Redirect 443 Traffic of a Particular Incoming IP Address?Easiest way to allow direct HTTPS connection in Intercept mode?Transparent redirection to squid proxy server on the cloudSquid transparent proxy for outgoing traffic onlyURL filtering HTTPS trafficTransparent Proxy squid TCP_MISS/503 Error in all pagesQuestions about squids transparent proxyHTTPS Content Filtering without de-crypting traffic using squid?How do I configure my Ubuntu Server running Squid to act as a gateway?IP Tables intercept exceptionBlock HTTPS Traffic with Transparent Proxy Setup
On San Andreas Speedruns, why do players blow up the Picador in the mission Ryder?
Why does the hash of infinity have the digits of π?
Why didn't Thanos use the Time Stone to stop the Avengers' plan?
Is this statement about cut time correct?
Need to read my home electrical Meter
Why isn't 'chemically-strengthened glass' made with potassium carbonate to begin with?
WordPress 5.2.1 deactivated my jQuery
Why haven't we yet tried accelerating a space station with people inside to a near light speed?
Manager questioning my time estimates for a project
The art of clickbait captions
Why are Stein manifolds/spaces the analog of affine varieties/schemes in algebraic geometry?
USPS Back Room - Trespassing?
How did NASA Langley end up with the first 737?
Finding collisions of the first few bits of a SHA-1 hash
Why did British Steel have to borrow 120 million pounds (from the government) to cover its ETS obligations?
Take elements from a list based on two criteria
Public transport tickets in UK for two weeks
Find this cartoon
How to deal with a colleague who is being aggressive?
What could a self-sustaining lunar colony slowly lose that would ultimately prove fatal?
Shorten or merge multiple lines of `&> /dev/null &`
How do I superimpose two math symbols?
How can I make an argument that my time is valuable?
Are there any German nonsense poems (Jabberwocky)?
Redirect 443 Traffic of a Particular Incoming IP Address?
Easiest way to allow direct HTTPS connection in Intercept mode?Transparent redirection to squid proxy server on the cloudSquid transparent proxy for outgoing traffic onlyURL filtering HTTPS trafficTransparent Proxy squid TCP_MISS/503 Error in all pagesQuestions about squids transparent proxyHTTPS Content Filtering without de-crypting traffic using squid?How do I configure my Ubuntu Server running Squid to act as a gateway?IP Tables intercept exceptionBlock HTTPS Traffic with Transparent Proxy Setup
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
Currently, my IPtable indiscriminately sends all incoming request to my Squid transparent proxy. However, since I need SSL to work, I need a way to avoid intercepting SSL traffic.
Idea
- example.com -> IP= 100.100.100.1
- http access to example.com -> Send to Squid proxy
- https access to example.com -> Intercept request for 100.100.100.1:443; instead of sending it to Squid proxy, redirect it back to the ip of example.com 100.100.100.1
Is it possible to do this in iptable? Thanks!
Edit: I'm adding more information about my setup.
- End-Client
- DNS Server
- Squid Box
Due to specific requirement, I have to send traffic to the Squid transparent proxy using DNS redirection rather than typical router/gateway redirection.
Interception Method
- User Requests www.example.com
- DNS server points www.example.com to Squid Server
- Squid server intercepts www.example.com request
Current IP Table Rules
- Forward Port 80 to Port 3128 (Squid port)
- Forward Port 443 to Port 3128 (Squid Port)
Apparently, you are using a typical router/gateway to forward traffic to Squid, you can just forward port 80 and ignore 443 because 443 traffic will go directly, bypassing Squid.
Unfortunately, with my current setup, if I don't forward 443, any https connection will simply timeout.
The only solution now is to intercept all 443 request, map the each domain with each unique IP address, and send the request back to the original source IP.
I tried using Rinetd to forward 443 to the original website's IP address. Unfortunately, this method will forward all my 443 traffic to only 1 IP address because it won't differentiate the request IP.
For example, I map 443 to the IP of Gmail.com. When I visit https://gmail.com, it will work fine. However, if I visit https://hotmail.com, it will still send me to the IP of gmail.com
I need to find a way to map each IP with each domain so when I visit gmail.com, it will forward to the IP of gmail; when I visit hotmail.com, it will forward me to the IP of hotmail.com
iptables squid
asked Jul 24 '11 at 3:56
NicoloNicolo
615
|
show 8 more comments
Currently, my IPtable indiscriminately sends all incoming request to my Squid transparent proxy. However, since I need SSL to work, I need a way to avoid intercepting SSL traffic.
