4.0.21 Ssl bump access denied

snable snable
Hello,

I forward the traffic for ports 443 and 80 from my OpenWrt router to my Squid box, to ports 3129 and 3128.

Certificates get created by Squid,

but I always get an access denied error from the proxy on every single page.

ssl_bump bump all

is configured.

Any idea?

Thanks

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: 4.0.21 Ssl bump access denied

Amos Jeffries
Administrator
On 08/11/17 04:52, snable snable wrote:
> Hello
>
> i forward from.my openwrt router the traffic for 443 and 80 to my squid
> box to port 3129 and 3128
>

What do you mean by "forward" ?

Any dst-IP:port NAT operation *MUST* only happen on the Squid device
itself or _later_ down the traffic path. Traffic must be *routed* to
that Squid device.


Amos
Re: 4.0.21 Ssl bump access denied

snable snable


Hey,

thanks.

I'll post in detail:

I have an OpenWrt box. Clients are attached there to the 192.168.2.0/24 network via NAT. I attached the router as a WAN device on my 192.168.1.0/24 network, with 192.168.1.254 as my internet gateway.

I have a Squid box with Squid 4 running on ports 3128, 3129 and 3130.
I forward the traffic from the OpenWrt via:

iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s 192.168.1.222
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 443 -s 192.168.1.222
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 443
ip rule add fwmark 3 table 2
ip route add default via 192.168.1.222 dev eth0.2 table 2

On the Squid box I redirected it via:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

HTTP works fine.

HTTPS brings:

ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: https://192.168.1.222/*

Connection to 192.168.1.222 failed.

The system returned: (111) Connection refused

The remote host or network may be down. Please try the request again.

Your cache administrator is [hidden email].

I had this working a while ago, but I forget how.



Re: 4.0.21 Ssl bump access denied

snable snable
access.log shows this for www.heise.de over HTTPS:

NECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.731      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.836      1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html
1510489280.892      1 192.168.1.200 TCP_MISS/503
NAL_DST/192.168.1.222 text/html
1510489283.136      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
1510489283.224      1 192.168.1.200 TCP_MISS/503


Re: 4.0.21 Ssl bump access denied

Amos Jeffries
Administrator
On 13/11/17 01:25, snable snable wrote:
> access.log shows this for www.heise.de over HTTPS:
>
> NECT 192.168.1.222:443 - HIER_NONE/- -
> 1510489280.731      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
> 1510489280.836      1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html


ORIGINAL_DST is the server IP your system NAT tables say the client is
connecting to.

So the above means the NAT system is intercepting the client at
192.168.1.200 connecting to the webserver at 192.168.1.222:443.


>
> On 12.11.2017 12:46, "snable snable" wrote:
>
>         [...]
>
>         I forward the traffic from the OpenWrt via:
>
>         iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s 192.168.1.222
>         iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 80
>         iptables -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 443 -s 192.168.1.222
>         iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp --dport 443
>         ip rule add fwmark 3 table 2
>         ip route add default via 192.168.1.222 dev eth0.2 table 2
>
>         On the Squid box I redirected it via:
>
>         iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129
>         iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>

There are no rules above preventing the NAT system intercepting the
Squid outbound traffic.

Please see the iptables rules documented at:
<https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>.

-j ACCEPT in the *mangle* table only means iptables does not do your
MARKing. It has no effect on these NAT table operations.

Amos
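The following script is an added example for this thread; it is not code from the poster, from Amos, or from the Squid project. It puts both halves of the last reply into working form: `find_loops`/`count_loops` scan a native-format access.log for intercepted requests whose ORIGINAL_DST is the proxy's own address (the symptom decoded above), and `emit_rules` prints an interception ruleset for the Squid box that keeps Squid's own outbound traffic out of the NAT redirect, laid out after the pattern of the LinuxRedirect wiki page linked above. The sample log lines are constructed from the ones posted in the thread, with a documentation address (203.0.113.10) standing in for a real origin server; the Squid box address 192.168.1.222 on eth0, intercept ports 3128 (HTTP) and 3129 (HTTPS) and the use of `echo` instead of a live `iptables` are assumptions of the example, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Assumed values (not taken from the thread): the Squid box is 192.168.1.222
# on eth0, http_port 3128 intercept, https_port 3129 intercept ssl-bump.

SQUID_IP="${SQUID_IP:-192.168.1.222}"
LAN_IF="${LAN_IF:-eth0}"
IPT="${IPT:-echo iptables}"   # IPT=iptables (as root) applies instead of printing

# Constructed sample log, modelled on the lines posted in the thread. The last
# two entries use a documentation address (203.0.113.10) as a healthy contrast.
SAMPLE_LOG='1510489280.731      2 192.168.1.200 NONE/200 0 CONNECT 192.168.1.222:443 - HIER_NONE/- -
1510489280.836      1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html
1510489283.224      1 192.168.1.200 TCP_MISS/503 4691 GET https://www.heise.de/ - ORIGINAL_DST/192.168.1.222 text/html
1510489290.100      3 192.168.1.200 NONE/200 0 CONNECT 203.0.113.10:443 - HIER_NONE/- -
1510489290.402    210 192.168.1.200 TCP_MISS/200 51233 GET https://www.heise.de/ - ORIGINAL_DST/203.0.113.10 text/html'

# Native access.log fields: 1 time, 2 elapsed, 3 client, 4 code/status, 5 bytes,
# 6 method, 7 URL, 8 user, 9 hierarchy/peer, 10 content-type. A peer field of
# ORIGINAL_DST/<our own IP> means the NAT table claims the client was connecting
# to the proxy itself, so Squid tries to fetch the page from itself on port 443
# (which is what the "(111) Connection refused" error in the thread reports).
find_loops() {
    awk -v me="$SQUID_IP" '$9 == "ORIGINAL_DST/" me { print }'
}

# Number of such looped requests on stdin (always prints a number, 0 if none).
count_loops() {
    awk -v me="$SQUID_IP" '$9 == "ORIGINAL_DST/" me { n++ } END { print n + 0 }'
}

# Interception rules for the Squid box. Order matters: the ACCEPTs come first
# so that packets sourced from the Squid box that arrive back on the LAN
# interface (for example sent back by an upstream router) are never redirected
# again; ACCEPT in the nat table ends nat processing for that connection.
emit_rules() {
    $IPT -t nat -A PREROUTING -s "$SQUID_IP" -p tcp --dport 80  -j ACCEPT
    $IPT -t nat -A PREROUTING -s "$SQUID_IP" -p tcp --dport 443 -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80  -j REDIRECT --to-ports 3128
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 -j REDIRECT --to-ports 3129
    # Clients must not talk to the intercept ports directly: such a connection
    # has no NAT record, so there is no original destination to recover.
    # mangle PREROUTING runs before nat PREROUTING, so redirected packets are
    # not affected (they still carry port 80/443 at that point).
    $IPT -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP
    $IPT -t mangle -A PREROUTING -p tcp --dport 3129 -j DROP
}

# Sanity check on the emitted set: the ACCEPT for the proxy's own address
# must precede the first REDIRECT. Exit status 0 when the order is right.
rules_ordered() {
    emit_rules | awk -v ip="$SQUID_IP" '
        index($0, "-s " ip) && /-j ACCEPT/ && !acc { acc = NR }
        /-j REDIRECT/ && !red { red = NR }
        END { exit !(acc && red && acc < red) }'
}

# Stand-alone run: report looped requests in the sample, then print the rules.
printf '%s\n' "$SAMPLE_LOG" | find_loops
echo "looped requests: $(printf '%s\n' "$SAMPLE_LOG" | count_loops)"
emit_rules
```

To check a real proxy, pipe its log in (`count_loops < /var/log/squid/access.log`); any count above zero means the NAT system is handing Squid back its own connections, and the rule order printed by `emit_rules` is the fix to compare against `iptables -t nat -S PREROUTING` on the Squid box.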