Re: [squid-users] squid with qlproxy on fedora 20 not working for https traffic

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 10 Jun 2014 19:30:02 +1200

On 10/06/2014 1:08 p.m., MrErr wrote:
> Hi, I have spent two days googling and going through these forums and have not
> been able to get https filtering working. I am new to all of this kind of
> networking stuff. So I do need a lot of help :)
>
> I have a gateway machine which is my router. On this same gateway I have
> squid and qlproxy installed. I want to be able to filter on both http and
> https. Only http filtering works now, but not https. So I am not able to
> make google default to safe search.
>
> I am going to paste my configuration files, so my apologies for the long
> files.
>
> My squid.conf is
>
> acl localnet src 192.168.13.0/24
> acl localnet src 127.0.0.1/8
> acl wanip src 97.90.225.128
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 8080 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access allow CONNECT SSL_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
> http_access allow localnet
> http_access allow wanip
> http_access allow localhost
> http_access deny all
> http_port 192.168.13.1:3128
> http_port 192.168.13.1:3129 intercept
> https_port 192.168.13.1:3130 intercept ssl-bump cert=/etc/squid/myCA.pem

You are using server-first bumping.
I don't think that works without the certificate generator being
configured. It just means Squid takes the server cert and uses it as the
basis for the one delivered to the client.

> acl qlproxy_https_exclusions dstdomain "/etc/opt/quintolabs/qlproxy/squid/https_exclusions.conf"
> acl qlproxy_https_targets dstdomain "/etc/opt/quintolabs/qlproxy/squid/https_targets.conf"
> ssl_bump none localhost
> ssl_bump server-first qlproxy_https_targets
> always_direct allow all
> cache_dir ufs /var/spool/squid 100 16 256
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icap_enable on
> icap_preview_enable on
> icap_preview_size 4096
> icap_persistent_connections on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Client-Username
> icap_service qlproxy1 reqmod_precache 0 icap://127.0.0.1:1344/reqmod
> icap_service qlproxy2 respmod_precache 0 icap://127.0.0.1:1344/respmod
> adaptation_access qlproxy1 allow all
> adaptation_access qlproxy2 allow all
>
> my iptables are
>

Hint: you may want to look at the tool "ferm" to make these rules
simpler, faster and easier to read. It generates rules a bit more
optimal than this while also allowing easier config than iptables
directly. (and does IPv6 firewall config transparently!).

> # Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014
> *nat
> :PREROUTING ACCEPT [683:114416]
> :INPUT ACCEPT [477:31902]
> :OUTPUT ACCEPT [441:27340]
> :POSTROUTING ACCEPT [2:176]
> :OUTPUT_direct - [0:0]
> :POSTROUTING_ZONES - [0:0]
> :POSTROUTING_ZONES_SOURCE - [0:0]
> :POSTROUTING_direct - [0:0]
> :POST_external - [0:0]
> :POST_external_allow - [0:0]
> :POST_external_deny - [0:0]
> :POST_external_log - [0:0]
> :POST_internal - [0:0]
> :POST_internal_allow - [0:0]
> :POST_internal_deny - [0:0]
> :POST_internal_log - [0:0]
> :POST_public - [0:0]
> :POST_public_allow - [0:0]
> :POST_public_deny - [0:0]
> :POST_public_log - [0:0]
> :PREROUTING_ZONES - [0:0]
> :PREROUTING_ZONES_SOURCE - [0:0]
> :PREROUTING_direct - [0:0]
> :PRE_external - [0:0]
> :PRE_external_allow - [0:0]
> :PRE_external_deny - [0:0]
> :PRE_external_log - [0:0]
> :PRE_internal - [0:0]
> :PRE_internal_allow - [0:0]
> :PRE_internal_deny - [0:0]
> :PRE_internal_log - [0:0]
> :PRE_public - [0:0]
> :PRE_public_allow - [0:0]
> :PRE_public_deny - [0:0]
> :PRE_public_log - [0:0]
> -A PREROUTING -j PREROUTING_direct
> -A PREROUTING -j PREROUTING_ZONES_SOURCE
> -A PREROUTING -j PREROUTING_ZONES
> -A OUTPUT -j OUTPUT_direct
> -A POSTROUTING -j POSTROUTING_direct
> -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
> -A POSTROUTING -j POSTROUTING_ZONES
> -A POSTROUTING_ZONES -o p6p1 -g POST_internal
> -A POSTROUTING_ZONES -o p2p1 -g POST_external
> -A POSTROUTING_ZONES -g POST_public
> -A POST_external -j POST_external_log
> -A POST_external -j POST_external_deny
> -A POST_external -j POST_external_allow
> -A POST_external_allow ! -i lo -j MASQUERADE
> -A POST_internal -j POST_internal_log
> -A POST_internal -j POST_internal_deny
> -A POST_internal -j POST_internal_allow
> -A POST_public -j POST_public_log
> -A POST_public -j POST_public_deny
> -A POST_public -j POST_public_allow
> -A POST_public_allow ! -i lo -j MASQUERADE
> -A PREROUTING_ZONES -i p6p1 -g PRE_internal
> -A PREROUTING_ZONES -i p2p1 -g PRE_external
> -A PREROUTING_ZONES -g PRE_public
> -A PREROUTING_direct -i p6p1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.13.1:3129
> -A PREROUTING_direct -i p6p1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.13.1:3130
> -A PREROUTING_direct -i p2p1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
> -A PREROUTING_direct -i p2p1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
> -A PRE_external -j PRE_external_log
> -A PRE_external -j PRE_external_deny
> -A PRE_external -j PRE_external_allow
> -A PRE_external_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination 192.168.13.108:22
> -A PRE_external_allow -p tcp -m mark --mark 0x65 -j DNAT --to-destination 192.168.13.107:22
> -A PRE_external_allow -p tcp -m mark --mark 0x66 -j DNAT --to-destination 192.168.13.104:5000-5020
> -A PRE_external_allow -p tcp -m mark --mark 0x67 -j DNAT --to-destination 192.168.13.105:22
> -A PRE_external_allow -p tcp -m mark --mark 0x68 -j DNAT --to-destination 192.168.13.109:22
> -A PRE_external_allow -p tcp -m mark --mark 0x69 -j DNAT --to-destination 192.168.13.104:22
> -A PRE_external_allow -p tcp -m mark --mark 0x6a -j DNAT --to-destination 192.168.13.106:22
> -A PRE_external_allow -p udp -m mark --mark 0x6b -j DNAT --to-destination 192.168.13.104:5000-5020
> -A PRE_external_allow -p tcp -m mark --mark 0x6c -j DNAT --to-destination 192.168.13.102:22
> -A PRE_internal -j PRE_internal_log
> -A PRE_internal -j PRE_internal_deny
> -A PRE_internal -j PRE_internal_allow
> -A PRE_public -j PRE_public_log
> -A PRE_public -j PRE_public_deny
> -A PRE_public -j PRE_public_allow
> COMMIT
> # Completed on Mon Jun 9 20:03:48 2014
> # Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014
> *mangle
> :PREROUTING ACCEPT [209855:83194674]
> :INPUT ACCEPT [163899:49094240]
> :FORWARD ACCEPT [45956:34100434]
> :OUTPUT ACCEPT [164192:62941135]
> :POSTROUTING ACCEPT [210148:97041569]
> :FORWARD_direct - [0:0]
> :INPUT_direct - [0:0]
> :OUTPUT_direct - [0:0]
> :POSTROUTING_direct - [0:0]
> :PREROUTING_ZONES - [0:0]
> :PREROUTING_ZONES_SOURCE - [0:0]
> :PREROUTING_direct - [0:0]
> :PRE_external - [0:0]
> :PRE_external_allow - [0:0]
> :PRE_external_deny - [0:0]
> :PRE_external_log - [0:0]
> :PRE_internal - [0:0]
> :PRE_internal_allow - [0:0]
> :PRE_internal_deny - [0:0]
> :PRE_internal_log - [0:0]
> :PRE_public - [0:0]
> :PRE_public_allow - [0:0]
> :PRE_public_deny - [0:0]
> :PRE_public_log - [0:0]
> -A PREROUTING -j PREROUTING_direct
> -A PREROUTING -j PREROUTING_ZONES_SOURCE
> -A PREROUTING -j PREROUTING_ZONES
> -A INPUT -j INPUT_direct
> -A FORWARD -j FORWARD_direct
> -A OUTPUT -j OUTPUT_direct
> -A POSTROUTING -j POSTROUTING_direct
> -A PREROUTING_ZONES -i p6p1 -g PRE_internal
> -A PREROUTING_ZONES -i p2p1 -g PRE_external
> -A PREROUTING_ZONES -g PRE_public
> -A PRE_external -j PRE_external_log
> -A PRE_external -j PRE_external_deny
> -A PRE_external -j PRE_external_allow
> -A PRE_external_allow -p tcp -m tcp --dport 2082 -j MARK --set-xmark 0x64/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2072 -j MARK --set-xmark 0x65/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 5000:5020 -j MARK --set-xmark 0x66/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2052 -j MARK --set-xmark 0x67/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2092 -j MARK --set-xmark 0x68/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2042 -j MARK --set-xmark 0x69/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2062 -j MARK --set-xmark 0x6a/0xffffffff
> -A PRE_external_allow -p udp -m udp --dport 5000:5020 -j MARK --set-xmark 0x6b/0xffffffff
> -A PRE_external_allow -p tcp -m tcp --dport 2022 -j MARK --set-xmark 0x6c/0xffffffff
> -A PRE_internal -j PRE_internal_log
> -A PRE_internal -j PRE_internal_deny
> -A PRE_internal -j PRE_internal_allow
> -A PRE_public -j PRE_public_log
> -A PRE_public -j PRE_public_deny
> -A PRE_public -j PRE_public_allow
> COMMIT
> # Completed on Mon Jun 9 20:03:48 2014
> # Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014
> *security
> :INPUT ACCEPT [162157:48535784]
> :FORWARD ACCEPT [45956:34100434]
> :OUTPUT ACCEPT [164192:62941135]
> :FORWARD_direct - [0:0]
> :INPUT_direct - [0:0]
> :OUTPUT_direct - [0:0]
> -A INPUT -j INPUT_direct
> -A FORWARD -j FORWARD_direct
> -A OUTPUT -j OUTPUT_direct
> COMMIT
> # Completed on Mon Jun 9 20:03:48 2014
> # Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014
> *raw
> :PREROUTING ACCEPT [209855:83194674]
> :OUTPUT ACCEPT [164192:62941135]
> :OUTPUT_direct - [0:0]
> :PREROUTING_direct - [0:0]
> -A PREROUTING -j PREROUTING_direct
> -A OUTPUT -j OUTPUT_direct
> COMMIT
> # Completed on Mon Jun 9 20:03:48 2014
> # Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [164192:62941135]
> :FORWARD_IN_ZONES - [0:0]
> :FORWARD_IN_ZONES_SOURCE - [0:0]
> :FORWARD_OUT_ZONES - [0:0]
> :FORWARD_OUT_ZONES_SOURCE - [0:0]
> :FORWARD_direct - [0:0]
> :FWDI_external - [0:0]
> :FWDI_external_allow - [0:0]
> :FWDI_external_deny - [0:0]
> :FWDI_external_log - [0:0]
> :FWDI_internal - [0:0]
> :FWDI_internal_allow - [0:0]
> :FWDI_internal_deny - [0:0]
> :FWDI_internal_log - [0:0]
> :FWDI_public - [0:0]
> :FWDI_public_allow - [0:0]
> :FWDI_public_deny - [0:0]
> :FWDI_public_log - [0:0]
> :FWDO_external - [0:0]
> :FWDO_external_allow - [0:0]
> :FWDO_external_deny - [0:0]
> :FWDO_external_log - [0:0]
> :FWDO_internal - [0:0]
> :FWDO_internal_allow - [0:0]
> :FWDO_internal_deny - [0:0]
> :FWDO_internal_log - [0:0]
> :FWDO_public - [0:0]
> :FWDO_public_allow - [0:0]
> :FWDO_public_deny - [0:0]
> :FWDO_public_log - [0:0]
> :INPUT_ZONES - [0:0]
> :INPUT_ZONES_SOURCE - [0:0]
> :INPUT_direct - [0:0]
> :IN_external - [0:0]
> :IN_external_allow - [0:0]
> :IN_external_deny - [0:0]
> :IN_external_log - [0:0]
> :IN_internal - [0:0]
> :IN_internal_allow - [0:0]
> :IN_internal_deny - [0:0]
> :IN_internal_log - [0:0]
> :IN_public - [0:0]
> :IN_public_allow - [0:0]
> :IN_public_deny - [0:0]
> :IN_public_log - [0:0]
> :OUTPUT_direct - [0:0]
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -j INPUT_direct
> -A INPUT -j INPUT_ZONES_SOURCE
> -A INPUT -j INPUT_ZONES
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -j FORWARD_direct
> -A FORWARD -j FORWARD_IN_ZONES_SOURCE
> -A FORWARD -j FORWARD_IN_ZONES
> -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
> -A FORWARD -j FORWARD_OUT_ZONES
> -A FORWARD -p icmp -j ACCEPT
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -A OUTPUT -j OUTPUT_direct
> -A FORWARD_IN_ZONES -i p6p1 -g FWDI_internal
> -A FORWARD_IN_ZONES -i p2p1 -g FWDI_external
> -A FORWARD_IN_ZONES -g FWDI_public
> -A FORWARD_OUT_ZONES -o p6p1 -g FWDO_internal
> -A FORWARD_OUT_ZONES -o p2p1 -g FWDO_external
> -A FORWARD_OUT_ZONES -g FWDO_public
> -A FWDI_external -j FWDI_external_log
> -A FWDI_external -j FWDI_external_deny
> -A FWDI_external -j FWDI_external_allow
> -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x64 -j ACCEPT
> -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x65 -j ACCEPT
> -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x66 -j ACCEPT
> -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x67 -j ACCEPT
> -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x68 -j ACCEPT
> -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x69 -j ACCEPT
> -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6a -j ACCEPT
> -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6b -j ACCEPT
> -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6c -j ACCEPT
> -A FWDI_internal -j FWDI_internal_log
> -A FWDI_internal -j FWDI_internal_deny
> -A FWDI_internal -j FWDI_internal_allow
> -A FWDI_public -j FWDI_public_log
> -A FWDI_public -j FWDI_public_deny
> -A FWDI_public -j FWDI_public_allow
> -A FWDO_external -j FWDO_external_log
> -A FWDO_external -j FWDO_external_deny
> -A FWDO_external -j FWDO_external_allow
> -A FWDO_external_allow -j ACCEPT
> -A FWDO_internal -j FWDO_internal_log
> -A FWDO_internal -j FWDO_internal_deny
> -A FWDO_internal -j FWDO_internal_allow
> -A FWDO_public -j FWDO_public_log
> -A FWDO_public -j FWDO_public_deny
> -A FWDO_public -j FWDO_public_allow
> -A FWDO_public_allow -j ACCEPT
> -A INPUT_ZONES -i p6p1 -g IN_internal
> -A INPUT_ZONES -i p2p1 -g IN_external
> -A INPUT_ZONES -g IN_public
> -A INPUT_direct -s 192.168.13.0/24 -p tcp -m tcp --dport 3129 -j ACCEPT
> -A INPUT_direct -s 192.168.13.0/24 -p tcp -m tcp --dport 3130 -j ACCEPT
> -A IN_external -j IN_external_log
> -A IN_external -j IN_external_deny
> -A IN_external -j IN_external_allow
> -A IN_external_allow -p tcp -m tcp --dport 2012 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_internal -j IN_internal_log
> -A IN_internal -j IN_internal_deny
> -A IN_internal -j IN_internal_allow
> -A IN_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_internal_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_internal_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_internal_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_internal_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_internal_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_internal_allow -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_internal_allow -p tcp -m tcp --dport 2032 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_internal_allow -p tcp -m tcp --dport 10000 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_public -j IN_public_log
> -A IN_public -j IN_public_deny
> -A IN_public -j IN_public_allow
> -A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
> -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
> COMMIT
> # Completed on Mon Jun 9 20:03:48 2014
>
> can someone please help.
>
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-with-qlproxy-on-fedora-20-not-working-for-https-traffic-tp4666277.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
>
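The missing piece Amos points at (an `https_port ... ssl-bump` line with no certificate generator behind it) is easy to miss in a long squid.conf. The following is an added example, not code from this thread, from Squid or from qlproxy: a small Python checker that parses a squid.conf, reports any bumping port that lacks `generate-host-certificates=on` or a configured `sslcrtd_program`, and emits a corrected stanza. The directive and option names (`https_port`, `ssl-bump`, `generate-host-certificates`, `dynamic_cert_mem_cache_size`, `sslcrtd_program`, `sslcrtd_children`, `ssl_bump`) are real Squid 3.x directives; the `ssl_crtd` binary path `/usr/lib64/squid/ssl_crtd` and the database directory `/var/lib/squid/ssl_db` are assumptions for a Fedora package layout, and the sample config is a constructed excerpt of the one posted above.

```python
"""Find ssl-bump ports in a squid.conf that have no certificate generator.

Added example (not part of the mailing-list thread, Squid or qlproxy).
The ssl_crtd path and ssl_db directory below are assumptions.
"""
import shlex

# Constructed sample: the bumping-related lines of the poster's squid.conf.
SAMPLE_CONF = """\
http_port 192.168.13.1:3128
http_port 192.168.13.1:3129 intercept
https_port 192.168.13.1:3130 intercept ssl-bump cert=/etc/squid/myCA.pem
acl qlproxy_https_targets dstdomain "/etc/opt/quintolabs/qlproxy/squid/https_targets.conf"
ssl_bump none localhost
ssl_bump server-first qlproxy_https_targets
"""

# Assumed locations (Fedora-style layout); adjust to the installed package.
SSL_CRTD = "/usr/lib64/squid/ssl_crtd"
SSL_DB = "/var/lib/squid/ssl_db"

PORT_DIRECTIVES = ("https_port", "http_port")


def parse_conf(text):
    """Return a list of (directive, [args]); blank lines and '#' comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def audit_ssl_bump(text):
    """Return findings (strings). Empty list means bumping is fully configured
    or not used at all."""
    entries = parse_conf(text)
    bump_ports = [(d, a) for d, a in entries if d in PORT_DIRECTIVES and "ssl-bump" in a]
    # 'ssl_bump none ...' only splices, so it does not need a generator.
    bump_rules = [a for d, a in entries if d == "ssl_bump" and a and a[0] != "none"]
    has_crtd = any(d == "sslcrtd_program" for d, _ in entries)
    findings = []
    if not bump_rules:
        return findings
    for d, a in bump_ports:
        if "generate-host-certificates=on" not in a:
            findings.append(f"{d} {a[0]}: ssl-bump without generate-host-certificates=on")
    if bump_ports and not has_crtd:
        findings.append("no sslcrtd_program directive: Squid cannot mint per-site certificates")
    return findings


def fixed_port_line(directive, args):
    """Rewrite one bumping port line so Squid generates a certificate per origin."""
    opts = [o for o in args if not o.startswith("generate-host-certificates=")]
    idx = opts.index("ssl-bump") + 1
    opts[idx:idx] = ["generate-host-certificates=on", "dynamic_cert_mem_cache_size=4MB"]
    return " ".join([directive] + opts)


def corrected_conf(text):
    """Return the config with every bumping port line fixed and a certificate
    generator appended when none is configured."""
    out = []
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        parts = shlex.split(stripped) if stripped else []
        if parts and parts[0] in PORT_DIRECTIVES and "ssl-bump" in parts[1:]:
            out.append(fixed_port_line(parts[0], parts[1:]))
        else:
            out.append(raw)
    if not any(d == "sslcrtd_program" for d, _ in parse_conf(text)):
        out.append(f"sslcrtd_program {SSL_CRTD} -s {SSL_DB} -M 4MB")
        out.append("sslcrtd_children 5")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_ssl_bump(SAMPLE_CONF):
        print("FINDING:", finding)
    print("--- corrected ---")
    print(corrected_conf(SAMPLE_CONF))
```

Two operational notes that go with the corrected stanza: the certificate database has to be created once before Squid starts (`ssl_crtd -c -s /var/lib/squid/ssl_db -M 4MB`, with the same path the `sslcrtd_program` line uses), and the CA in `myCA.pem` must be imported into every client's trust store, because with bumping the browser is presented with a certificate signed by that CA rather than by the origin's real issuer; without that import every bumped site shows a certificate warning.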
Received on Tue Jun 10 2014 - 07:30:18 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 10 2014 - 12:00:04 MDT