Idea
- example.com -> IP= 100.100.100.1
- http access to example.com -> Send to Squid proxy
- https access to example.com -> Intercept request for 100.100.100.1:443; instead of sending it to Squid proxy, redirect it back to the ip of example.com 100.100.100.1
Is it possible to do this in iptable? Thanks!
Edit: I'm adding more information about my setup.
- End-Client
- DNS Server
- Squid Box
Due to specific requirement, I have to send traffic to the Squid transparent proxy using DNS redirection rather than typical router/gateway redirection.
Interception Method
- User Requests www.example.com
- DNS server points www.example.com to Squid Server
- Squid server intercepts www.example.com request
Current IP Table Rules
- Forward Port 80 to Port 3128 (Squid port)
- Forward Port 443 to Port 3128 (Squid Port)
Apparently, you are using a typical router/gateway to forward traffic to Squid, you can just forward port 80 and ignore 443 because 443 traffic will go directly, bypassing Squid.
Unfortunately, with my current setup, if I don't forward 443, any https connection will simply timeout.
The only solution now is to intercept all 443 request, map the each domain with each unique IP address, and send the request back to the original source IP.
I tried using Rinetd to forward 443 to the original website's IP address. Unfortunately, this method will forward all my 443 traffic to only 1 IP address because it won't differentiate the request IP.
For example, I map 443 to the IP of Gmail.com. When I visit https://gmail.com, it will work fine. However, if I visit https://hotmail.com, it will still send me to the IP of gmail.com
I need to find a way to map each IP with each domain so when I visit gmail.com, it will forward to the IP of gmail; when I visit hotmail.com, it will forward me to the IP of hotmail.com
iptables squid
asked Jul 24 '11 at 3:56
NicoloNicolo
615
2
You might want to share a snippet of your actual rules in place.
– user48838
Jul 24 '11 at 4:07
There's no such thing as a "transparent proxy with DNS redirection" -- that's just a proxy.
– womble♦
Jul 24 '11 at 5:54
It's a proxy. It's a transparent proxy, and I use DNS redirection to direct my traffic to my Squid box. I don't know why you down-voted this question? I've provided extensive information. I also spoke to Amos, one of the lead developers of Squid. He pointed me this possible solution so I need some helps on how to achieve this on iptable/rinetd.
– Nicolo
Jul 24 '11 at 6:09
What magical DNS server are you using that does this? Is it saving the requests anywhere?
– Zoredache
Jul 24 '11 at 7:10
@Zoredache: It doesn't take much to make any authoritative DNS server do this – just remove the root hints and add a wildcard A record at the root.
– fission
Jul 24 '11 at 7:32
|
show 8 more comments
Currently, my IPtable indiscriminately sends all incoming request to my Squid transparent proxy. However, since I need SSL to work, I need a way to avoid intercepting SSL traffic.
Idea
- example.com -> IP= 100.100.100.1
- http access to example.com -> Send to Squid proxy
- https access to example.com -> Intercept request for 100.100.100.1:443; instead of sending it to Squid proxy, redirect it back to the ip of example.com 100.100.100.1
Is it possible to do this in iptable? Thanks!
Edit: I'm adding more information about my setup.
- End-Client
- DNS Server
- Squid Box
Due to specific requirement, I have to send traffic to the Squid transparent proxy using DNS redirection rather than typical router/gateway redirection.
Interception Method
- User Requests www.example.com
- DNS server points www.example.com to Squid Server
- Squid server intercepts www.example.com request
Current IP Table Rules
- Forward Port 80 to Port 3128 (Squid port)
- Forward Port 443 to Port 3128 (Squid Port)
Apparently, you are using a typical router/gateway to forward traffic to Squid, you can just forward port 80 and ignore 443 because 443 traffic will go directly, bypassing Squid.
Unfortunately, with my current setup, if I don't forward 443, any https connection will simply timeout.
The only solution now is to intercept all 443 request, map the each domain with each unique IP address, and send the request back to the original source IP.
