questions setting up transparent proxy


questions setting up transparent proxy

John Ratliff
When I try to set up squid as a transparent proxy, I never get any
response from Squid.

I can make it work fine as a regular proxy using Firefox.

I've tried it on a Debian 9 server and a CentOS 7 server, and I get the
same result.

This is my configuration for the CentOS 7 server. I've put it wide open
right now.

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow all
http_port 3128 intercept
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

When I try a wget request from a server that is being redirected to
Squid, I get this:

$ wget debian.org
--2018-01-03 14:50:24--  http://debian.org/
Resolving debian.org (debian.org)... 130.89.148.14, 149.20.4.15,
128.31.0.62, ...
Connecting to debian.org (debian.org)|130.89.148.14|:80... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

If I remove 'intercept' from the http_port directive, I get 400 Bad
Request instead.

$ wget debian.org
--2018-01-03 14:49:22--  http://debian.org/
Resolving debian.org (debian.org)... 5.153.231.4, 130.89.148.14,
149.20.4.15, ...
Connecting to debian.org (debian.org)|5.153.231.4|:80... connected.
HTTP request sent, awaiting response... 400 Bad Request
2018-01-03 14:49:22 ERROR 400: Bad Request.

Both machines are behind the same firewall. I used
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
10.77.9.120:3128

to do the traffic redirect.

Traffic flows to the server running squid. I can verify this with
tcpdump. The packets are making it from wget to the server. I just don't
know what happens after that.

Thanks.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: questions setting up transparent proxy

Antony Stone
On Wednesday 03 January 2018 at 21:06:42, John Ratliff wrote:

> When I try to setup squid as a transparent proxy, I never get any
> response from Squid.

> When I try a wget request from a server that is being redirected

How (and more importantly, where) are you doing the redirect?

> Both machines are behind the same firewall. I used
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> 10.77.9.120:3128

If that firewall is not on the machine running Squid, then that's your problem.

> Traffic flows to the server running squid. I can verify this with
> tcpdump. The packets are making it from wget to the server. I just don't
> know what happens after that.

https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

"NOTE: This configuration is given for use *on the squid box*. This is required
to perform intercept accurately and securely. To intercept from a gateway
machine and direct traffic at a *separate squid box* use policy routing."

https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute


Antony.

--
Schrödinger's rule of data integrity: the condition of any backup is unknown
until a restore is attempted.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: questions setting up transparent proxy

John Ratliff
On 1/3/2018 3:26 PM, Antony Stone wrote:

> On Wednesday 03 January 2018 at 21:06:42, John Ratliff wrote:
>
>> When I try to setup squid as a transparent proxy, I never get any
>> response from Squid.
>
>> When I try a wget request from a server that is being redirected
>
> How (and more importantly, where) are you doing the redirect?
>
>> Both machines are behind the same firewall. I used
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
>> 10.77.9.120:3128
>
> If that firewall is not on the machine running Squid, then that's your problem.
>
>> Traffic flows to the server running squid. I can verify this with
>> tcpdump. The packets are making it from wget to the server. I just don't
>> know what happens after that.
>
> https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>
> "NOTE: This configuration is given for use *on the squid box*. This is required
> to perform intercept accurately and securely. To intercept from a gateway
> machine and direct traffic at a *separate squid box* use policy routing."
>
> https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>
>
> Antony.
>

Thanks. I put squid on the firewall itself. It works for http, but not
for https. I get errors with curl and wget.

$ curl https://debian.org
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol

$ wget https://debian.org
--2018-01-03 20:02:45--  https://debian.org/
Resolving debian.org (debian.org)... 5.153.231.4, 128.31.0.62,
130.89.148.14, ...
Connecting to debian.org (debian.org)|5.153.231.4|:443... connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.

I made some config changes:

http_port 3128 intercept
http_port 3129 intercept ssl-bump generate-host-certificates=on
cert=/etc/squid/squid.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

ssl_bump bump all

Here are my PREROUTING nat table rules.

REDIRECT tcp  --  10.77.9.0/24 anywhere tcp dpt:http redir ports 3128
REDIRECT tcp  --  10.77.9.0/24 anywhere tcp dpt:https redir ports 3129

And in the INPUT chain of the filter table:

ACCEPT tcp  --  10.77.9.0/24 anywhere tcp dpt:3128
ACCEPT tcp  --  10.77.9.0/24 anywhere tcp dpt:3129

The server I am on has IP 10.77.9.102.


Re: questions setting up transparent proxy

Amos Jeffries
Administrator
On 04/01/18 14:09, John Ratliff wrote:

> On 1/3/2018 3:26 PM, Antony Stone wrote:
>> On Wednesday 03 January 2018 at 21:06:42, John Ratliff wrote:
>>
>>> When I try to setup squid as a transparent proxy, I never get any
>>> response from Squid.
>>
>>> When I try a wget request from a server that is being redirected
>>
>> How (and more importantly, where) are you doing the redirect?
>>
>>> Both machines are behind the same firewall. I used
>>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
>>> 10.77.9.120:3128
>>
>> If that firewall is not on the machine running Squid, then that's your
>> problem.
>>
>>> Traffic flows to the server running squid. I can verify this with
>>> tcpdump. The packets are making it from wget to the server. I just don't
>>> know what happens after that.
>>
>> https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>>
>> "NOTE: This configuration is given for use *on the squid box*. This is
>> required
>> to perform intercept accurately and securely. To intercept from a gateway
>> machine and direct traffic at a *separate squid box* use policy routing."
>>
>> https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>>
>>
>> Antony.
>>
>
> Thanks. I put squid on the firewall itself. It works for http, but not
> for https. I get errors with curl and wget.
>
> $ curl https://debian.org
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol
>
> $ wget https://debian.org
> --2018-01-03 20:02:45--  https://debian.org/
> Resolving debian.org (debian.org)... 5.153.231.4, 128.31.0.62,
> 130.89.148.14, ...
> Connecting to debian.org (debian.org)|5.153.231.4|:443... connected.
> GnuTLS: An unexpected TLS packet was received.
> Unable to establish SSL connection.
>
> I made some config changes:
>
> http_port 3128 intercept
> http_port 3129 intercept ssl-bump generate-host-certificates=on
> cert=/etc/squid/squid.pem

That should be:

  https_port 3129 intercept ssl-bump generate-host-certificates=on \
    cert=/etc/squid/squid.pem

Note the 's' in https_port.


>
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
>
> ssl_bump bump all


This instructs Squid to bump before even receiving the client TLS
handshake - i.e. generate a server certificate with zero details to work
with about what the client wants.
That leads to a LOT of problems and security issues. Please do not do that.

See <https://wiki.squid-cache.org/Features/SslPeekAndSplice> for better
config examples.


>
> Here are my PREROUTING nat table rules.
>
> REDIRECT tcp  --  10.77.9.0/24 anywhere tcp dpt:http redir ports 3128
> REDIRECT tcp  --  10.77.9.0/24 anywhere tcp dpt:https redir ports 3129
>
> And in the INPUT chain of the filter table:
>
> ACCEPT tcp  --  10.77.9.0/24 anywhere tcp dpt:3128
> ACCEPT tcp  --  10.77.9.0/24 anywhere tcp dpt:3129
>
> The server I am on has IP 10.77.9.102.
>


You appear to be missing the MASQUERADE rule to send packets back to the
client.

Also the mangle table (*not* filter) rules are important to block
external traffic directly to those Squid ports without interfering with
the NAT operations.

<https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>

Amos
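The points raised in this thread (Antony's note that the NAT must happen on the Squid box itself, and Amos's list: https_port rather than http_port for intercepted TLS, no 'ssl_bump bump all', a mangle-table guard on the intercept ports, and a return-path MASQUERADE/SNAT) can be checked mechanically. The script below is an added example, not code from this thread or from the Squid project: it lints a squid.conf and an iptables-save dump for those problems and emits a rule set laid out like the wiki's LinuxRedirect page. The sample config and rule dump are constructed for the demo; the 10.77.9.0/24 range and ports 3128/3129 are taken from the thread, the eth0 interface name and the 203.0.113.10 SNAT address are assumptions.

```shell
#!/bin/sh
# Added example; not code from this thread or from the Squid project.
# Checks a squid.conf and an iptables-save dump for the problems raised above
# (NAT done on a box other than the Squid host, http_port instead of https_port
# for TLS interception, 'ssl_bump bump all', no mangle-table guard on the
# intercept ports, no return-path MASQUERADE/SNAT) and emits a rule set laid out
# like the wiki's LinuxRedirect page. Sample files are constructed; the CIDR,
# interface name and ports are assumptions taken from the thread, not a live box.

count() { awk 'END { print NR }'; }                  # number of lines on stdin

# table_rules DUMP TABLE: the "-A" rules of one table from iptables-save output
table_rules() {
    awk -v t="*$2" '$0 == t { on = 1; next } /^\*/ { on = 0 } on && /^-A /' "$1"
}

# check_squid_conf FILE: one finding per line on stdout
check_squid_conf() {
    if grep -Eq '^[[:space:]]*http_port[[:space:]].*ssl-bump' "$1"; then
        echo "http_port carries ssl-bump: intercepted TLS must use https_port"
    fi
    if grep -Eq '^[[:space:]]*ssl_bump[[:space:]]+bump[[:space:]]+all' "$1"; then
        echo "ssl_bump bump all: bumps before the ClientHello is seen; use peek/splice steps"
    fi
    if grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all' "$1" &&
       grep -Eq '^[[:space:]]*https?_port[[:space:]].*intercept' "$1"; then
        echo "http_access allow all on an intercept proxy: restrict it to localnet"
    fi
}

# check_nat_rules DUMP HTTP_PORT HTTPS_PORT: one finding per line on stdout
check_nat_rules() {
    if table_rules "$1" nat | grep -Eq '^-A PREROUTING .*-j DNAT '; then
        echo "DNAT to another host: intercept needs the NAT on the Squid box itself, or policy routing"
    fi
    for p in "$2" "$3"; do
        table_rules "$1" nat |
            grep -Eq -e "-j (REDIRECT --to-ports |DNAT --to-destination [0-9.]+:)$p\$" ||
            echo "no nat PREROUTING redirect to port $p"
        # mangle runs before nat, so this DROP only sees packets sent straight to $p
        table_rules "$1" mangle |
            grep -Eq -e "^-A PREROUTING .*--dport $p -j DROP\$" ||
            echo "no mangle PREROUTING DROP for traffic sent straight to port $p"
    done
    table_rules "$1" nat | grep -Eq '^-A POSTROUTING .*-j (MASQUERADE|SNAT)( |$)' ||
        echo "no POSTROUTING MASQUERADE/SNAT: replies will not return through this box"
}

# gen_intercept_rules LAN_CIDR HTTP_PORT HTTPS_PORT WAN_IF: iptables-restore text
gen_intercept_rules() {
    cat <<EOF
*mangle
-A PREROUTING -p tcp -m tcp --dport $2 -j DROP
-A PREROUTING -p tcp -m tcp --dport $3 -j DROP
COMMIT
*nat
-A PREROUTING -s $1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $2
-A PREROUTING -s $1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports $3
-A POSTROUTING -o $4 -j MASQUERADE
COMMIT
EOF
}

# constructed sample: the thread's config before the fixes
make_sample_conf() {
    f=$(mktemp) && cat >"$f" <<'EOF'
acl localnet src 10.77.9.0/24
http_access allow all
http_port 3128 intercept
http_port 3129 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/squid.pem
ssl_bump bump all
EOF
    echo "$f"
}

# constructed sample: SNAT present, mangle guard missing (iptables-save layout)
make_sample_rules() {
    f=$(mktemp) && cat >"$f" <<'EOF'
*nat
-A PREROUTING -s 10.77.9.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 10.77.9.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
*mangle
COMMIT
EOF
    echo "$f"
}

sc=$(make_sample_conf); sr=$(make_sample_rules)
echo "== squid.conf findings"; check_squid_conf "$sc"
echo "== firewall findings";   check_nat_rules "$sr" 3128 3129
rm -f "$sc" "$sr"
```

On a real box the checks run against the live state with `check_squid_conf /etc/squid/squid.conf` and `iptables-save > dump.txt; check_nat_rules dump.txt 3128 3129`. The generated rule set is deliberately in iptables-restore layout so it can be reviewed as text first; the mangle DROP lines are what Amos refers to, and they block direct use of the intercept ports without touching the nat REDIRECT, because mangle PREROUTING is evaluated before the port rewrite happens.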

Re: questions setting up transparent proxy

John Ratliff
On 1/3/2018 9:05 PM, Amos Jeffries wrote:
 > On 04/01/18 14:09, John Ratliff wrote:
 >> On 1/3/2018 3:26 PM, Antony Stone wrote:
 >>> On Wednesday 03 January 2018 at 21:06:42, John Ratliff wrote:
 >>>
 >>>> When I try to setup squid as a transparent proxy, I never get any
 >>>> response from Squid.
 >>>
 >>>> When I try a wget request from a server that is being redirected
 >>>
 >>> How (and more importantly, where) are you doing the redirect?
 >>>
 >>>> Both machines are behind the same firewall. I used
 >>>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
 >>>> 10.77.9.120:3128
 >>>
 >>> If that firewall is not on the machine running Squid, then that's
 >>> your problem.
 >>>
 >>>> Traffic flows to the server running squid. I can verify this with
 >>>> tcpdump. The packets are making it from wget to the server. I just
 >>>> don't
 >>>> know what happens after that.
 >>>
 >>> https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
 >>>
 >>> "NOTE: This configuration is given for use *on the squid box*. This
 >>> is required
 >>> to perform intercept accurately and securely. To intercept from a
 >>> gateway
 >>> machine and direct traffic at a *separate squid box* use policy
 >>> routing."
 >>>
 >>> https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
 >>>
 >>>
 >>>
 >>> Antony.
 >>>
 >>
 >> Thanks. I put squid on the firewall itself. It works for http, but not
 >> for https. I get errors with curl and wget.
 >>
 >> $ curl https://debian.org
 >> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
 >> protocol
 >>
 >> $ wget https://debian.org
 >> --2018-01-03 20:02:45--  https://debian.org/
 >> Resolving debian.org (debian.org)... 5.153.231.4, 128.31.0.62,
 >> 130.89.148.14, ...
 >> Connecting to debian.org (debian.org)|5.153.231.4|:443... connected.
 >> GnuTLS: An unexpected TLS packet was received.
 >> Unable to establish SSL connection.
 >>
 >> I made some config changes:
 >>
 >> http_port 3128 intercept
 >> http_port 3129 intercept ssl-bump generate-host-certificates=on
 >> cert=/etc/squid/squid.pem
 >
 > That should be:
 >
 >   https_port 3129 intercept ssl-bump generate-host-certificates=on \
 >     cert=/etc/squid/squid.pem
 >
 > Note the 's' in https_port.
Thanks. This was the issue.

 >
 >
 >>
 >> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
 >>
 >> ssl_bump bump all
I changed it to peek and splice.

 >
 >
 > This instructs Squid to bump before even receiving the client TLS
 > handshake - ie. generate a server certificate with zero details to work
 > with about what the client wants.
 > That leads to a LOT of problems and security issues. Please do not do
 > that.
 >
 > See <https://wiki.squid-cache.org/Features/SslPeekAndSplice> for better
 > config examples.
 >
 >
 >>
 >> Here are my PREROUTING nat table rules.
 >>
 >> REDIRECT tcp  --  10.77.9.0/24 anywhere tcp dpt:http redir ports 3128
 >> REDIRECT tcp  --  10.77.9.0/24 anywhere tcp dpt:https redir ports 3129
 >>
 >> And in the INPUT chain of the filter table:
 >>
 >> ACCEPT tcp  --  10.77.9.0/24 anywhere tcp dpt:3128
 >> ACCEPT tcp  --  10.77.9.0/24 anywhere tcp dpt:3129
 >>
 >> The server I am on has IP 10.77.9.102.
 >>
 >
 >
 > You appear to be missing the MASQUERADE rule to send packets back to the
 > client.
I have SNAT rules instead. There are many IPs on this firewall.

 >
 > Also the mangle table (*not* filter) rules are important to block
 > external traffic directly to those Squid ports without interfering with
 > the NAT operations.
I didn't post these rules, but I made them. Thanks.


Thanks.