Re: [squid-users] https could not access with ssl bump in squid 3.4

From: Jerry OELoo <oyljerry_at_gmail.com>
Date: Fri, 28 Feb 2014 15:49:03 +0800

To summarize. Please correct me if anything is wrong; thanks in advance.

If I want to just transparently pass through http/https packets (not
read or modify them), I can just use http_port to open some port, and the
client sets the browser proxy+port directly; from my testing, this is
right.

If I want to get the client's https request, such as getting the browser html
content in https, or inserting some javascript into the client's browser https
response page, I need to set up NAT on server B
(should B be a gateway or a server? A is a LAN PC whose gateway points to
B? Am I right here?),

and then use iptables to redirect client A's https packets to the squid
https_port, then use squid ssl bump to read/write the client's html
content in https.

On Thu, Feb 27, 2014 at 6:06 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 27/02/2014 10:22 p.m., Jerry OELoo wrote:
>> Sorry for the spam,
>> It looks like I am wrong. After netstat, I find there is no
>> program listening on ports 80 and 443; I think this is the reason that
>> there is no traffic redirected by iptables from 80/443 to 3128/3130.
>> After I change client chrome's proxy port from 80 to 3128, it can
>> access the internet.
>>
>> So back to my question. Client A and Server B are in the same LAN, and B
>> has the squid ssl bump feature on. Now, I want Client A to access HTTPS
>> via B as proxy, and I want to use ssl bump to read/modify HTTPS
>> packages from Client A.
>> Below are my testing results,
>>
>> 1) Client A, Chrome browser HTTPS proxy settings both point to Server B
>> IP with port 3128: it works, Client A can access HTTPS successfully.
>> 2) Client A, Chrome browser HTTPS proxy points directly to Server B IP
>> with port 3130: it does NOT work, Client A could not access HTTPS.
>> As per Amos's suggestion, I should redirect packets from port 443 to squid
>> port 3130 (iptables .....). It means Squid ssl bump could not support
>> client A directly connecting to server B's 3130 port with an HTTPS
>> request?
>
> Correct. Keep the squid port receiving NAT'ed connections separate from
> the Squid port receiving direct / explicit connections.
> This is easy, just give Squid another http_port line.
>
> BTW: I recommend using 3128 as the port for normal/explicit proxy usage.
>
> The NAT receiving port is only necessarily used by the Squid box kernel,
> so it can be 100% private - right down to the point of firewalling it in
> "iptables -t mangle -p tcp --dport XX -j REJECT" against external
> packets arriving straight there.
>
>
>> I should add another application that listens on HTTPS port 443
>> on Server B, and add iptables to redirect 443 traffic to port 3130
>> for squid ssl bump to do further analysis? Is this the correct way?
>> If so, which HTTPS server should I use?
>
> see my other email. :-)
>
> Amos

-- 
Rejoice,I Desire!
Received on Fri Feb 28 2014 - 07:49:10 MST
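The setup this thread converges on, written out as an added example (it is not code from the posters or from the Squid project): Squid box B keeps the explicit proxy port 3128 separate from a NAT-only ssl-bump port 3130, redirects LAN clients' port-443 traffic into 3130, and rejects anything that reaches 3130 without coming through that NAT. It assumes B is client A's default gateway, a LAN of 192.168.1.0/24 on eth0, and the certificate and ssl_crtd paths shown; all of these are constructed, and the filter-table INPUT REJECT rules stand in for the mangle-table rule Amos mentions.

```shell
#!/bin/sh
# Added example for the thread's setup; addresses, interface and file paths are constructed assumptions.
LAN_NET="192.168.1.0/24"   # assumed LAN that client A sits on
LAN_IF="eth0"              # assumed LAN-facing interface of Squid box B
EXPLICIT_PORT=3128         # explicit/browser-configured proxy port (as in the thread)
BUMP_PORT=3130             # NAT-only ssl-bump port (as in the thread), never configured in browsers
CA_CERT="/etc/squid/ssl_cert/myCA.pem"   # assumed path of the bumping CA cert+key
SSL_CRTD="/usr/lib/squid/ssl_crtd"       # assumed path of Squid 3.4's certificate generator

# Emit the squid.conf lines: one port per role, so the bump port only ever sees NAT'ed connections.
squid_conf() {
    cat <<EOF
http_port ${EXPLICIT_PORT}
https_port ${BUMP_PORT} intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=${CA_CERT}
sslcrtd_program ${SSL_CRTD} -s /var/lib/ssl_db -M 4MB
ssl_bump server-first all
EOF
}

# Emit the iptables rules run on B: redirect LAN clients' port-443 traffic into the bump port,
# then reject anything that reaches the bump port from another interface or from outside the LAN.
firewall_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 443 -j REDIRECT --to-ports ${BUMP_PORT}
iptables -A INPUT -p tcp --dport ${BUMP_PORT} ! -i ${LAN_IF} -j REJECT
iptables -A INPUT -p tcp --dport ${BUMP_PORT} ! -s ${LAN_NET} -j REJECT
EOF
}

# Refuse a configuration that reuses one port for both roles (the mistake discussed in the thread).
ports_separate() {
    [ "${EXPLICIT_PORT}" != "${BUMP_PORT}" ]
}

# Apply on B as root: write the Squid fragment and load the rules. Nothing runs until apply is called.
apply() {
    ports_separate || { echo "explicit and bump ports must differ" >&2; return 1; }
    squid_conf > /etc/squid/conf.d/bump.conf    # assumed include location for the fragment
    firewall_rules | sh -e
}
```

Browsers on A keep 3128 as their proxy; only the kernel's REDIRECT ever delivers connections to 3130.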