I tried using Rinetd to forward 443 to the original website's IP address. Unfortunately, this method will forward all my 443 traffic to only 1 IP address because it won't differentiate the request IP.
For example, I map 443 to the IP of Gmail.com. When I visit https://gmail.com, it will work fine. However, if I visit https://hotmail.com, it will still send me to the IP of gmail.com
I need to find a way to map each IP with each domain so when I visit gmail.com, it will forward to the IP of gmail; when I visit hotmail.com, it will forward me to the IP of hotmail.com
iptables squid
asked Jul 24 '11 at 3:56
NicoloNicolo
615
Currently, my IPtable indiscriminately sends all incoming request to my Squid transparent proxy. However, since I need SSL to work, I need a way to avoid intercepting SSL traffic.
Idea
- example.com -> IP= 100.100.100.1
- http access to example.com -> Send to Squid proxy
- https access to example.com -> Intercept request for 100.100.100.1:443; instead of sending it to Squid proxy, redirect it back to the ip of example.com 100.100.100.1
Is it possible to do this in iptable? Thanks!
Edit: I'm adding more information about my setup.
- End-Client
- DNS Server
- Squid Box
Due to specific requirement, I have to send traffic to the Squid transparent proxy using DNS redirection rather than typical router/gateway redirection.
Interception Method
- User Requests www.example.com
- DNS server points www.example.com to Squid Server
- Squid server intercepts www.example.com request
Current IP Table Rules
- Forward Port 80 to Port 3128 (Squid port)
- Forward Port 443 to Port 3128 (Squid Port)
Apparently, you are using a typical router/gateway to forward traffic to Squid, you can just forward port 80 and ignore 443 because 443 traffic will go directly, bypassing Squid.
Unfortunately, with my current setup, if I don't forward 443, any https connection will simply timeout.
The only solution now is to intercept all 443 request, map the each domain with each unique IP address, and send the request back to the original source IP.
I tried using Rinetd to forward 443 to the original website's IP address. Unfortunately, this method will forward all my 443 traffic to only 1 IP address because it won't differentiate the request IP.
For example, I map 443 to the IP of Gmail.com. When I visit https://gmail.com, it will work fine. However, if I visit https://hotmail.com, it will still send me to the IP of gmail.com
I need to find a way to map each IP with each domain so when I visit gmail.com, it will forward to the IP of gmail; when I visit hotmail.com, it will forward me to the IP of hotmail.com
iptables squid
iptables squid
asked Jul 24 '11 at 3:56
NicoloNicolo
615
asked Jul 24 '11 at 3:56
NicoloNicolo
615
edited Jul 24 '11 at 5:45
Nicolo
asked Jul 24 '11 at 3:56
NicoloNicolo
615
asked Jul 24 '11 at 3:56
NicoloNicolo
615
asked Jul 24 '11 at 3:56
NicoloNicolo
615
615
2
You might want to share a snippet of your actual rules in place.
– user48838
Jul 24 '11 at 4:07
There's no such thing as a "transparent proxy with DNS redirection" -- that's just a proxy.
– womble♦
Jul 24 '11 at 5:54
It's a proxy. It's a transparent proxy, and I use DNS redirection to direct my traffic to my Squid box. I don't know why you down-voted this question? I've provided extensive information. I also spoke to Amos, one of the lead developers of Squid. He pointed me this possible solution so I need some helps on how to achieve this on iptable/rinetd.
– Nicolo
Jul 24 '11 at 6:09
What magical DNS server are you using that does this? Is it saving the requests anywhere?
– Zoredache
Jul 24 '11 at 7:10
@Zoredache: It doesn't take much to make any authoritative DNS server do this – just remove the root hints and add a wildcard A record at the root.
– fission
Jul 24 '11 at 7:32
|
show 8 more comments
2
You might want to share a snippet of your actual rules in place.
– user48838
Jul 24 '11 at 4:07
There's no such thing as a "transparent proxy with DNS redirection" -- that's just a proxy.
– womble♦
Jul 24 '11 at 5:54
It's a proxy. It's a transparent proxy, and I use DNS redirection to direct my traffic to my Squid box. I don't know why you down-voted this question? I've provided extensive information. I also spoke to Amos, one of the lead developers of Squid. He pointed me this possible solution so I need some helps on how to achieve this on iptable/rinetd.
