On 06/17/2013 12:01 PM, Nuno Fernandes wrote:
When I send traffic that I expect to be intercepted to Squid, I get
the following errors in the log file (and a TCP RST from Squid):

ERROR: No forward-proxy ports configured
NF getsockopt(SO_ORIGINAL_DST) failed on local=10.174.14.75:80
remote=107.3.142.99:60377 FD 10 flags=33: (92) Protocol not available

I know I am missing something pretty simple here.


I wouldn't say it is simple. I may be wrong, but I think it may not work. To my
knowledge, Squid in intercept mode will use the original destination of the TCP
connection (as passed by netfilter in SO_ORIGINAL_DST) as the server address
where it will fetch the X.509 cert and mimic that.
From what I've read in your email, the original destination is your Amazon box,
so it can't connect to itself and fetch the certificate.

Without transparent mode the browser explicitly connects to the proxy and requests
a connection to some server. Then Squid can fetch the certificate and mimic
that.

A working scenario would be to place a box at the customer's premises that would do
GRE tunneling to the Amazon box.

Best regards,
Nuno Fernandes

A GRE tunnel to the Amazon box wouldn't work.
You will need some tunnel, and preferably a secured one if you are intercepting any data.

The main idea is to route the traffic through the Squid box and not direct traffic to the Squid box, since Squid's logic is to "open the packets and resolve data based on the packets on how to fake the connection to the client" (too long).
But since the above is the idea, what you have done is pretty useless.
SSL works mostly based on IP, so you will need to keep the dst IP without the DNS thingy. I was asked about it a couple of times and people just don't understand how and what it does, and therefore make this specific engineering mistake in the development of a product.

If your client has demands, you can demand a couple of things too in order to complete your task. Intercepting SSL is not "yet just another thing"; it's a very complex and delicate task that should be handled carefully and smartly.

Eliezer
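The mechanism the three messages above argue about, as an added example that is not code from this thread or from Squid: on Linux an intercepting proxy recovers the client's real destination by calling getsockopt(SO_ORIGINAL_DST) on the accepted socket, which only works when netfilter NAT (REDIRECT/DNAT) rewrote the connection on its way through the box. The helper and enum names, the classification logic and the sample addresses (203.0.113.10 as the "real" server, 10.174.14.75 as the proxy, taken from the quoted log line) are my own, and the main() just exercises the call on a loopback connection that no NAT rule ever touched.

```c
// Added example (not from the squid-users thread or Squid itself): how an
// intercepting proxy on Linux recovers the pre-NAT destination and tells the
// two failure modes discussed in the thread apart. Helper names are mine.
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SOL_IP
#define SOL_IP 0
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80   /* value from <linux/netfilter_ipv4.h> */
#endif

enum intercept_state {
    INTERCEPT_OK,        /* NATed connection: original dst is a real server */
    INTERCEPT_NO_NAT,    /* no NAT/conntrack record: traffic was never REDIRECTed */
    INTERCEPT_SELF_LOOP  /* original dst is the proxy itself: client aimed at the box */
};

/* Ask netfilter for the pre-NAT IPv4 destination of an accepted socket.
   Returns 0 on success, -1 with errno set otherwise; ENOPROTOOPT (errno 92,
   "Protocol not available", as in the quoted log line) means the NAT
   getsockopt hook is not there at all, ENOENT that nothing was NATed. */
int get_original_dst(int fd, struct sockaddr_in *orig)
{
    socklen_t len = sizeof(*orig);
    memset(orig, 0, sizeof(*orig));
    return getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &len);
}

/* Decide what the proxy may do with the answer: got_orig is the return value
   of get_original_dst(), local the address the proxy accepted the socket on. */
enum intercept_state classify_intercept(int got_orig,
                                        const struct sockaddr_in *orig,
                                        const struct sockaddr_in *local)
{
    if (got_orig != 0)
        return INTERCEPT_NO_NAT;
    if (orig->sin_addr.s_addr == local->sin_addr.s_addr &&
        orig->sin_port == local->sin_port)
        return INTERCEPT_SELF_LOOP;   /* would connect back to itself */
    return INTERCEPT_OK;
}

const char *state_name(enum intercept_state s)
{
    return s == INTERCEPT_OK ? "intercepted" :
           s == INTERCEPT_NO_NAT ? "no-nat" : "self-loop";
}

/* Convenience wrapper for dotted-quad input; ports in host byte order. */
enum intercept_state check_addrs(int got_orig, const char *orig_ip, unsigned orig_port,
                                 const char *local_ip, unsigned local_port)
{
    struct sockaddr_in o = { .sin_family = AF_INET }, l = { .sin_family = AF_INET };
    o.sin_port = htons((uint16_t)orig_port);
    l.sin_port = htons((uint16_t)local_port);
    if (inet_pton(AF_INET, orig_ip, &o.sin_addr) != 1 ||
        inet_pton(AF_INET, local_ip, &l.sin_addr) != 1)
        return INTERCEPT_NO_NAT;
    return classify_intercept(got_orig, &o, &l);
}

int main(void)
{
    /* Stand-alone demo on a plain loopback connection that no NAT rule
       rewrote: expect "no-nat" (or "self-loop" on a host where conntrack
       tracks loopback and hands back the proxy's own address), never
       "intercepted". */
    int ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = 0 };
    socklen_t alen = sizeof(a);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (ls < 0 || cs < 0 || bind(ls, (struct sockaddr *)&a, sizeof(a)) < 0 ||
        listen(ls, 1) < 0 || getsockname(ls, (struct sockaddr *)&a, &alen) < 0 ||
        connect(cs, (struct sockaddr *)&a, sizeof(a)) < 0)
        return perror("setup"), 1;
    int fd = accept(ls, NULL, NULL);
    struct sockaddr_in orig, local;
    socklen_t llen = sizeof(local);
    getsockname(fd, (struct sockaddr *)&local, &llen);
    int rc = get_original_dst(fd, &orig);
    printf("getsockopt(SO_ORIGINAL_DST): %s\n", rc == 0 ? "ok" : strerror(errno));
    printf("state: %s\n", state_name(classify_intercept(rc, &orig, &local)));
    close(fd); close(cs); close(ls);
    return 0;
}
```

The two non-OK states are the two situations the replies describe: "no-nat" is the quoted getsockopt failure (nothing on the box rewrote the packets, so the proxy is not in the path), and "self-loop" is what Nuno points at, the original destination being the proxy's own address because the client was pointed at the box instead of routed through it, so there is no upstream to fetch a certificate from.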
