Squid 3.1 transparent proxy for HTTPS connection getting problems

Respected Sir,

I am running RHEL 6.3 and installed Squid 3.1, which comes with the OS.

I have configured my iptables as follows to access the internet through the transparent proxy:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:https redir ports 3130

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Configured /etc/squid.conf with the following transparent proxy arguments:

http_port 3128 transparent
http_port 3130 transparent cert=/etc/pki/tls/certs/njcert.pem key=/etc/pki/tls/certs/njkey.pem

But when I try to connect from the client, for example in Firefox, I get the following error:

ssl received a record that exceeded the maximum permissible error code ssl_error_rx_record_too_long

Firefox version: 18.0.2

I need to configure the transparent proxy to work with HTTPS connectivity.

Please reply ASAP.
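The ssl_error_rx_record_too_long message is what a TLS client reports when the bytes it reads back do not form a TLS record: the first five bytes are decoded as a record header, and if the 16-bit length field exceeds the limit the handshake is aborted. Plain-text HTTP starting with "HTTP/" decodes to a length of 0x502F (20527 bytes), which is over the limit. The following Python script is an added example, not code from the thread or from Squid; the sample server reply and the handshake record in it are constructed inline, and the 18432-byte limit is the 2^14 fragment maximum plus the 2048-byte ciphertext allowance that NSS (the TLS library Firefox uses) enforces.

```python
"""Why a plain-HTTP reply on an HTTPS-intercept port produces
ssl_error_rx_record_too_long: decode the first five bytes the way a TLS
client does and apply the record-length limit."""
import struct

# TLS ContentType values a client will accept in a record header.
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

# 2**14 (maximum fragment) + 2048 (ciphertext expansion allowance) = 18432.
# NSS rejects any record whose length field is larger than this.
MAX_RECORD_LENGTH = 2**14 + 2048

# Constructed sample of what a plaintext http_port might send back when it
# receives a TLS ClientHello it cannot parse (not captured from Squid).
PLAINTEXT_REPLY = b"HTTP/1.0 400 Bad Request\r\nServer: squid\r\n\r\n"

# Constructed TLS 1.0 handshake record: type 22, version 3.1, length 49.
TLS_RECORD = b"\x16\x03\x01\x00\x31" + bytes(0x31)


def parse_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes of `data` as a TLS record header."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": content_type,
        "content_type_name": TLS_CONTENT_TYPES.get(content_type, "invalid"),
        "version": (major, minor),
        "length": length,
    }


def classify_server_bytes(data: bytes) -> str:
    """Return the client's view of the first bytes the server sent.

    The length field lives in bytes 3-4 of the header, so ASCII text whose
    4th and 5th characters form a large number ("P/" = 0x502F) trips the
    record-length limit, which is exactly the Firefox error in the thread.
    """
    hdr = parse_record_header(data)
    if hdr["length"] > MAX_RECORD_LENGTH:
        return "record_too_long"
    if hdr["content_type_name"] == "invalid":
        return "not_tls"
    return "tls_record"


if __name__ == "__main__":
    for label, sample in (("plaintext HTTP", PLAINTEXT_REPLY), ("TLS record", TLS_RECORD)):
        hdr = parse_record_header(sample)
        print(f"{label}: header={hdr} -> {classify_server_bytes(sample)}")
```

Run against the constructed HTTP reply the script reports a decoded length of 20527 and the verdict record_too_long; the constructed handshake record decodes cleanly. The practical reading is that port 3130 is answering in plain HTTP, not TLS, so the client never gets past the record header.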

Responses

A couple of questions on your setup:

1) Is your iptables device - presumably your Firefox-running client's default route - using multiple interfaces (one LAN-facing, one WAN-facing)?

2) Are you attempting to do SSL-intercept at the proxy (i.e., your client's SSL connection is terminating at the proxy and the proxy is maintaining its own connection to the ultimate SSL destination), or are you simply forwarding all SSL packets unaltered between your Firefox-running client and the remote, SSL-enabled web site?

I have configured the default route to my router and access the website from the different clients connected to my LAN, pointing the gateway to my firewall.

The HTTP sites can be accessed, but the HTTPS sites cannot.

Yes, I am doing SSL intercept at the proxy level.

Yes, my client's SSL connection is terminating at the proxy.

Please give me the solution.

We have an iptables firewall with the Squid transparent proxy on it and need to filter the HTTPS traffic from Squid as well,

because we identified that some users are using the Tor Browser / Privoxy, which bypasses our firewall and proxy security.

So how do we block it using iptables or Squid?
Pratik, if you require an answer urgently I encourage you to open a support case with Red Hat.

From what you're describing, it sounds like you're looking to do SSL-interception/inspection. There used to be a SourceForge project for an application-layer deep packet inspection tool. Can't remember if it actually broke apart SSL-protected sessions (SSL is generally designed to make that a non-trivial and CPU-intensive endeavor to do seamlessly) or just detected well-known services (like SSL) whether running on their standard ports or alternate ports.

At any rate, this portal probably isn't going to be where you're going to find a cookbook on how to implement an application-layer packet-classifier. The "easy", though not cheap, route to that type of solution is to buy an SSL-proxy/interceptor/inspector from a company like BlueCoat.

Note that, even once you've either bought or engineered a solution, the presence of such an inline-interceptor is easily detected by a moderately savvy user (the kind of user that's likely to be using privoxy for circumvention). Basically, all you do is compare a site's SSL fingerprint as seen by the (transparently) proxied client versus an unaltered SSL fingerprint.
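The fingerprint comparison described in that last paragraph is the same check a defender can run to verify that no interceptor has been inserted in front of a client. The following Python script is an added example, not code from the thread or from any vendor product: it fingerprints the DER-encoded leaf certificate a client is shown and compares it against reference fingerprints recorded from an unproxied path. The fetch helper uses the standard library only and intentionally skips chain validation so that the interceptor's certificate is still retrievable; the reference bytes used in the offline demonstration are constructed placeholders, not a real certificate.

```python
"""Detect an inline TLS interceptor by comparing certificate fingerprints:
the certificate a proxied client is shown vs. a reference fingerprint
recorded from a path known not to pass through the proxy."""
import hashlib
import socket
import ssl


def fingerprint_der(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex,
    the same presentation browsers use in their certificate viewer."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate presented on host:port, without validating it.

    Validation is skipped on purpose: an interceptor's certificate will
    usually not chain to a trusted root, and the raw bytes are what we
    want to fingerprint in that case. Network access is required.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_interception(observed_der: bytes, reference_fingerprints: set) -> dict:
    """Compare the certificate a client sees with a set of known-good pins.

    Several pins are accepted because sites rotate certificates; a mismatch
    against every pin is the signal that something in the path re-signed
    the connection (or that the reference set is stale and needs refreshing).
    """
    observed = fingerprint_der(observed_der)
    matches = observed in reference_fingerprints
    return {
        "observed": observed,
        "matches_reference": matches,
        "verdict": ("certificate matches reference: no interceptor detected"
                    if matches else
                    "certificate differs from every reference pin: possible inline interceptor"),
    }


# Constructed placeholder bytes standing in for DER certificates (not real
# certificates); they only exercise the comparison logic offline.
REFERENCE_CERT = b"constructed-reference-certificate-bytes"
INTERCEPTOR_CERT = b"constructed-resigned-certificate-bytes"
REFERENCE_PINS = {fingerprint_der(REFERENCE_CERT)}


if __name__ == "__main__":
    for name, der in (("direct path", REFERENCE_CERT), ("via proxy", INTERCEPTOR_CERT)):
        print(name, check_interception(der, REFERENCE_PINS))
    # Live use (requires network): compare what this client is shown with a
    # fingerprint captured from an unproxied vantage point.
    # print(check_interception(fetch_leaf_der("example.com"), {"<REFERENCE-FINGERPRINT>"}))
```

The reference fingerprint must come from a vantage point that is known not to traverse the proxy (a mobile connection, a host outside the firewall, or the site operator's published fingerprint); comparing two observations from behind the same interceptor proves nothing. Because certificates rotate, a mismatch is a prompt to re-check the reference before concluding that interception is taking place.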