– Nicolo
Jul 24 '11 at 6:09
What magical DNS server are you using that does this? Is it saving the requests anywhere?
– Zoredache
Jul 24 '11 at 7:10
@Zoredache: It doesn't take much to make any authoritative DNS server do this – just remove the root hints and add a wildcard A record at the root.
– fission
Jul 24 '11 at 7:32
2
2
You might want to share a snippet of your actual rules in place.
– user48838
Jul 24 '11 at 4:07
You might want to share a snippet of your actual rules in place.
– user48838
Jul 24 '11 at 4:07
There's no such thing as a "transparent proxy with DNS redirection" -- that's just a proxy.
– womble♦
Jul 24 '11 at 5:54
There's no such thing as a "transparent proxy with DNS redirection" -- that's just a proxy.
– womble♦
Jul 24 '11 at 5:54
It's a proxy. It's a transparent proxy, and I use DNS redirection to direct my traffic to my Squid box. I don't know why you down-voted this question? I've provided extensive information. I also spoke to Amos, one of the lead developers of Squid. He pointed me this possible solution so I need some helps on how to achieve this on iptable/rinetd.
– Nicolo
Jul 24 '11 at 6:09
It's a proxy. It's a transparent proxy, and I use DNS redirection to direct my traffic to my Squid box. I don't know why you down-voted this question? I've provided extensive information. I also spoke to Amos, one of the lead developers of Squid. He pointed me this possible solution so I need some helps on how to achieve this on iptable/rinetd.
– Nicolo
Jul 24 '11 at 6:09
What magical DNS server are you using that does this? Is it saving the requests anywhere?
– Zoredache
Jul 24 '11 at 7:10
What magical DNS server are you using that does this? Is it saving the requests anywhere?
– Zoredache
Jul 24 '11 at 7:10
@Zoredache: It doesn't take much to make any authoritative DNS server do this – just remove the root hints and add a wildcard A record at the root.
– fission
Jul 24 '11 at 7:32
@Zoredache: It doesn't take much to make any authoritative DNS server do this – just remove the root hints and add a wildcard A record at the root.
– fission
Jul 24 '11 at 7:32
|
show 8 more comments
2 Answers
2
active
oldest
votes
What you're describing is a "transparent SSL proxy", which effectively doesn't exist (for the forward case; it could work for SSL accelerators). Let's see why:
- The client attempts to resolve serverfault.com.
- Your "fictitious DNS" server returns the address of the Squid box.
- The client connects to squidbox:443 and attempts to start a TLS session.
At this point, certificates need to be exchanged, etc.
However…how does the Squid box know what site is really being accessed (ie what remote host to connect to)? The client doesn't tell the SSL server what site it's expecting – it relies on the server to know that already! This is part of the security features of SSL.
It's the same problem with iptables – how would it know what host the client really wanted? That information is simply not available (because the "fictitious DNS" server has thrown it away).
The only way I know to proxy SSL is via the CONNECT method; and for that, you need to specify the Squid box as an explicit proxy.
Honestly, the problem is the DNS redirect. I'm baffled about why you can't use iptables to redirect port 80 and leave 443 alone.
answered Jul 24 '11 at 7:14
fissionfission
2,64111726
Thanks Fission. Based on what you said, Forward proxy could work with SSL? I can sign my own certificate under transparent mode but the browser obviously throws a SSL warning. Would forward mode also do this?
– Nicolo
Jul 24 '11 at 8:37
To answer your last part about leaving 443 alone, if I do not redirect 443 to my Squid port, all https connection will timeout because my squid traffic comes from DNS redirection instead of a typical internal network. My deployment requirement is special challenge.
– Nicolo
Jul 24 '11 at 8:39
I said that it was impossible. Squid cannot simply guess which site you're really trying to connect to.
– fission
Jul 24 '11 at 8:50
You are right about "how does the host know what the client wanted". I couldn't really figure this out either.
– Nicolo
Jul 24 '11 at 8:51
what aspect are you referring as impossible? the SSL part or the general DNS-Redirection-Squid part? For the latter, it works perfectly fine. DNS redirects the http request to my Squid box, my Squid Box intercepts it, proxy it, and acts as the intermediary between the client and the external web servers. This setup is working 100% in my present deployment. The only thing I need is to "enable" the SSL functionality.
