Re: [squid-users] Transparent proxy with HTTPS on freebsd

From: abdul sami <sami.memon_at_gmail.com>
Date: Fri, 1 May 2009 21:44:50 +0500

Dear All,

So champs, now the interesting part starts. OK.

A few days ago we had the proxy configured in the following way.

                                     DR Site
                                      \
                                        \ int: bge0 int: bge1
internal net -> lan switch -> \Squid on BSD -> firewall -> public net
                                        IP=X \ IP=Y
                                                              \
                                                          Branches

1. The above diagram shows that our internal net and DR site are
connected to Squid on interface bge0 and use the transparent proxy,
whereas branches come in on bge1 and use a manual proxy setting to get
access to the internet.

2. In the above configuration HTTP and HTTPS were working perfectly fine.

After that, major changes were made to our company network, and as a
result our proxy working scenario also changed, as below.

                                                        DR site
                                                           |
                                int: bge0 | int: bge1
internal net -> lan switch -> Squid on BSD| -> firewall -> public net
                                   IP=X \ IP=Y
                                                              \
                                                               Branches

1. The network guys forcibly shifted DR site traffic to bge1, and as a
result internet access at the DR site stopped functioning.

2. My colleague who was previously looking after the proxy changed the
following rule in the ipfw file as below (as per his statement), and
after that internet access for HTTP started working, but HTTPS traffic
stopped working on both sides where the transparent proxy was in use,
i.e. at the DR site and the internal net; however HTTPS still works at
the branches.

RULE: ipfw add divert natd all from any to any via bge1

CHANGED TO:

RULE: ipfw add divert natd all from internal net/24 to any via bge1

3. My network colleague told me that the proxy is adding its address as
the source address to HTTP packets but not to HTTPS, and passes HTTPS
packets with the source address of the internal net, which is
ultimately blocked at the perimeter firewall.

Now please note that I have only freshly started working on Squid; just
a couple of months have passed.

So when HTTPS didn't run, I went through documentation, forums etc.
(one example is one of your previous answers) and found that HTTPS
would not work on Squid in a transparent configuration, and got
SURPRISED at how it was working previously then. Anyway, now when I
say this to my head, that Squid in transparent proxy mode won't work
for HTTPS, he is not ready to accept it.

I argued with the network colleagues that there must have been some
other settings done for HTTPS, but they do not agree and say that we
had checked everything and no such settings were there; the proxy was
doing all the functionality.

Repeating the problem: currently the proxy adds its address as the
source for HTTP traffic but not HTTPS; in the HTTPS case it simply
forwards packets with the source address of the internal net, and the
perimeter firewall allows proxy IP traffic and drops internal net
addresses, so as a result HTTPS does not work.

So this is the whole story and I have got really stuck. What should I do?!

SUGGESTIONS DESPERATELY NEEDED.

With Regards,

>
>
>
>
> On Thu, Apr 30, 2009 at 8:24 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>> First of all let me thank you very much to all for the replies.
>>>
>>> I am searching/reading about PAC / port forwarding for Squid on FreeBSD,
>>> but I would be grateful if you could provide me an example/source.
>>
>> http://wiki.squid-cache.org/Technology/WPAD
>>
>>>
>>> Again I repeat, I only want to allow HTTPS sites like (gmail, yahoo)
>>> behind my transparent proxy to work.
>>>
>>
>> Once the requests are going to Squid properly this is a simple matter of
>> ACLs.
>>
>> Amos
>>
>>
>
Received on Fri May 01 2009 - 16:44:52 MDT
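An added example, not code from the thread or from the Squid project, to make the two ipfw rules quoted above concrete. The script builds a rule set for the posted topology (a port-80 `fwd` rule that hands client HTTP to Squid on bge0, the `divert natd` rule on bge1 in either its old "from any" or its narrowed "from internal net/24" form, and a final allow) and traces one HTTP and one HTTPS connection through first-match evaluation. All addresses, the DR-site client, the Squid port 3128 with `transparent`, and the web server are assumptions chosen for the illustration. What the trace shows: port 443 is never handed to Squid, so an HTTPS client's source address is rewritten only if its packet matches the natd rule, and a natd rule written `from internal net/24 to any` matches only the outbound direction, so replies arriving on bge1 for address Y are no longer diverted and a client whose address is outside that /24 leaves with its private source address unchanged. On the real box, `ipfw -a list` shows per-rule packet counters, which is the quickest check of whether client port-443 packets actually hit the natd rule.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread. Models the two ipfw
# rule sets quoted in the post plus a port-80 fwd rule to Squid, and traces
# HTTP and HTTPS connections under first-match evaluation.
# Every address, range and port below is an assumption for illustration.
INT_IF=bge0                 # inside interface, transparent-proxy clients
EXT_IF=bge1                 # outside interface, towards the perimeter firewall
INTERNAL_NET=10.1.0.0/24    # stands in for "internal net/24" in the rule
INT_CLIENT=10.1.0.55        # assumed client inside INTERNAL_NET
DR_CLIENT=10.2.0.7          # assumed transparent client outside INTERNAL_NET
SQUID_X=10.1.0.1            # assumed address X on bge0, where Squid listens
SQUID_Y=192.0.2.10          # assumed address Y on bge1, Squid's outbound source
WEB=203.0.113.5             # assumed web server on the public net

# Rule text. $1 is the natd scope: "any" (old rule) or "narrow" (changed rule).
# Port 80 arriving on the inside interface is handed to Squid (assumed
# http_port 3128 transparent); Squid then opens its own TCP connection, so
# HTTP leaves with source SQUID_Y. Nothing intercepts 443: HTTPS packets are
# only rewritten if the natd rule matches them.
rules() {
    case $1 in
        any)    natd_src=any ;;
        narrow) natd_src=$INTERNAL_NET ;;
        *)      echo "usage: rules any|narrow" >&2; return 1 ;;
    esac
    cat <<EOF
add 100 fwd $SQUID_X,3128 tcp from any to any 80 in via $INT_IF
add 200 divert natd all from $natd_src to any via $EXT_IF
add 300 allow ip from any to any
EOF
}

# Load a rule set on a FreeBSD box (root, natd already listening on the
# divert port). Word splitting of $r is intended.
apply_rules() {
    ipfw -q -f flush && rules "$1" | while read -r r; do ipfw -q $r; done
}

# /24 membership without external tools: compare the first three octets.
in_net24() { [ "${1%.*}" = "${2%.*}" ]; }

natd_scope() { case $1 in any) echo any ;; narrow) echo "$INTERNAL_NET" ;; esac; }

# First-match evaluation of the three rules for one packet.
# args: natd_src dir(in|out) iface src dst dport -> fwd-squid | natd | allow
classify() {
    if [ "$2" = in ] && [ "$3" = "$INT_IF" ] && [ "$6" = 80 ]; then
        echo fwd-squid; return
    fi
    if [ "$3" = "$EXT_IF" ]; then
        if [ "$1" = any ] || in_net24 "$4" "$1"; then echo natd; return; fi
    fi
    echo allow
}

# HTTPS from client $2 under rule set $1: the client's SYN leaving via bge1,
# then the server's SYN/ACK coming back in via bge1 addressed to Y.
# Result is "outbound/reply". Only natd/natd is a working session: "allow"
# outbound means the private source address stays on the packet (dropped at
# the perimeter), "allow" on the reply means natd never sees it and cannot
# undo the translation.
https_path() {
    scope=$(natd_scope "$1")
    out=$(classify "$scope" out "$EXT_IF" "$2" "$WEB" 443)
    back=$(classify "$scope" in "$EXT_IF" "$WEB" "$SQUID_Y" 40000)
    echo "$out/$back"
}

# HTTP from client $2 under rule set $1: the client's SYN arriving on bge0,
# then the connection Squid itself opens from Y out via bge1. Both "natd"
# (a no-op rewrite of Y to Y) and "allow" work for Squid's own packets.
http_path() {
    scope=$(natd_scope "$1")
    first=$(classify "$scope" in "$INT_IF" "$2" "$WEB" 80)
    squid=$(classify "$scope" out "$EXT_IF" "$SQUID_Y" "$WEB" 80)
    echo "$first/$squid"
}

for set in any narrow; do
    for c in $INT_CLIENT $DR_CLIENT; do
        echo "$set client=$c http=$(http_path $set $c) https=$(https_path $set $c)"
    done
done
```

Run it as-is to print the four traces; `apply_rules narrow` (as root on FreeBSD) loads the narrowed rule set for real. The model only covers the three rule shapes quoted in the post and /24 scopes; whether the addresses that clients really use fall inside the /24 written into rule 200 is exactly the thing to confirm with `ipfw -a list` on the proxy before concluding that Squid, rather than natd, is responsible for the missing source rewrite.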

This archive was generated by hypermail 2.2.0 : Sat May 02 2009 - 12:00:01 MDT