[Fwd: Re: SSL Bump for regex URL comparison]


Joe Foster
Good morning,

I have tried the attached but I still receive the same result.

I have attached a screenshot to show what happens; it's like there is no
connection.

I have tried it with and without listing 3128 as a safe SSL port. I
imagine it's not needed as it's generated from Squid.

HTTPS isn't connecting. HTTP is, though that's no surprise; I'm only
diverting port 443 to port 3128.

There are no logs being generated so I can't find out more.

I can't for the life of me see what I'm doing wrong.

Your advice is greatly received.

Thank you

Joe
 

I have the below rule added to my firewall for the redirect:
connection config redirect
        option proto 'tcp'
        option src 'lan'
        option src_ip '!192.168.1.101'
        option src_dport '443'
        option dest 'lan'
        option dest_ip '192.168.1.101'
        option dest_port '3128'
        option target 'DNAT'



On Thu, 2017-11-16 at 10:38 +0100, Matus UHLAR - fantomas wrote:
> On 16.11.17 08:21, Joe Foster wrote:
> >The problem is the connections are not getting through. It just acts like
> >there is no WiFi connection.
>
> what exactly is the error? Does squid receive those connections?
> does squid reject them?
>


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Attachments: Screenshot from 2017-11-17 09-36-42.png (82K), squidconf (1K)

Re: [Fwd: Re: SSL Bump for regex URL comparison]

Amos Jeffries
Administrator
On 18/11/17 01:45, Joe Foster wrote:
> Good morning,
>
> I have tried the attached but I still receive the same result.
>
> I have attached a screenshot to show what happens; it's like there is no
> connection.
>

There isn't ...

> I have tried it with and without listing 3128 as a safe SSL port. I
> imagine it's not needed as it's generated from Squid.
>
> HTTPS isn't connecting. HTTP is, though that's no surprise; I'm only
> diverting port 443 to port 3128.

Your port 3128 is configured to only accept plaintext HTTP traffic. It
cannot handle the TLS on port 443 traffic.

FWIW the "ssl-bump" option does not make an http_port capable of
receiving TLS. It just makes Squid attempt to decrypt the data tunneled
inside plain-text CONNECT requests (if any), in accordance with the
ssl_bump rules actions.

>
> There are no logs being generated so I can't find out more.
>

Most currently distributed Squid versions do not log connections that
fail with no HTTP activity happening on them, except when debugging the
underlying TCP I/O activity.



> I can't for the life of me see what I'm doing wrong.
>
> Your advice is greatly received.
>
> Thank you
>
> Joe
>  
>
> I have the below rule added to my firewall for the redirect:
> connection config redirect
>          option proto 'tcp'
>          option src 'lan'
>          option src_ip '!192.168.1.101'
>          option src_dport '443'
>          option dest 'lan'
>          option dest_ip '192.168.1.101'
>          option dest_port '3128'
>          option target 'DNAT'
>

NAT can only happen on the Squid machine itself. You must *route* the
packets without any type of DNAT prior to their arrival at the Squid device.

Amos
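
The two points made in the reply above (a plain http_port cannot receive intercepted TLS, and the NAT step belongs on the Squid host) shown as an added configuration sketch. It is not taken from the thread or from the attached squidconf; port 3129, the CA file path and the splice-everything policy are assumptions.

```conf
# squid.conf fragment (added example; port 3129 and the CA path are assumptions)

# Forward-proxy port: accepts plaintext HTTP, including CONNECT requests.
# Adding ssl-bump here only affects what happens inside CONNECT tunnels;
# it does not let this port parse a raw TLS ClientHello diverted from 443.
http_port 3128

# Separate listener for intercepted port-443 traffic. "intercept" makes
# Squid look up the original destination in the local NAT table, which is
# why the NAT rule has to run on this machine.
# The PEM file holds the signing CA certificate and its private key.
# Squid 3.5 syntax; Squid 4 and later name the option tls-cert=.
https_port 3129 intercept ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Peek at the ClientHello to learn the server name, then pass the
# connection through undecrypted. Use "bump" instead of "splice" only for
# traffic that must be decrypted, and only with the CA installed on clients.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# Firewall rule on the Squid host (192.168.1.101 in the thread), not on the
# router. The router only routes the clients' port-443 packets here unmodified:
#   iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3129
```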