– Nicolo
Jul 24 '11 at 8:55
|
show 2 more comments
You can not redirect the https traffic (443) to any port, using iptables. Squid does not process https requests in transparent mode (only http):
PD: eth1 localnet and eth0 internet
You can do this: Redirect http traffic LAN (eth1) to a squid proxy transparent-port 8080 (http). In squid.conf must be the rule: http_port 8080 intercept
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
And open 443 port to localnet
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 443 -o eth0 -j ACCEPT
You can not do this: Redirect https traffic LAN (eth1) to a squid proxy non-transparent-port 3128 (https) (Fake Rule). It does not matter if in squid.conf the rule exists: http_port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
Alternatives:
- Squid-in-the-middle SSL Bump
- Use a filtering by DNS instead of Proxy (like pi-hole). But it's slower than squid and it does not filter the protocol DNS over HTTPS
answered May 10 at 18:49
ajcgajcg
1063
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f293472%2fredirect-443-traffic-of-a-particular-incoming-ip-address%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
What you're describing is a "transparent SSL proxy", which effectively doesn't exist (for the forward case; it could work for SSL accelerators). Let's see why:
- The client attempts to resolve serverfault.com.
- Your "fictitious DNS" server returns the address of the Squid box.
- The client connects to squidbox:443 and attempts to start a TLS session.
At this point, certificates need to be exchanged, etc.
However…how does the Squid box know what site is really being accessed (ie what remote host to connect to)? The client doesn't tell the SSL server what site it's expecting – it relies on the server to know that already! This is part of the security features of SSL.
It's the same problem with iptables – how would it know what host the client really wanted? That information is simply not available (because the "fictitious DNS" server has thrown it away).
The only way I know to proxy SSL is via the CONNECT method; and for that, you need to specify the Squid box as an explicit proxy.
Honestly, the problem is the DNS redirect. I'm baffled about why you can't use iptables to redirect port 80 and leave 443 alone.
answered Jul 24 '11 at 7:14
fissionfission
2,64111726
Thanks Fission. Based on what you said, Forward proxy could work with SSL? I can sign my own certificate under transparent mode but the browser obviously throws a SSL warning. Would forward mode also do this?
– Nicolo
Jul 24 '11 at 8:37
To answer your last part about leaving 443 alone, if I do not redirect 443 to my Squid port, all https connection will timeout because my squid traffic comes from DNS redirection instead of a typical internal network. My deployment requirement is special challenge.
– Nicolo
Jul 24 '11 at 8:39
I said that it was impossible. Squid cannot simply guess which site you're really trying to connect to.
– fission
Jul 24 '11 at 8:50
You are right about "how does the host know what the client wanted". I couldn't really figure this out either.
– Nicolo
Jul 24 '11 at 8:51
what aspect are you referring as impossible? the SSL part or the general DNS-Redirection-Squid part? For the latter, it works perfectly fine. DNS redirects the http request to my Squid box, my Squid Box intercepts it, proxy it, and acts as the intermediary between the client and the external web servers. This setup is working 100% in my present deployment. The only thing I need is to "enable" the SSL functionality.
– Nicolo
Jul 24 '11 at 8:55
|
show 2 more comments
What you're describing is a "transparent SSL proxy", which effectively doesn't exist (for the forward case; it could work for SSL accelerators). Let's see why:
- The client attempts to resolve serverfault.com.
- Your "fictitious DNS" server returns the address of the Squid box.
- The client connects to squidbox:443 and attempts to start a TLS session.
At this point, certificates need to be exchanged, etc.
However…how does the Squid box know what site is really being accessed (ie what remote host to connect to)? The client doesn't tell the SSL server what site it's expecting – it relies on the server to know that already! This is part of the security features of SSL.
It's the same problem with iptables – how would it know what host the client really wanted? That information is simply not available (because the "fictitious DNS" server has thrown it away).
The only way I know to proxy SSL is via the CONNECT method; and for that, you need to specify the Squid box as an explicit proxy.
