Hey,

Let me see if I understood that right.

I can change TPROXY to REDIRECT in my iptables.sh and in the ssl-bump replace 
proxy with intercept.
Then, I can run your bash script after creating domains-to-bypass.txt and 
putting the Skype domains in there.
Is that right? Or am I missing something?

P.S.: Skype for Business uses Lync servers, I do not think skype.com is its 
domain at all.


Think about the environment before printing this email.

On Dec 5, 2016, at 6:54 PM, Eliezer Croitoru <elie...@ngtech.co.il> wrote:

Hey,

Well, it's nice to have such a tutorial, but I didn't follow all of it.
You will want to use REDIRECT in the nat table rather than TPROXY.
But if it works now and the only issue is skype then you can try my script at:
https://gist.github.com/elico/e0faadf0cc63942c5aaade808a87deef

And maybe you will need to monitor your logs for incoming requests with new IP 
addresses.
I started working on an external_acl helper that can help in such scenarios, 
which identifies whether the destination server might be Skype's, but I think 
that most of the information exists at:
https://github.com/vel21ripn/nDPI/blob/netfilter/src/lib/protocols/skype.c
https://github.com/ntop/nDPI/blob/dev/src/lib/protocols/skype.c
And also:
https://github.com/ntop/nDPI/blob/d9a2d9a6bd4d476d666d26cb713952760a975d92/src/lib/ndpi_content_match.c.inc#L286

Try to see if it works fine when you add these IP addresses to the bypass.

Eliezer

----
Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

From: Sameh Onaissi [mailto:sameh.onai...@solcv.com]
Sent: Tuesday, December 6, 2016 1:28 AM
To: Eliezer Croitoru <elie...@ngtech.co.il>
Cc: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Skype for Business behind a transparent squid 
(TProxy) HTTP/S

Hello Eliezer, thank you for the reply.

Honestly, to get things working after several failed attempts to intercept 
HTTPS, I followed this guide: 
http://www.cyberscie.com/2015/08/installing-squid-357-as-transparent.html?showComment=1463513043421

My squid.conf is simple: http://pastebin.com/9uZ4kxW6

I have collected a few IPs that Skype for Business uses; I tried allowing them 
through iptables, but it did not work.




On Dec 5, 2016, at 6:16 PM, Eliezer Croitoru <elie...@ngtech.co.il> wrote:

Hey,

The first suggestion is to find out which servers need to be in the exceptions 
from squid interception.
It should be a bunch of IP addresses.
The possibility of Skype hosting services holding unwanted sites or content is 
slight but not impossible.
You don't need TPROXY on this machine since it is masquerading in any case (just 
a pointer that will ease your life).

We can try to recognize together which IP addresses are required to be 
"bypassed" from squid interception.
And we are missing the squid.conf, so we are limited in even knowing whether 
your setup should work to begin with.

Eliezer

----
Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Sameh Onaissi
Sent: Tuesday, December 6, 2016 12:47 AM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Skype for Business behind a transparent squid (TProxy) 
HTTP/S

I have an Ubuntu 16.04 server with Squid 3.5.22 installed. It acts as a gateway 
in a LAN.
It is configured to intercept HTTP and HTTPS traffic (transparent), so iptables 
redirects were used for ports 80 and 443.
The server runs two scripts:
nat.sh, to bridge the two network cards, allowing LAN computers access to the 
internet through the server's Internet interface card.
iptables.sh, which defines the IP rules and port forwarding: 
http://pastebin.com/SqpbmYQQ


BEFORE RUNNING iptables.sh...
When I connect a LAN computer to it, everything works as expected. Complete 
Internet access with some HTTP and HTTPS domains blocked/redirected to another 
page. Skype for Business logs in successfully.

AFTER RUNNING iptables.sh
Skype for Business disconnects, and fails to re-connect, normal skype works 
just fine.

I revised: 
https://support.office.com/en-us/article/Create-DNS-records-at-eNomCentral-for-Office-365-a6626053-a9c8-445b-81ee-eeb6672fae77?ui=en-US&rs=en-US&ad=US#bkmk_verify
and added all DNS configurations on enom.
That got rid of the DNS error I was getting, but now I get another error saying 
the service is temporarily unavailable.
Any suggestions to why this is happening? Any solutions?
Note: both router and Ubuntu's WAN interface use Google's 8.8.8.8 DNS

Any help is really appreciated as I have been trying to fix this for days!









_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
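Editor's worked example for the bypass discussed in this thread (added here; it is not code from Eliezer's gist, from Sameh's iptables.sh, or from any message above). The thread's advice boils down to two things: use REDIRECT in the nat table instead of TPROXY, and make sure packets to the Skype for Business addresses are excluded from interception before the REDIRECT rule is reached. The script below generates that nat-table rule set from a file of IPv4 addresses/CIDRs, validates each entry, and emits every bypass RETURN ahead of the catch-all REDIRECTs in a dedicated chain, so the order cannot be got wrong by hand. Assumptions not stated in the thread: the LAN-facing interface is eth1, Squid listens with "http_port 3128 intercept" and "https_port 3129 intercept ssl-bump ...", and the bypass file holds addresses rather than DNS names (iptables matches addresses, and the names a client resolves are not visible to the nat table). The sample entries in the demo are constructed documentation-range addresses, not real Skype for Business servers.

```sh
#!/bin/sh
# Added example (editor's code, not from the thread): build the nat-table rules
# for a transparent Squid gateway so that a list of destination addresses is
# bypassed BEFORE the REDIRECT rules, i.e. traffic to them never reaches Squid.
# Assumptions (not stated in the thread): LAN-side interface eth1, Squid with
# "http_port 3128 intercept" and "https_port 3129 intercept ssl-bump ...".
# The bypass file holds one IPv4 address or CIDR per line ("#" starts a comment);
# it must contain addresses, not DNS names, because iptables matches addresses.

LAN_IF="${LAN_IF:-eth1}"
HTTP_PORT="${HTTP_PORT:-3128}"
HTTPS_PORT="${HTTPS_PORT:-3129}"
CHAIN="SQUID_INTERCEPT"   # dedicated chain, so the rest of iptables.sh is untouched

# is_ipv4_cidr ENTRY: succeed only for a.b.c.d or a.b.c.d/n with sane octets/prefix.
is_ipv4_cidr() {
  case "$1" in
    */*) addr="${1%/*}"; plen="${1#*/}" ;;
    *)   addr="$1";      plen=32 ;;
  esac
  echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  echo "$plen" | grep -Eq '^[0-9]{1,2}$' || return 1
  [ "$plen" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $addr            # split the address into its four octets
  IFS=$oldifs
  for octet in "$1" "$2" "$3" "$4"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# gen_rules FILE: print the iptables commands (review them, then pipe to sh as root).
# Order matters: every RETURN for a bypassed destination is emitted before the
# catch-all REDIRECTs, so iptables stops at the bypass and the packet is routed
# normally (the MASQUERADE rule in POSTROUTING still applies to it).
gen_rules() {
  file="$1"
  echo "iptables -t nat -N $CHAIN 2>/dev/null || true"
  echo "iptables -t nat -F $CHAIN"
  while IFS= read -r line || [ -n "$line" ]; do
    entry="${line%%#*}"                        # drop trailing comment
    entry="$(echo "$entry" | tr -d '[:space:]')"
    [ -n "$entry" ] || continue                # blank or comment-only line
    if ! is_ipv4_cidr "$entry"; then
      echo "# skipped invalid bypass entry: $line" >&2
      continue
    fi
    for port in 80 443; do
      echo "iptables -t nat -A $CHAIN -p tcp -d $entry --dport $port -j RETURN"
    done
  done < "$file"
  echo "iptables -t nat -A $CHAIN -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_PORT"
  echo "iptables -t nat -A $CHAIN -p tcp --dport 443 -j REDIRECT --to-ports $HTTPS_PORT"
  # Hook the chain into PREROUTING once; -C tests whether the jump already exists.
  echo "iptables -t nat -C PREROUTING -i $LAN_IF -p tcp -j $CHAIN 2>/dev/null ||" \
       "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -j $CHAIN"
}

# Stand-alone demo with a constructed bypass file (documentation-range addresses,
# not real Skype for Business servers; replace with addresses seen in your logs).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# constructed sample entries
198.51.100.0/24
203.0.113.7        # a single host
not-an-address     # rejected by is_ipv4_cidr and reported on stderr
EOF
gen_rules "$sample"
rm -f "$sample"
```

Run it as "sh bypass-rules.sh > rules.sh", read rules.sh, then "sh rules.sh" as root; "iptables -t nat -L SQUID_INTERCEPT -n --line-numbers" shows the installed order, with the RETURNs above the two REDIRECTs. Because the jump is restricted to "-i eth1", Squid's own outbound connections from the gateway are never re-intercepted. If you stay with the TPROXY setup instead, the same bypass entries have to go in the mangle table ahead of the TPROXY rule, since REDIRECT and TPROXY live in different tables. And as Eliezer says, the address list will drift: keep watching access.log for new Skype for Business destinations and regenerate the rules when you add entries.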
