Re: [squid-users] Squid3-Debian Lenny Transparent proxy not working with HTTPS

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 11 Nov 2009 11:32:31 +1300

On Tue, 10 Nov 2009 10:21:04 -0500, "John Czerwinski"
<JohnCzerwinski_at_air-watch.com> wrote:
> I have configured a Squid3 proxy server on Debian using WCCP to a Cisco
> 2821 router (via GRE tunnel). Regular HTTP traffic works just fine.
> Anytime I try to connect to HTTPS, it times out.

Open port 443 on the firewall to let HTTPS out.

HTTPS cannot be intercepted. It was created as a security protocol
explicitly to prevent interception attacks on network traffic (aka WCCP,
NAT interception, wire tapping, etc).

>
> I've compiled Squid with --enable-ssl.

This merely lets Squid use SSL operations when clients explicitly
configured to use the proxy request it to make https:// connections. It
also enables TLS in some auth helpers. It's of very little use in a purely
intercepting proxy.

>
> The squid configuration is as follows:
>
>
> ####################################################################
> # Squid3 Configuration
> #
> #
> #
> # Cisco Router at 10.50.40.1
> # GRE tunnel to Cisco Router at 10.50.1.1
> #
> # Local Squid3 server
> # name: wwifi-atl-squid1
> # IP: 10.50.40.100
> # WCCPv2 (Transparent mode)
> #
> ####################################################################
> visible_hostname wwifi-atl-squid1
> # cache_effective_user squid squid
> http_port 10.50.40.100:3128 transparent

Not a good idea. It's better security to have the port number be
something random that only you, Squid and the Squid box firewall know.

The private port may also be firewalled in the mangle table INPUT chain to
prevent people connecting directly to it from outside.

> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

Drop the above.

> acl apache rep_header Server ^Apache
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Add here:
 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320
>
> # Access Control List Definitions
> acl localnet src 10.50.10.0/24 10.50.20.0/24 10.50.30.0/24 10.50.40.0/24 10.50.100.0/24 10.50.201.0/24
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8

Add here:
  acl to_localhost dst 0.0.0.0/8

> acl SSL_ports port 443 563 # https, snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE

Unless you are actually using PURGE it's best not to define it. Simply
doing the above turns on all the PURGE handling components and makes Squid
hold extra cache indexes, etc., wasting a lot of memory.

> acl CONNECT method CONNECT
>
> # http allows/denies
> always_direct allow all
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow localnet
> http_reply_access allow all
> icp_access allow all
>

Amos
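The configuration points raised in the reply above (well-known port on an intercepting http_port, the QUERY acl plus cache deny, the missing cgi-bin refresh_pattern and its ordering, to_localhost without 0.0.0.0/8, and an unused PURGE acl), written as an added squid.conf lint in Python. This is example code, not part of the thread or of Squid. Both sample configs are constructed from the configuration quoted in the thread; the port 39217 in the corrected sample is an arbitrary stand-in for the "random" private port, not a recommended value.

```python
"""Lint a squid.conf against the points raised in the thread above.

Added example, not part of the mailing-list post or of Squid itself.
"""
from typing import List

# Constructed sample: the relevant directives from the posted config.
POSTED_CONF = """\
visible_hostname wwifi-atl-squid1
http_port 10.50.40.100:3128 transparent
acl QUERY urlpath_regex cgi-bin \\?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
http_access allow manager localhost
http_access deny manager
"""

# Constructed sample with the thread's corrections applied. 39217 is an
# arbitrary stand-in for the "random" private port (assumption, not advice).
FIXED_CONF = """\
visible_hostname wwifi-atl-squid1
http_port 10.50.40.100:39217 transparent
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl to_localhost dst 0.0.0.0/8
http_access allow manager localhost
http_access deny manager
"""

WELL_KNOWN_PROXY_PORTS = {3128, 8080}


def parse(conf: str) -> List[List[str]]:
    """Tokenise squid.conf lines, dropping blank lines and '#' comments."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def _rp_regex_index(tok: List[str]) -> int:
    """Index of the regex in a refresh_pattern line (skips the optional -i flag)."""
    return 2 if tok[1] == "-i" else 1


def lint(conf: str) -> List[str]:
    d = parse(conf)
    findings: List[str] = []

    # 1. Intercepting http_port on a well-known proxy port: pick a random private port.
    for tok in d:
        if tok[0] == "http_port" and len(tok) > 2 and {"transparent", "intercept"} & set(tok[2:]):
            try:
                port = int(tok[1].rsplit(":", 1)[-1])
            except ValueError:
                continue
            if port in WELL_KNOWN_PROXY_PORTS:
                findings.append(f"http_port: intercept port {port} is well known; use a random high port only the firewall redirects to")

    # 2. 'cache deny' driven by a urlpath_regex acl matching cgi-bin or '?': drop it.
    regex_acls = {tok[1] for tok in d if tok[0] == "acl" and len(tok) > 3 and tok[2] == "urlpath_regex"
                  and any("cgi-bin" in p or "?" in p for p in tok[3:])}
    for tok in d:
        if tok[0] == "cache" and len(tok) > 2 and tok[1] == "deny" and set(tok[2:]) & regex_acls:
            findings.append(f"cache deny {' '.join(tok[2:])}: drop this; use a refresh_pattern for dynamic content instead")

    # 3. A cgi-bin refresh_pattern must exist, be '0 0% 0', and precede the '.' catch-all
    #    (refresh_pattern rules are first-match).
    rp = [tok for tok in d if tok[0] == "refresh_pattern" and len(tok) > 4]
    cgi = [i for i, tok in enumerate(rp) if "cgi-bin" in tok[_rp_regex_index(tok)]]
    catchall = [i for i, tok in enumerate(rp) if tok[_rp_regex_index(tok)] == "."]
    if not cgi:
        findings.append("refresh_pattern: add 'refresh_pattern -i (/cgi-bin/|\\?) 0 0% 0' before the '.' rule")
    else:
        tok, r = rp[cgi[0]], _rp_regex_index(rp[cgi[0]])
        if catchall and cgi[0] > catchall[0]:
            findings.append("refresh_pattern: the cgi-bin rule comes after '.', so it never matches; move it up")
        if len(tok) <= r + 3 or tok[r + 1] != "0" or tok[r + 3] != "0":
            findings.append("refresh_pattern: cgi-bin rule should be '0 0% 0' so dynamic content is never cached")

    # 4. to_localhost should also cover 0.0.0.0/8.
    dsts = {p for tok in d if tok[0] == "acl" and len(tok) > 3 and tok[1] == "to_localhost"
            and tok[2] == "dst" for p in tok[3:]}
    if "127.0.0.0/8" in dsts and "0.0.0.0/8" not in dsts:
        findings.append("acl to_localhost: add 'acl to_localhost dst 0.0.0.0/8'")

    # 5. A PURGE acl that no http_access line references turns on PURGE handling for nothing.
    purge_acls = {tok[1] for tok in d if tok[0] == "acl" and len(tok) > 3 and tok[2] == "method" and "PURGE" in tok[3:]}
    referenced = {n.lstrip("!") for tok in d if tok[0] == "http_access" for n in tok[2:]}
    for name in sorted(purge_acls - referenced):
        findings.append(f"acl {name}: 'method PURGE' defined but never used in http_access; drop it")

    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        found = lint(conf)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run against the posted sample it reports all five points; against the corrected sample it reports nothing. The ordering check in point 3 matters because Squid applies the first refresh_pattern whose regex matches, so a cgi-bin rule placed after `refresh_pattern . 0 20% 4320` is dead configuration.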
Received on Tue Nov 10 2009 - 22:32:36 MST

This archive was generated by hypermail 2.2.0 : Wed Nov 11 2009 - 12:00:03 MST