Honestly, the problem is the DNS redirect. I'm baffled about why you can't use iptables to redirect port 80 and leave 443 alone.
answered Jul 24 '11 at 7:14
fissionfission
2,64111726
Thanks Fission. Based on what you said, Forward proxy could work with SSL? I can sign my own certificate under transparent mode but the browser obviously throws a SSL warning. Would forward mode also do this?
– Nicolo
Jul 24 '11 at 8:37
To answer your last part about leaving 443 alone, if I do not redirect 443 to my Squid port, all https connection will timeout because my squid traffic comes from DNS redirection instead of a typical internal network. My deployment requirement is special challenge.
– Nicolo
Jul 24 '11 at 8:39
I said that it was impossible. Squid cannot simply guess which site you're really trying to connect to.
– fission
Jul 24 '11 at 8:50
You are right about "how does the host know what the client wanted". I couldn't really figure this out either.
– Nicolo
Jul 24 '11 at 8:51
what aspect are you referring as impossible? the SSL part or the general DNS-Redirection-Squid part? For the latter, it works perfectly fine. DNS redirects the http request to my Squid box, my Squid Box intercepts it, proxy it, and acts as the intermediary between the client and the external web servers. This setup is working 100% in my present deployment. The only thing I need is to "enable" the SSL functionality.
– Nicolo
Jul 24 '11 at 8:55
|
show 2 more comments
What you're describing is a "transparent SSL proxy", which effectively doesn't exist (for the forward case; it could work for SSL accelerators). Let's see why:
- The client attempts to resolve serverfault.com.
- Your "fictitious DNS" server returns the address of the Squid box.
- The client connects to squidbox:443 and attempts to start a TLS session.
At this point, certificates need to be exchanged, etc.
However…how does the Squid box know what site is really being accessed (ie what remote host to connect to)? The client doesn't tell the SSL server what site it's expecting – it relies on the server to know that already! This is part of the security features of SSL.
It's the same problem with iptables – how would it know what host the client really wanted? That information is simply not available (because the "fictitious DNS" server has thrown it away).
The only way I know to proxy SSL is via the CONNECT method; and for that, you need to specify the Squid box as an explicit proxy.
Honestly, the problem is the DNS redirect. I'm baffled about why you can't use iptables to redirect port 80 and leave 443 alone.
answered Jul 24 '11 at 7:14
fissionfission
2,64111726
What you're describing is a "transparent SSL proxy", which effectively doesn't exist (for the forward case; it could work for SSL accelerators). Let's see why:
- The client attempts to resolve serverfault.com.
- Your "fictitious DNS" server returns the address of the Squid box.
- The client connects to squidbox:443 and attempts to start a TLS session.
At this point, certificates need to be exchanged, etc.
However…how does the Squid box know what site is really being accessed (ie what remote host to connect to)? The client doesn't tell the SSL server what site it's expecting – it relies on the server to know that already! This is part of the security features of SSL.
It's the same problem with iptables – how would it know what host the client really wanted? That information is simply not available (because the "fictitious DNS" server has thrown it away).
The only way I know to proxy SSL is via the CONNECT method; and for that, you need to specify the Squid box as an explicit proxy.
Honestly, the problem is the DNS redirect. I'm baffled about why you can't use iptables to redirect port 80 and leave 443 alone.
answered Jul 24 '11 at 7:14
fissionfission
2,64111726
answered Jul 24 '11 at 7:14
fissionfission
2,64111726
answered Jul 24 '11 at 7:14
fissionfission
2,64111726
answered Jul 24 '11 at 7:14
fissionfission
2,64111726
2,64111726
Thanks Fission. Based on what you said, Forward proxy could work with SSL? I can sign my own certificate under transparent mode but the browser obviously throws a SSL warning. Would forward mode also do this?
– Nicolo
Jul 24 '11 at 8:37
To answer your last part about leaving 443 alone, if I do not redirect 443 to my Squid port, all https connection will timeout because my squid traffic comes from DNS redirection instead of a typical internal network. My deployment requirement is special challenge.
– Nicolo
Jul 24 '11 at 8:39
I said that it was impossible. Squid cannot simply guess which site you're really trying to connect to.
– fission
Jul 24 '11 at 8:50
You are right about "how does the host know what the client wanted". I couldn't really figure this out either.
