Need help to solve problem with Squid 3.5.26 SSL Bump setting & iptables rules

Need help to solve problem with Squid 3.5.26 SSL Bump setting & iptables rules

Arsalan Hussain
Dear all,

I have configured Squid 3.5.26 SSL Bump on CentOS 6.2 to share internet access, with delay pools to control bandwidth (my configuration files are attached).


The problem I am facing, and which I do not understand:

1- Clients that send requests with a proxy setting work fine with this directive: http_port 3128
 - Delay pools work fine; internet browsing for all clients using the proxy is working.

2- When transparent proxy clients send HTTP requests via the iptables REDIRECT:
http_port 3129 intercept
OR
When transparent proxy clients send HTTPS requests via the iptables REDIRECT:
https_port 3130 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.pem

I observed the problem in both cases: when a client sends a request through iptables, the Squid service fails. When I stop iptables and start Squid, it starts working.
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130

3- My objective in setting up Squid:
     *  Internet sharing for clients with proxy settings configured.
     *  Internet sharing for transparent proxy clients (requests directed to the server by "ip route 0.0.0.0 0.0.0.0 Proxy-IP" on the Cisco network, for HTTP and HTTPS requests, without configuring a proxy setting; these come from wireless).
     *  Delay pools for both HTTP and HTTPS browsing, for proxy and transparent clients.


Kindly, could somebody help me fix my problems and share any settings that work? I had added the SSL Bump certificate because the service was crashing again and again without any reason, after a few days or sometimes on the same day.


--
With Regards,


Arsalan Hussain

If you don't fight for what you want, don't cry for what you lose.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Squid conf and Iptables .txt (4K) Download Attachment

Re: Need help to solve problem with Squid 3.5.26 SSL Bump setting & iptables rules

Eliezer Croitoru
Hey,

The iptables rules don't make any sense:
IPTABLES SETTING

# Generated by iptables-save v1.4.7 on Mon Jul 31 05:43:29 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8330155:414444635]
-A INPUT -i eth1 -j ACCEPT  
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A INPUT -j DROP
COMMIT
# Completed on Mon Jul 31 05:43:29 2017

There is no PREROUTING in the filter table...
Take a peek at:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect#iptables_configuration

I also suggest you use intercept ports such as:
13128 (for http, port 80)
13129 (for https, port 443)

And not port 3130.

Let me know if it helps with something.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of Arsalan Hussain
Sent: Tuesday, August 1, 2017 12:45
To: [hidden email]
Subject: [squid-users] Need help to solve problem with Squid 3.5.26 SSL Bump setting & iptables rules
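The point above, that PREROUTING and REDIRECT do not exist in the filter table, is easy to check mechanically before an iptables-restore rejects the whole file. The following is an added example (not code from the thread or from the Squid project): a small POSIX shell/awk checker that scans an iptables-save dump for NAT-only rules written under the wrong table, run against a constructed dump shaped like the posted one and against a corrected layout. The corrected layout assumes eth1 is the LAN-facing interface (as the posted INPUT rule suggests) and that 3129/3130 stay the intercept ports; those are assumptions, not settings from the original message.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): check an iptables-save
# dump for NAT-only rules that were written under the wrong table. The posted ruleset
# has "-A PREROUTING ... -j REDIRECT" under *filter, where no PREROUTING chain exists,
# so iptables-restore rejects the whole dump; those rules belong under *nat.

# Constructed dump that mirrors the shape of the posted ruleset.
BROKEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
-A INPUT -j DROP
COMMIT'

# Corrected layout (assumption: eth1 is the LAN side, as the INPUT rule suggests).
# The intercept redirects live in *nat and only match traffic arriving from the LAN,
# so Squid's own outbound connections are never looped back into the proxy, and the
# filter table only opens the proxy ports towards that LAN interface.
FIXED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3129 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3130 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT'

# misplaced_rules DUMP_TEXT
# Prints "<table>: <rule>" for every -A line that uses a NAT-only target
# (REDIRECT, DNAT, SNAT, MASQUERADE), or a chain the filter table does not have
# (PREROUTING, POSTROUTING), while sitting under a table other than *nat.
# Returns 1 if anything was printed, 0 if the dump is clean.
misplaced_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A/ {
            chain = $2; target = ""
            for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            nat_target = (target ~ /^(REDIRECT|DNAT|SNAT|MASQUERADE)$/)
            nat_chain  = (chain == "PREROUTING" || chain == "POSTROUTING")
            if (table != "nat" && (nat_target || (table == "filter" && nat_chain))) {
                print table ": " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Demo: the broken dump reports its two REDIRECT rules, the fixed one reports nothing.
misplaced_rules "$BROKEN_DUMP" || echo "move the rules above under *nat"
misplaced_rules "$FIXED_DUMP" && echo "fixed dump is clean"
```

Run it against a live box with `misplaced_rules "$(iptables-save)"` before reloading. The corrected layout deliberately replaces the blanket `-A INPUT -i eth1 -j ACCEPT` with per-port accepts so that only the three proxy ports are reachable from the LAN; whether that is acceptable depends on what else the box serves, and if the intercept ports are renumbered as suggested above (13128/13129), change them in both tables and in squid.conf together.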

Re: Need help to solve problem with Squid 3.5.26 SSL Bump setting & iptables rules

Arsalan Hussain
Dear Eliezer

I created a new iptables configuration and it works fine for an hour (attached).

Both transparent proxy clients and clients with proxy settings access the internet through Squid,

but after every hour the service crashes or becomes unstable, and I need to restart the squid and iptables services to get it working.

I found the following errors in access.log when the service gets disturbed. I don't know the reason, what this traffic is about, or how to resolve it. When we restart the server, the services start fine again and the internet works.

1502858587.658 114260 192.168.2.162 TAG_NONE/503 0 CONNECT dc.services.visualstudio.com:443 - HIER_NONE/- -
1502858587.658 114260 192.168.2.162 TAG_NONE/503 0 CONNECT dc.services.visualstudio.com:443 - HIER_NONE/- -
1502858587.658 114258 192.168.5.1 TAG_NONE/503 0 CONNECT update.googleapis.com:443 - HIER_NONE/- -
1502858587.658 114252 192.168.2.125 TAG_NONE/503 0 CONNECT update.googleapis.com:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/-



On Tue, Aug 1, 2017 at 5:17 PM, Eliezer Croitoru <[hidden email]> wrote:




--
With Regards,


Arsalan Hussain
Assistant Director, Networks & Information System

PRESTON UNIVERSITY
Add: Plot: 85, Street No: 3, Sector H-8/1, Islamabad, Pakistan
Cell: +92-322-5018611
UAN: (51) 111-707-808 (Ext: 443)

Don't expect to see a change if you don't make one.


iptables 10-04-2017 Final SSL bump.txt (1K) Download Attachment
Iptables rule new.png (37K) Download Attachment
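The access.log lines quoted in the last message share one signature: a CONNECT request answered with TAG_NONE/503, HIER_NONE (no origin server or peer was ever selected) and an elapsed time of roughly 114 seconds, which is the profile of a tunnel attempt timing out inside the proxy rather than being refused by a remote site. The thread does not establish the root cause, but an operator can at least detect the state automatically instead of waiting for users to report it. The following is an added example (not code from the thread or the Squid project): a POSIX shell/awk scanner for Squid native-format access.log that extracts such stalled CONNECTs above an elapsed-time threshold and counts the affected clients. The sample log lines are constructed for the example, modelled on the ones posted, with two healthy entries added for contrast; the threshold value is an assumption to tune per site.

```shell
#!/bin/sh
# Added example, not from the thread: scan a Squid native-format access.log for the
# failure signature quoted above (TAG_NONE/503 on CONNECT with HIER_NONE and a very
# long elapsed time) and summarise per client, e.g. from a cron job that alerts the
# operator when the proxy starts degrading.

# Constructed sample in Squid native format:
# timestamp elapsed_ms client result/status bytes method url user hierarchy/peer type
SAMPLE_LOG='1502858587.658 114260 192.168.2.162 TAG_NONE/503 0 CONNECT dc.services.visualstudio.com:443 - HIER_NONE/- -
1502858587.658 114258 192.168.5.1 TAG_NONE/503 0 CONNECT update.googleapis.com:443 - HIER_NONE/- -
1502858587.658 114256 192.168.2.188 TAG_NONE/503 0 CONNECT en.wikibooks.org:443 - HIER_NONE/- -
1502858590.101 312 192.168.2.50 TCP_TUNNEL/200 5123 CONNECT example.org:443 - HIER_DIRECT/93.184.216.34 -
1502858591.420 45 192.168.2.50 TCP_MISS/200 2048 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html'

# stalled_connects LOG_TEXT THRESHOLD_MS
# Prints "client elapsed_ms destination" for every CONNECT that ended in
# TAG_NONE/503 with no server selected (HIER_NONE/-) after more than THRESHOLD_MS.
stalled_connects() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        $4 == "TAG_NONE/503" && $6 == "CONNECT" && $9 == "HIER_NONE/-" && ($2 + 0) > limit {
            print $3, $2, $7
        }'
}

# stalled_clients LOG_TEXT THRESHOLD_MS
# Number of distinct client addresses hit by the signature; a one-number alert metric.
stalled_clients() {
    stalled_connects "$1" "$2" | awk '
        { seen[$1] = 1 }
        END { n = 0; for (k in seen) n++; print n + 0 }'
}

# Demo with a 60 s threshold (assumed value; tune to the site's connect timeouts).
stalled_connects "$SAMPLE_LOG" 60000
echo "clients affected: $(stalled_clients "$SAMPLE_LOG" 60000)"
```

Against a real file use `stalled_connects "$(tail -n 5000 /var/log/squid/access.log)" 60000`, and alert when `stalled_clients` climbs above a handful within a short window; a count that jumps across many unrelated client addresses at the same timestamp, as in the posted lines, points at the proxy or its path to the internet rather than at any one client, which is the distinction an operator wants before deciding whether to restart squid or look at the firewall state.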