-22-2011 07:48 AM

another problem
I also have problem with this transparent type. I can apply some rules such as allowing a range of ip adds to access website while I can not apply some another rules such as controlling the bandwidth, denying some ip adds. But it's surprising that all rules can be applied by manually modifying the web proxy server by a web browser such as firefox... I can not understand this making me get mad :(. Please help me :confused:

acid_kewpie 11-22-2011 08:17 AM

please don't drag up new threads, if you have a new question, post a new thread.

hainguyenle89 11-22-2011 09:00 AM

I'm sorry about that :D.

All times are GMT -5. The time now is 02:28 PM.