– Nicolo
Jul 24 '11 at 8:51
what aspect are you referring as impossible? the SSL part or the general DNS-Redirection-Squid part? For the latter, it works perfectly fine. DNS redirects the http request to my Squid box, my Squid Box intercepts it, proxy it, and acts as the intermediary between the client and the external web servers. This setup is working 100% in my present deployment. The only thing I need is to "enable" the SSL functionality.
– Nicolo
Jul 24 '11 at 8:55
|
show 2 more comments
Thanks Fission. Based on what you said, Forward proxy could work with SSL? I can sign my own certificate under transparent mode but the browser obviously throws a SSL warning. Would forward mode also do this?
– Nicolo
Jul 24 '11 at 8:37
To answer your last part about leaving 443 alone, if I do not redirect 443 to my Squid port, all https connection will timeout because my squid traffic comes from DNS redirection instead of a typical internal network. My deployment requirement is special challenge.
– Nicolo
Jul 24 '11 at 8:39
I said that it was impossible. Squid cannot simply guess which site you're really trying to connect to.
– fission
Jul 24 '11 at 8:50
You are right about "how does the host know what the client wanted". I couldn't really figure this out either.
– Nicolo
Jul 24 '11 at 8:51
what aspect are you referring as impossible? the SSL part or the general DNS-Redirection-Squid part? For the latter, it works perfectly fine. DNS redirects the http request to my Squid box, my Squid Box intercepts it, proxy it, and acts as the intermediary between the client and the external web servers. This setup is working 100% in my present deployment. The only thing I need is to "enable" the SSL functionality.
– Nicolo
Jul 24 '11 at 8:55
Thanks Fission. Based on what you said, Forward proxy could work with SSL? I can sign my own certificate under transparent mode but the browser obviously throws a SSL warning. Would forward mode also do this?
– Nicolo
Jul 24 '11 at 8:37
Thanks Fission. Based on what you said, Forward proxy could work with SSL? I can sign my own certificate under transparent mode but the browser obviously throws a SSL warning. Would forward mode also do this?
– Nicolo
Jul 24 '11 at 8:37
To answer your last part about leaving 443 alone, if I do not redirect 443 to my Squid port, all https connection will timeout because my squid traffic comes from DNS redirection instead of a typical internal network. My deployment requirement is special challenge.
– Nicolo
Jul 24 '11 at 8:39
To answer your last part about leaving 443 alone, if I do not redirect 443 to my Squid port, all https connection will timeout because my squid traffic comes from DNS redirection instead of a typical internal network. My deployment requirement is special challenge.
– Nicolo
Jul 24 '11 at 8:39
I said that it was impossible. Squid cannot simply guess which site you're really trying to connect to.
– fission
Jul 24 '11 at 8:50
I said that it was impossible. Squid cannot simply guess which site you're really trying to connect to.
– fission
Jul 24 '11 at 8:50
You are right about "how does the host know what the client wanted". I couldn't really figure this out either.
– Nicolo
Jul 24 '11 at 8:51
You are right about "how does the host know what the client wanted". I couldn't really figure this out either.
– Nicolo
Jul 24 '11 at 8:51
what aspect are you referring as impossible? the SSL part or the general DNS-Redirection-Squid part? For the latter, it works perfectly fine. DNS redirects the http request to my Squid box, my Squid Box intercepts it, proxy it, and acts as the intermediary between the client and the external web servers. This setup is working 100% in my present deployment. The only thing I need is to "enable" the SSL functionality.
– Nicolo
Jul 24 '11 at 8:55
what aspect are you referring as impossible? the SSL part or the general DNS-Redirection-Squid part? For the latter, it works perfectly fine. DNS redirects the http request to my Squid box, my Squid Box intercepts it, proxy it, and acts as the intermediary between the client and the external web servers. This setup is working 100% in my present deployment. The only thing I need is to "enable" the SSL functionality.
