How to get https_port transparent proxy to work?


Eric To

Jul 27, 2023, 11:11:50 AM
to Diladele Web Safety
Hello,

I've read and tried to follow several guides on the internet trying to get Squid to work as a simple transparent proxy for both http/https traffic. I'm mainly just trying to create a simple testing environment to ensure "proxy stuff" works when a proxy URL is specified.

I took the default squid.conf and added the following configuration (pulled from guides/FAQs):
==============================
http_port 3128
https_port 3129 intercept \
ssl-bump \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB \
cert=/etc/squid/certs/squid-ca-cert-key.pem \
options=ALL

sslcrtd_program /lib/squid/security_file_certgen -s /var/cache/squid_ssldb -M 4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1
==============================

In my application, when I specify my proxy URL as http://localhost:3128, everything works as expected; Squid does its thing:
==============================
1690467340.625    105 127.0.0.1 TCP_MISS/200 12154 POST http://scvptest.carillon.ca/cisg2r1 - HIER_DIRECT/192.64.30.14 application/scvp-cv-response
1690467342.166    211 127.0.0.1 TCP_MISS/200 4992 GET http://www.carillon.ca/caops/test-CISCA2.p7c - HIER_DIRECT/192.64.30.9 application/pkcs7-mime
1690467342.655     91 127.0.0.1 TCP_MISS/200 12154 POST http://scvptest.carillon.ca/cisg2r1 - HIER_DIRECT/192.64.30.14 application/scvp-cv-response
==============================

However, hitting https://localhost:3129, I am having a hard time connecting through it.
==============================
1690468199.725      0 127.0.0.1 NONE/000 0 NONE error:accept-client-connection - HIER_NONE/- -
1690469483.230      0 127.0.0.1 NONE/000 0 NONE error:accept-client-connection - HIER_NONE/- -
==============================


For some reason, even though I disabled TLSv1, in my Wireshark trace the client still ended up sending a TLSv1 handshake to Squid.
(attachment: wireshark.png)

What/how do I need to configure it such that https traffic would just pass through Squid like a transparent proxy?

Running squid -k parse on the config, there is no error either.

Any hint would be appreciated. 

Regards,
Eric

Rafael Akchurin

Jul 27, 2023, 12:16:41 PM
to web-s...@googlegroups.com
Hello Eric,

Some other actions need to be done on the firewall to redirect https/http traffic to squid, like in https://docs.diladele.com/tutorials/transparent_proxy_debian/index.html

Best regards,
Rafael
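An added example of the firewall side Rafael refers to, not code from the thread or from the Diladele tutorial: an nftables NAT ruleset that redirects port 80/443 traffic to Squid's intercept ports, both for LAN clients (prerouting) and for applications on the Squid host itself (output), which is Eric's localhost test case. The interface name, the Squid service user and the assumption that port 3128 is also declared with `intercept` are mine; Eric's config has a plain forward-proxy `http_port 3128`, so a separate intercept port would be needed for port 80.

```shell
#!/bin/sh
# Added example (not from the thread): generate and optionally apply nftables
# rules that send HTTP/HTTPS traffic to Squid's intercept ports. Squid intercept
# ports expect NAT-redirected connections, not direct client connections, which
# is why hitting https://localhost:3129 directly does not work as a test.
# LAN clients additionally need net.ipv4.ip_forward=1 on the Squid host.

LAN_IF="${LAN_IF:-eth0}"          # assumed LAN-facing interface
HTTP_PORT="${HTTP_PORT:-3128}"    # assumed to be declared "http_port ... intercept"
HTTPS_PORT="${HTTPS_PORT:-3129}"  # https_port 3129 intercept ssl-bump (from the thread)
SQUID_USER="${SQUID_USER:-proxy}" # assumed user Squid runs as

# Print the ruleset to stdout so it can be reviewed before it is applied.
# "table ... / delete table ..." makes re-running the script idempotent.
squid_redirect_rules() {
    cat <<EOF
table ip squid_redirect
delete table ip squid_redirect
table ip squid_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$LAN_IF" tcp dport 80 redirect to :$HTTP_PORT
        iifname "$LAN_IF" tcp dport 443 redirect to :$HTTPS_PORT
    }
    chain output {
        type nat hook output priority dstnat; policy accept;
        # Squid's own upstream connections must not loop back into Squid.
        meta skuid "$SQUID_USER" return
        oif "lo" return
        tcp dport 80 redirect to :$HTTP_PORT
        tcp dport 443 redirect to :$HTTPS_PORT
    }
}
EOF
}

# Apply the ruleset atomically (requires root and nft on the host).
apply_squid_redirect() {
    squid_redirect_rules | nft -f -
}
```

Run `squid_redirect_rules` first to inspect the rules; afterwards a request to https://example.test from the Squid host should appear in access.log with the real destination instead of the `error:accept-client-connection` lines.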
