Squid 3.1 transparent proxy for HTTPS connection getting problems
Respected Sir,
I am running OS RHEL 6.3 and installed Squid 3.1, which comes with the OS.
I have configured my iptables as follows to access the internet with a transparent proxy:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3128
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 3130
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I configured /etc/squid.conf with the following transparent proxy arguments:
http_port 3128 transparent
http_port 3130 transparent cert=/etc/pki/tls/certs/njcert.pem key=/etc/pki/tls/certs/njkey.pem
but when I try to connect from the client (for example, in Firefox), I get the following error:
ssl received a record that exceeded the maximum permissible error code ssl_error_rx_record_too_long
Firefox version 18.0.2
I need to configure the transparent proxy to work with HTTPS connectivity.
Please reply ASAP.
Responses
Couple questions on your setup:
1) Is your iptables device (presumably your Firefox-running client's default route) using multiple interfaces (one LAN-facing, one WAN-facing)?
2) Are you attempting to do SSL-intercept at the proxy (i.e., your client's SSL connection is terminating at the proxy and the proxy is maintaining its own connection to the ultimate SSL destination), or are you simply forwarding all SSL packets unaltered between your Firefox-running client and the remote, SSL-enabled web site?
From what you're describing, it sounds like you're looking to do SSL-interception/inspection. There used to be a SourceForge project for an application-layer deep packet inspection tool. Can't remember if it actually broke apart SSL-protected sessions (SSL is generally designed to make that a non-trivial and CPU intensive endeavor to do seamlessly) or just detected well known services (like SSL) whether running on their standard ports or alternate ports.
At any rate, this portal probably isn't going to be where you're going to find a cookbook on how to implement an application-layer packet-classifier. The "easy", though not cheap, route to that type of solution is to buy an SSL-proxy/interceptor/inspector from a company like BlueCoat.
Note that, even once you've either bought or engineered a solution, the presence of such an inline-interceptor is easily detected by a moderately savvy user (the kind of user that's likely to be using privoxy for circumvention). Basically, all you do is compare a site's SSL fingerprint as seen by the (transparently) proxied client versus an unaltered SSL fingerprint.
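The fingerprint comparison described in that last paragraph, written out as an added example (not code from this thread or from Squid). It hashes the DER leaf certificate a client actually receives and compares it against a reference fingerprint captured from an unproxied vantage point; the host name, port and sample byte strings are assumptions for illustration.

```python
import hashlib
import socket
import ssl


def fingerprint_der(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate presented on host:port.

    Chain validation is deliberately disabled: an interceptor's certificate
    would usually fail validation anyway, and the point is to capture the
    raw bytes the client saw on this network path.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _normalize(fp: str) -> str:
    # Accept "AB:CD:..", "ab cd ..", or bare hex so fingerprints from
    # different tools (browser dialogs, openssl x509 -fingerprint) compare equal.
    return fp.replace(":", "").replace(" ", "").upper()


def interception_suspected(observed_der: bytes, reference_fingerprint: str) -> bool:
    """True when the certificate seen on this path differs from the reference.

    The reference is the fingerprint recorded from an unproxied vantage point
    (or published by the site); a mismatch means something in the path is
    presenting its own certificate, i.e. an inline interceptor.
    """
    return _normalize(fingerprint_der(observed_der)) != _normalize(reference_fingerprint)


if __name__ == "__main__":
    # Constructed stand-ins for two DER certificates (not real certificates):
    # the reference fingerprint is taken from one, the "observed" bytes differ.
    reference_cert = b"constructed-cert-seen-from-an-unproxied-vantage-point"
    observed_cert = b"constructed-cert-seen-through-the-transparent-proxy"
    reference_fp = fingerprint_der(reference_cert)
    print("reference:", reference_fp)
    print("interception suspected:", interception_suspected(observed_cert, reference_fp))
```

For a live check, replace the constructed byte strings with `fetch_leaf_cert_der("example.invalid")` run once from a proxied client and once from an unproxied path, then compare the two fingerprints.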