– Nicolo
Jul 24 '11 at 8:55
|
show 2 more comments
You can not redirect the https traffic (443) to any port, using iptables. Squid does not process https requests in transparent mode (only http):
PD: eth1 localnet and eth0 internet
You can do this: Redirect http traffic LAN (eth1) to a squid proxy transparent-port 8080 (http). In squid.conf must be the rule: http_port 8080 intercept
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
And open 443 port to localnet
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 443 -o eth0 -j ACCEPT
You can not do this: Redirect https traffic LAN (eth1) to a squid proxy non-transparent-port 3128 (https) (Fake Rule). It does not matter if in squid.conf the rule exists: http_port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
Alternatives:
- Squid-in-the-middle SSL Bump
- Use a filtering by DNS instead of Proxy (like pi-hole). But it's slower than squid and it does not filter the protocol DNS over HTTPS
answered May 10 at 18:49
ajcgajcg
1063
add a comment |
You can not redirect the https traffic (443) to any port, using iptables. Squid does not process https requests in transparent mode (only http):
PD: eth1 localnet and eth0 internet
You can do this: Redirect http traffic LAN (eth1) to a squid proxy transparent-port 8080 (http). In squid.conf must be the rule: http_port 8080 intercept
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
And open 443 port to localnet
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 443 -o eth0 -j ACCEPT
You can not do this: Redirect https traffic LAN (eth1) to a squid proxy non-transparent-port 3128 (https) (Fake Rule). It does not matter if in squid.conf the rule exists: http_port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
Alternatives:
- Squid-in-the-middle SSL Bump
- Use a filtering by DNS instead of Proxy (like pi-hole). But it's slower than squid and it does not filter the protocol DNS over HTTPS
answered May 10 at 18:49
ajcgajcg
1063
add a comment |
You can not redirect the https traffic (443) to any port, using iptables. Squid does not process https requests in transparent mode (only http):
PD: eth1 localnet and eth0 internet
You can do this: Redirect http traffic LAN (eth1) to a squid proxy transparent-port 8080 (http). In squid.conf must be the rule: http_port 8080 intercept
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
And open 443 port to localnet
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 443 -o eth0 -j ACCEPT
You can not do this: Redirect https traffic LAN (eth1) to a squid proxy non-transparent-port 3128 (https) (Fake Rule). It does not matter if in squid.conf the rule exists: http_port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
Alternatives:
- Squid-in-the-middle SSL Bump
- Use a filtering by DNS instead of Proxy (like pi-hole). But it's slower than squid and it does not filter the protocol DNS over HTTPS
answered May 10 at 18:49
ajcgajcg
1063
You can not redirect the https traffic (443) to any port, using iptables. Squid does not process https requests in transparent mode (only http):
PD: eth1 localnet and eth0 internet
You can do this: Redirect http traffic LAN (eth1) to a squid proxy transparent-port 8080 (http). In squid.conf must be the rule: http_port 8080 intercept
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
And open 443 port to localnet
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp --dport 443 -o eth0 -j ACCEPT
You can not do this: Redirect https traffic LAN (eth1) to a squid proxy non-transparent-port 3128 (https) (Fake Rule). It does not matter if in squid.conf the rule exists: http_port 3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3128
Alternatives:
- Squid-in-the-middle SSL Bump
- Use a filtering by DNS instead of Proxy (like pi-hole). But it's slower than squid and it does not filter the protocol DNS over HTTPS
answered May 10 at 18:49
ajcgajcg
1063
edited May 10 at 19:09
answered May 10 at 18:49
ajcgajcg
1063
answered May 10 at 18:49
ajcgajcg
1063
answered May 10 at 18:49
ajcgajcg
1063
1063
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f293472%2fredirect-443-traffic-of-a-particular-incoming-ip-address%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
You might want to share a snippet of your actual rules in place.
– user48838
Jul 24 '11 at 4:07
There's no such thing as a "transparent proxy with DNS redirection" -- that's just a proxy.
– womble♦
Jul 24 '11 at 5:54
It's a proxy. It's a transparent proxy, and I use DNS redirection to direct my traffic to my Squid box. I don't know why you down-voted this question? I've provided extensive information. I also spoke to Amos, one of the lead developers of Squid. He pointed me this possible solution so I need some helps on how to achieve this on iptable/rinetd.
– Nicolo
Jul 24 '11 at 6:09
What magical DNS server are you using that does this? Is it saving the requests anywhere?
– Zoredache
Jul 24 '11 at 7:10
@Zoredache: It doesn't take much to make any authoritative DNS server do this – just remove the root hints and add a wildcard A record at the root.
– fission
Jul 24 '11 at 7:32