Re: [squid-users] WCCP transparent proxy

From: nipun_mlist Assam <nipunmlist_at_gmail.com>
Date: Wed, 12 Oct 2011 14:49:27 +0530

On Wed, Oct 12, 2011 at 11:05 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 12/10/11 17:33, nipun_mlist Assam wrote:
>>
>> This may be relevant to this question.
>> While trying to use squid for transparent proxy (tproxy) on linux
>> (kernel 2.6.39 with centos 6.0), I noticed the following
>>
>> 1. Client IP spoofing doesn't work (but for our work, this requirement
>> was a must).
>
> In what way?

The root web server was seeing the IP of the squid box, not of the
client machine, for all HTTP requests. I.e., the web server will see
that the HTTP requests are coming from the squid box. Our requirement
is that both the web servers and client machines should not be aware
of a squid proxy sitting in between, and hence they should not see the
IP of the squid box in HTTP-related traffic.

squid.conf is as shown below (I am pasting only http_port related lines):

.
.
http_port 85 tproxy
http_port 86 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
.
.

IPTABLES was configured as shown below (port 80 traffic is forwarded
to port 85, where squid "expects" HTTP traffic, and port 443 traffic
is forwarded to port 86, where "HTTPS" traffic is expected):

 iptables -t mangle -N DIVERT
 iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
 iptables -t mangle -A DIVERT -j MARK --set-mark 1
 iptables -t mangle -A DIVERT -j ACCEPT
 ip rule add fwmark 1 lookup 100
 ip route add local 0.0.0.0/0 dev lo table 100
 iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 85
 iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 86

>
>> 2. Squid with tproxy doesn't work with HTTPS traffic.
>
> In what way?
>
> HTTP:
>  http_port 1 tproxy ...
>
> HTTPS:
>  https_port 2 tproxy ...
>
>>

We cannot use https_port here, because we are seeing that the traffic
from squid to the root webserver goes as HTTP traffic after that.
We configured squid as follows:
http_port port1 tproxy
http_port port2 ssl-bump cert=/extra/squid/etc/Centos6.0.pem tproxy generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

In case of http_port, squid uses the "HTTP CONNECT" as a trigger to
switch to SSL. But with tproxy, there won't be any HTTP CONNECT from
the browsers (as browsers won't know they are going through a proxy),
and then squid fails (as it expects an HTTP request, but actually SSL
connect/handshake related data arrives).

>> I made fixes for both the issues and then the above problems were solved.
>> I made an assumption that traffic with destination port 443 will
>> always be used for HTTPS, and I used that as an indication to switch
>> to SSL on the squid side. Squid will transparently listen on two ports,
>> one of these ports will be used for port 80 traffic and the other for
>> port 443 traffic.
>
>
> You cannot make this assumption. The system administrator has configured the
> port (http_port vs https_port) to match the traffic arriving. Both in Squid
> and in the firewall. Replacing this manual configuration automatically with
> a possibly wrong assumption is not a good thing to do.
>
Ok. I will do the change.

> Also, Squid does not correctly handle the SSL when it arrives via
> interception. Due to not having the SSL security keys which are installed on
> the destination web server the client was contacting.
>  Do not confuse this with a TPROXY failure.
>
Yes. We are aware of this issue. Working around this issue might be a
lot of work.

>> I made the changes in squid 3.2.0.10 code base. I am wondering if
>> those fixes are already available somewhere.
>>
>> Regards,
>> Nipun
>>
>
> Please first re-check your solution to #2 in light of the https_port
> directive and comments above.
>
> Please check that the changes will still apply easily on the latest 3.2
> series or 3.HEAD series code.
>
> Then please submit to squid-dev mailing list for review. The submission
> guidelines can be found at:
>  http://wiki.squid-cache.org/MergeProcedure
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.15
>  Beta testers wanted for 3.2.0.12
>
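As an added example (not code from this thread or from Squid), the check below looks at the first bytes of an intercepted TCP stream and tells an HTTP request line apart from a TLS ClientHello, then contrasts that with the "port 443 means HTTPS" assumption discussed above. The function names and the sample bytes are constructed for the example.

```python
# Added example: content-based classification of intercepted traffic versus
# the port-based guess from the thread. Not Squid code; names are constructed.
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r?\n")


def classify_initial_bytes(data: bytes) -> str:
    """Return 'tls-clienthello', 'http' or 'unknown' for the start of a stream."""
    # TLS record header: ContentType 0x16 (handshake), ProtocolVersion 0x03xx,
    # 2-byte length; then a handshake header whose first byte 0x01 is ClientHello.
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        record_len = int.from_bytes(data[3:5], "big")
        if record_len >= 4:  # at least a handshake header must fit in the record
            return "tls-clienthello"
    if REQUEST_LINE.match(data):
        return "http"
    return "unknown"


def port_based_guess(dst_port: int) -> str:
    """The assumption from the thread: destination port 443 is TLS, anything else HTTP."""
    return "tls-clienthello" if dst_port == 443 else "http"


def content_port_mismatch(dst_port: int, data: bytes) -> bool:
    """True when what actually arrived disagrees with the port-based guess."""
    return classify_initial_bytes(data) != port_based_guess(dst_port)


# Constructed samples: the first 11 bytes of a TLS 1.2 ClientHello record, and a
# plain HTTP request such as squid expects on its http_port.
CLIENTHELLO_PREFIX = bytes.fromhex("160301 00c8 01 0000c4 0303")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for port, data in ((443, CLIENTHELLO_PREFIX), (443, HTTP_REQUEST), (80, HTTP_REQUEST)):
        print(port, classify_initial_bytes(data), "mismatch" if content_port_mismatch(port, data) else "ok")
```

Plain HTTP arriving on port 443 is reported as a mismatch, which is the case a port-only rule silently gets wrong.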
Received on Wed Oct 12 2011 - 09:19:42 MDT
