On 30/06/2021 15:25, Antony Stone wrote:
On Wednesday 30 June 2021 at 14:16:09, Ben Goz wrote:

I'm trying to configure squid as a transparent proxy using TPROXY.
The machine I'm using has 2 NICs, one for input and the other one for
output traffic.
The TPROXY iptables rules are configured on the input NIC.
1. Which version of Squid are you using?
# ./squid -v
Squid Cache: Version 4.15
Service Name: squid

This binary uses OpenSSL 1.1.1f  31 Mar 2020. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--with-openssl' '--enable-ssl-crtd' '--enable-ecap' '--enable-linux-netfilter' --enable-ltdl-convenience


2. Please show us the TPROXY rules you have.


iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 15644
iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 15645


including:

ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100


3. Please show us the relevant lines for intercept proxying from your
squid.conf


http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on options=ALL dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem dhparams=/usr/local/squid/etc/dhparam.pem
always_direct allow all
Regards,


Antony.
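The pieces of a TPROXY setup that have to agree with each other are spread over three tools: the iptables `--on-port` values and `--tproxy-mark`/`--set-mark` marks, the `fwmark` and table number in the `ip rule`/`ip route` lines, and the `http_port`/`https_port ... tproxy` lines in squid.conf. The following Python script is an added consistency checker, not part of this thread and not Squid's own tooling; it takes the rules and config exactly as posted above (embedded as sample input), parses them, and reports any mismatch between them. The check names, messages and the `check_tproxy_setup` function are my own construction.

```python
import re
from typing import List, Optional, Tuple

# Sample input: the poster's own iptables, ip and squid.conf lines from the thread,
# embedded verbatim so the checker runs offline.
IPTABLES_RULES = """
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 15644
iptables -t mangle -A PREROUTING -i bond0.213 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 15645
"""

IP_RULES = """
ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100
"""

SQUID_CONF = """
http_port 15644 tproxy
https_port 15645 ssl-bump tproxy generate-host-certificates=on options=ALL dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/ssl_cert/myCA.pem dhparams=/usr/local/squid/etc/dhparam.pem
always_direct allow all
"""


def _parse_mark(token: str) -> Tuple[int, int]:
    """Parse 'N', '0xN' or 'value/mask' (the forms iptables and ip accept) into (value, mask)."""
    if "/" in token:
        value, mask = token.split("/", 1)
        return int(value, 0), int(mask, 0)
    return int(token, 0), 0xFFFFFFFF


def check_tproxy_setup(iptables_text: str, ip_text: str, squid_text: str) -> List[str]:
    """Return the inconsistencies found between the three pieces; an empty list means they agree."""
    problems: List[str] = []

    # iptables: collect TPROXY rules, DIVERT marks and the position of the '-m socket' rule.
    tproxy_rules = []  # (dport, mark value, mark mask, on-port, line position)
    divert_marks: List[int] = []
    socket_pos: Optional[int] = None
    for pos, raw in enumerate(l.strip() for l in iptables_text.splitlines()):
        if not raw.startswith("iptables"):
            continue
        chain_m = re.search(r"\s-A (\S+)", raw)
        chain = chain_m.group(1) if chain_m else None
        if "-j TPROXY" in raw:
            mark_m = re.search(r"--tproxy-mark (\S+)", raw)
            port_m = re.search(r"--on-port (\d+)", raw)
            dport_m = re.search(r"--dport (\d+)", raw)
            if "-t mangle" not in raw or chain != "PREROUTING":
                problems.append(f"TPROXY rule is not in mangle/PREROUTING: {raw}")
            if not (mark_m and port_m):
                problems.append(f"TPROXY rule lacks --tproxy-mark or --on-port: {raw}")
                continue
            value, mask = _parse_mark(mark_m.group(1))
            dport = int(dport_m.group(1)) if dport_m else None
            tproxy_rules.append((dport, value, mask, int(port_m.group(1)), pos))
        elif "-j MARK" in raw:
            set_m = re.search(r"--set-mark (\S+)", raw)
            if set_m:
                divert_marks.append(_parse_mark(set_m.group(1))[0])
        elif "-m socket" in raw and chain == "PREROUTING":
            socket_pos = pos

    # ip rule / ip route: the fwmark must select the table that holds the local default route.
    rule_mark: Optional[Tuple[int, int]] = None
    rule_table = route_table = None
    for raw in ip_text.splitlines():
        m = re.search(r"ip rule add fwmark (\S+) lookup (\S+)", raw)
        if m:
            rule_mark, rule_table = _parse_mark(m.group(1)), m.group(2)
        m = re.search(r"route add local default dev lo table (\S+)", raw)
        if m:
            route_table = m.group(1)
    if rule_mark is None:
        problems.append("no 'ip rule add fwmark ... lookup ...' line")
    if route_table is None:
        problems.append("no 'ip route add local default dev lo table ...' line")
    elif rule_table is not None and rule_table != route_table:
        problems.append(f"ip rule uses table {rule_table} but the local route is in table {route_table}")

    # squid.conf: listening ports that carry the tproxy flag.
    squid_ports = set()
    for raw in squid_text.splitlines():
        m = re.match(r"\s*https?_port\s+(?:\S*:)?(\d+)\s+(.*)", raw)
        if m and "tproxy" in m.group(2).split():
            squid_ports.add(int(m.group(1)))

    # Cross-checks between the three pieces.
    def matches_rule(mark: int) -> bool:
        return rule_mark is None or (mark & rule_mark[1]) == rule_mark[0]

    for dport, value, mask, on_port, pos in tproxy_rules:
        if on_port not in squid_ports:
            problems.append(f"iptables sends dport {dport} to port {on_port}, but squid.conf has no tproxy *_port {on_port}")
        if not matches_rule(value & mask):
            problems.append(f"--tproxy-mark {value:#x}/{mask:#x} does not match the ip rule fwmark")
        if socket_pos is not None and pos < socket_pos:
            problems.append(f"TPROXY rule for port {on_port} precedes the '-m socket' DIVERT rule in PREROUTING")
    for mark in divert_marks:
        if not matches_rule(mark):
            problems.append(f"DIVERT --set-mark {mark:#x} does not match the ip rule fwmark")
    if socket_pos is None:
        problems.append("no '-m socket' DIVERT rule in mangle/PREROUTING")
    for port in sorted(squid_ports - {r[3] for r in tproxy_rules}):
        problems.append(f"squid.conf tproxy port {port} has no iptables TPROXY rule sending traffic to it")
    return problems


if __name__ == "__main__":
    found = check_tproxy_setup(IPTABLES_RULES, IP_RULES, SQUID_CONF)
    print("\n".join(found) if found else "TPROXY rules, policy routing and squid.conf agree")
```

Run against the lines posted in this thread the checker reports no mismatch, so the port numbers, marks and routing table are at least mutually consistent; changing one `http_port` number or the `lookup` table in the sample input makes it report which side no longer lines up. It reads the text of the commands rather than live kernel state, so it is a pre-deployment sanity check, not a substitute for looking at `iptables -t mangle -S` and `ip rule show` on the box.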

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
