[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] problem with MASQUERADE



jam mcquil com wrote:

On Tue, 23 Dec 2003, Julius Szelagiewicz wrote:



On Tue, 23 Dec 2003 jam mcquil com wrote:


Hmm, I'm wondering if maybe you are doing transparent proxying
with squid for port 80, but not 443.

Your normal browsing would work because of squid, and
your Secure connections would work because of MASQ.

Turn off MASQ, and you lose secure connections.

If that's the case, then perhaps you can configure transparent
proxying for port 443 also.

Just a guess.



Jim,
this is one of those guesses that seem to shout "Aha!". OK, what
do I do to squid to proxy port 443 - add listen on 443 in squid config
and push 443 traffic to squid box?
julius



Hmm, no. I think you need to pick a different port to map to. The same way port 80 is redirected to 3128, I think you need to use iptables to redirect 443 to something else. I'm sure there's a standard way to do this, I just don't know what it is.

prolly eHarrison or someone else more well versed in squid setup
can help out.  I'm just the "idea" guy here :)

Jim.
You cannot transparently proxy ports that are for encrypted connections such as 443. You can source NAT them and let them pass without involving squid, or you can use non-transparent proxying. The problem is that if you add a redirect, squid has no way to know what the original destination was for an SSL connection, because the SSL negotiation occurs before the HTTP request header that tells squid the intended destination. With non-transparent proxying the browser must be configured to use the squid box as a proxy, and for secure connections it knows to send the proxy a "CONNECT" request for the secure server, then start SSL on the resulting connection.


I recommend switching to non-transparent proxying. That way squid can be configured to require authentication from users, which can be LDAP based, and allow or deny specific connection requests.

Alternatively, if you don't care about allowing or denying access to secure sites, merely logging IP addresses, then you can use the source NAT solution and add logging to the iptables rules you use to configure it.

--
-----------------------------------------------------------
  "Spend less!  Do more!  Go Open Source..." -- Dirigo.net
  Chris Johnson, RHCE #807000448202021
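The difference Chris describes between a redirected SSL connection and a browser's explicit CONNECT request, modelled in Python. This is an added example, not code from the thread or from squid; the hostnames, the allowed-port list and the sample TLS bytes are constructed, and the request and response handling is a simplified stand-in for squid's own.

```python
"""Model of the HTTP CONNECT handshake a browser uses with a non-transparent
proxy such as squid.  Added example, not from the K12OSN thread; hostnames,
ports and the sample TLS bytes are constructed values."""
import re

# Request line of a proxy CONNECT: "CONNECT host:port HTTP/1.x"
CONNECT_RE = re.compile(rb"^CONNECT ([^\s:]+):(\d{1,5}) HTTP/1\.[01]\r\n")

def build_connect_request(host: str, port: int = 443) -> bytes:
    """First bytes a proxy-configured browser sends for https://host/ :
    the intended destination is in clear text, before any SSL flows."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()

def proxy_decide(first_bytes: bytes, allowed_ports=(443,)):
    """The proxy's view of the first bytes on an inbound socket.
    Returns (host, port) for a well-formed CONNECT to a permitted port,
    or None when no destination can be determined or the request is
    denied.  A redirected SSL connection starts with a TLS record, not
    an HTTP request line, so it always ends up as None."""
    m = CONNECT_RE.match(first_bytes)
    if not m:
        return None
    host, port = m.group(1).decode(), int(m.group(2))
    if port not in allowed_ports:          # the allow/deny decision
        return None
    return host, port

def proxy_response(decision) -> bytes:
    """Status line the proxy answers with.  On success the TCP tunnel
    is open and the browser starts SSL inside it; otherwise the browser
    gets an explicit HTTP error instead of a silently hung connection."""
    if decision is None:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"

# Constructed sample: what a redirected (transparently NATed) SSL
# connection looks like to the proxy: a TLS record header, content type
# 0x16 (handshake), version 3.1, then the start of a ClientHello.
REDIRECTED_SSL_BYTES = b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x01"

if __name__ == "__main__":
    for first in (build_connect_request("secure.example.org"),
                  build_connect_request("secure.example.org", 8443),
                  REDIRECTED_SSL_BYTES):
        decision = proxy_decide(first)
        print(first[:40], "->", decision, proxy_response(decision))
```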