Old 04-13-2014, 01:26 PM   #1
baronobeefdip
squid transparent proxy not working


I have a CentOS 6 server running the Squid proxy server on it. I have configured the firewall rules to redirect all port 80 requests to the Squid proxy port so I don't have to set up every machine manually to use the proxy. After I set everything up and hooked up my laptop to give the networking a try, I get a page that says "ERROR: The requested URL could not be retrieved".
Code:
The following error was encountered while trying to retrieve the URL: /

Invalid URL

Some aspect of the requested URL is incorrect.

Some possible problems are:

Missing or incorrect access protocol (should be http:// or similar)

Missing hostname

Illegal double-escape in the URL-Path

Illegal character in hostname; underscores are not allowed.

Your cache administrator is root.
I have Google searched until I eventually decided that I will not find anything about this issue to resolve it quickly. That's why I am asking here. I know that many people have come across this issue and fixed it, but nobody on the internet has ever described in detail how they did so.

The first solution I was presented with was to comment out the line in the configuration file that denied all http access from everyone. I hooked the computer up to it and configured the browser to use the proxy manually without the need for the firewall, and everything worked fine. When I took the configuration away and decided to make the firewall do the work, then I started to get the error. Then I decided to mess with the configuration file some more; I added these lines to it.
Code:
acl yournetwork src 10.0.0.0/24
http_access allow yournetwork
Then I restarted the server and got the same error. What am I supposed to do now? I haven't come across a solution yet and I am at a loss. I appreciate any help that is offered.
 
Old 04-13-2014, 01:38 PM   #2
Ser Olmy
First, you should make sure the Squid configuration is valid. Configure a web browser manually as a proxy client, and verify that you can browse the web.

Once you're certain that Squid actually works, set up transparent proxying. This is a two-step process:
  • A http_port directive must be added to squid.conf with the parameter "intercept" (http_port 3128 intercept)
  • An iptables NAT rule must be created to redirect all TCP traffic to port 80 to the proxy service at port 3128
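The "Invalid URL" page in the first post is what a plain http_port returns when a browser that does not know about the proxy (its port-80 traffic was silently redirected) sends an origin-form request such as "GET / HTTP/1.1"; the "intercept" option is what makes Squid rebuild the URL from the Host header. As an added illustration, not code from this thread or from Squid, the script below models how each port type treats the two request forms plus a CONNECT request. The sample requests are constructed, and the reasons returned mirror the list on the error page rather than Squid's actual source.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not captured from the thread's server).
PROXY_AWARE = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
REDIRECTED = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n"
CONNECT_REQ = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def resolve_url(raw, intercept):
    """Return (True, url) for a request the port can serve, else (False, reason).

    intercept=False models a plain `http_port 3128`; intercept=True models
    `http_port 3128 intercept`, which rebuilds the URL from the Host header
    (the case where traffic arrives through an iptables REDIRECT rule).
    """
    method, target, headers = parse_request(raw)
    if method == "CONNECT":
        # HTTPS through a configured proxy: after this the proxy only relays
        # encrypted bytes, so there is nothing for it to cache or inspect.
        return True, "tunnel://" + target
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        return True, target                     # absolute-form, proxy-aware client
    if not target.startswith("/"):
        return False, "Missing or incorrect access protocol"
    if not intercept:
        # Origin-form request on a plain port: this is the thread's symptom.
        return False, "Missing hostname"
    host = headers.get("host", "")
    if not host:
        return False, "Missing hostname"
    if "_" in host.split(":")[0]:
        return False, "Illegal character in hostname; underscores are not allowed."
    return True, "http://%s%s" % (host, target)
```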
 
Old 04-13-2014, 03:37 PM   #3
baronobeefdip (Original Poster)
Thanks, I didn't do that first one, but I did do the iptables rules. I know that the proxy works because I was able to set up a browser as a proxy client and browse the internet with no problem. It was when I hooked up to the server and worked in all of the iptables rules that it started to go south. I'll do what you suggested and tell you how it goes. Thanks for the help.
 
Old 04-14-2014, 07:41 PM   #4
baronobeefdip (Original Poster)
As a follow-up to your iptables rules, these are the rules that I have set up for the transparent proxy. The IP address of the machine is 192.168.1.1 and the interface that is connected to the internet is eth0.
Code:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
If these rules look right, let me know; if not, then tell me what I have to change.
 
Old 04-14-2014, 08:15 PM   #5
baronobeefdip (Original Poster)
The proxy is working, thanks for the help. There is just one more thing that just came up. I am wondering if the proxy is caching the https traffic; if not, then how do I get it to do that? What iptables rules should I set so that it will cache the https traffic too? I don't plan to try and decrypt the data or anything similar. This is just to increase internet bandwidth: since some updates are done over https, I want to decrease the amount of time these updates take; instead of downloading from the internet every time, I want the clients to download from the proxy instead to speed up the download process.

Last edited by baronobeefdip; 04-14-2014 at 08:56 PM.
 
Old 04-17-2014, 05:30 AM   #6
Ser Olmy
Quote:
Originally Posted by baronobeefdip View Post
There is just one more thing that just came up. I am wondering if the proxy is caching the https traffic, If not then how do I get it to do that.
Unfortunately, you can't.

Proxying HTTPS traffic involves a special proxy command, "CONNECT", as the client has to connect directly to the server to obtain the X.509 certificate and then establish an encrypted SSL or TLS connection. In such a scenario, the proxy server sees only encrypted traffic, and can neither cache data nor perform content filtering.

If you were to transparently intercept an HTTPS request, your proxy would have to hand out a certificate with a "subject" field matching the web server name. Since only the real web server has the private encryption key matching the public key in the certificate, the proxy cannot just download and hand over the real certificate and then act as an intermediary for an SSL/TLS connection. If that were possible, it would mean SSL/TLS would be vulnerable to a Man-in-the-Middle attack, which it isn't.

Some organizations handle this scenario by forcing all clients to trust an internal Certificate Authority, which in turn hands out (fake) SSL/TLS certificates every time a client tries to access a web site that uses HTTPS. That way, the proxy can impersonate any web server when it talks to the client, while it creates an HTTPS connection to the real server in the background. This practice is generally frowned upon, and may even be illegal in some countries.

Last edited by Ser Olmy; 04-17-2014 at 05:31 AM.
 
Old 04-17-2014, 10:23 AM   #7
baronobeefdip (Original Poster)
Quote:
Originally Posted by Ser Olmy View Post
Some organizations handle this scenario by forcing all clients to trust an internal Certificate Authority, which in turn hands out (fake) SSL/TLS certificates every time a client tries to access a web site that uses HTTPS. That way, the proxy can impersonate any web server when it talks to the client, while it creates an HTTPS connection to the real server in the background. This practice is generally frowned upon, and may even be illegal in some countries.
I live in the United States, so I understand that I should steer clear of that. I understand that many companies implement this in order to monitor their employees' activities. From what you have told me, it sounds a little excessive. Any employee, if talented and tech savvy enough, will be able to tunnel all of their traffic via SSH. I was just wondering. My research partners and I came to an agreement that private information, such as that being transported via https, should be kept private and therefore be discarded immediately after use. Your setup sounds like an SSLStrip attack in a way, a test that I have never used before; I'm a cyber security researcher and I don't see any need to do so yet. Thanks for the help. The upside here is that all software updates will be cached (eliminating the need to download everything from the internet all over again), so I can quickly update several clients at the same time in less time than would be used without the proxy. I'm now wondering if I can integrate the proxy with security settings incorporating usernames and passwords from an Active Directory server. Other Linux services have been integrated with this, such as Samba, Postfix and Dovecot. A challenging endeavor, but doable.
 