Linux Netfilter discussions
* Https website is not accessible once transparent proxy is set up
@ 2008-09-16  6:49 Sam Chan
  2008-09-16 11:03 ` ArcosCom Linux User
  0 siblings, 1 reply; 6+ messages in thread
From: Sam Chan @ 2008-09-16  6:49 UTC (permalink / raw)
  To: netfilter

Hi,

I have just set up a transparent proxy (Squid 3.0 on Debian etch).

Http redirect to port 3128 is ok and I can see http traffic in
access.log.

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 3128


But I cannot access https websites even though I have enabled port 443 to
be forwarded.

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            state INVALID LOG level warning tcp-options ip-options prefix `DROP INVALID FORWARD'
DROP       0    --  anywhere             anywhere            state INVALID
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  localnet/24          anywhere            tcp dpt:https flags:FIN,SYN,RST,ACK/SYN state NEW
LOG        0    --  anywhere             anywhere            LOG level warning tcp-options ip-options prefix `DROP '

Based on what I see in my syslog, whenever I browse any https site, the
packet falls under INVALID and hence is dropped based on my second rule above.

Can anybody help me?



* Re: Https website is not accessible once transparent proxy is set up
  2008-09-16  6:49 Https website is not accessible once transparent proxy is set up Sam Chan
@ 2008-09-16 11:03 ` ArcosCom Linux User
  2008-09-16 11:19   ` John Haxby
  0 siblings, 1 reply; 6+ messages in thread
From: ArcosCom Linux User @ 2008-09-16 11:03 UTC (permalink / raw)
  To: netfilter

Read about HTTP transparent proxy.

HTTPS can't be transparently proxied (as far as I know) yet.

Regards

On Tue, 16 September 2008, 8:49, Sam Chan wrote:
> Hi,
>
> I have just set up a transparent proxy (Squid 3.0 on Debian etch).
>
> Http redirect to port 3128 is ok and I can see http traffic in
> access.log.
>
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:www redir ports 3128
>
>
> But I cannot access https websites even though I have enabled port 443 to
> be forwarded.
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> LOG        0    --  anywhere             anywhere            state INVALID LOG level warning tcp-options ip-options prefix `DROP INVALID FORWARD'
> DROP       0    --  anywhere             anywhere            state INVALID
> ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  localnet/24          anywhere            tcp dpt:https flags:FIN,SYN,RST,ACK/SYN state NEW
> LOG        0    --  anywhere             anywhere            LOG level warning tcp-options ip-options prefix `DROP '
>
> Based on what I see in my syslog, whenever I browse any https site, the
> packet falls under INVALID and hence is dropped based on my second rule above.
>
> Can anybody help me?
>




* Re: Https website is not accessible once transparent proxy is set up
  2008-09-16 11:03 ` ArcosCom Linux User
@ 2008-09-16 11:19   ` John Haxby
  2008-09-16 11:50     ` ArcosCom Linux User
  0 siblings, 1 reply; 6+ messages in thread
From: John Haxby @ 2008-09-16 11:19 UTC (permalink / raw)
  To: linux; +Cc: netfilter

ArcosCom Linux User wrote:
> Read about HTTP transparent proxy.
>
> HTTPS can't be transparently proxied (as far as I know) yet.
>   

Well, not by squid, but the connection can be transparently proxied.   I 
have a tiny transparent proxy that redirects all connections to any port 
outside an intranet to a connection through an HTTP CONNECT request.

jch


* Re: Https website is not accessible once transparent proxy is set up
  2008-09-16 11:19   ` John Haxby
@ 2008-09-16 11:50     ` ArcosCom Linux User
  2008-09-16 13:50       ` John Haxby
  0 siblings, 1 reply; 6+ messages in thread
From: ArcosCom Linux User @ 2008-09-16 11:50 UTC (permalink / raw)
  To: netfilter

On Tue, 16 September 2008, 13:19, John Haxby wrote:
> ArcosCom Linux User wrote:
>> Read about HTTP transparent proxy.
>>
>> HTTPS can't be transparently proxied (as far as I know) yet.
>>
>
> Well, not by squid, but the connection can be transparently proxied.   I
> have a tiny transparent proxy that redirects all connections to any port
> outside an intranet to a connection through an HTTP CONNECT request.
>

As far as I know (and I have some HTTP proxies working with squid+iptables), the
problem is the requests.

Well, when you do a REDIRECT from 80 to 3128 (for squid), squid must
know that it is working in transparent mode in order to process the HTTP
requests correctly, because they aren't addressed directly to the proxy.

If you use the same theory for any other protocol, the "proxy" must know
how to process this type of connection correctly.

What "tiny transparent proxy" are you using? Perhaps somebody could help
you with a trick for it!


> jch

Regards



* Re: Https website is not accessible once transparent proxy is set up
  2008-09-16 11:50     ` ArcosCom Linux User
@ 2008-09-16 13:50       ` John Haxby
  2008-09-16 18:01         ` Vimal
  0 siblings, 1 reply; 6+ messages in thread
From: John Haxby @ 2008-09-16 13:50 UTC (permalink / raw)
  To: linux; +Cc: netfilter

ArcosCom Linux User wrote:
> On Tue, 16 September 2008, 13:19, John Haxby wrote:
>   
>> Well, not by squid, but the connection can be transparently proxied.   I
>> have a tiny transparent proxy that redirects all connections to any port
>> outside an intranet to a connection through an HTTP CONNECT request.
>>
>>     
> As far as I know (and I have some HTTP proxies working with squid+iptables), the
> problem is the requests.
>
> Well, when you do a REDIRECT from 80 to 3128 (for squid), squid must
> know that it is working in transparent mode in order to process the HTTP
> requests correctly, because they aren't addressed directly to the proxy.
>
> If you use the same theory for any other protocol, the "proxy" must know
> how to process this type of connection correctly.
>
> What "tiny transparent proxy" are you using? Perhaps somebody could help
> you with a trick for it!
>
>   

It's a small program that basically accepts connections, creates an 
onward connection to the http proxy at the periphery and sends an 
appropriate CONNECT <addr>:<port> request.

The address and port come from this

    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    getsockopt (sock, SOL_IP, SO_ORIGINAL_DST, &sin, &len);
    sprintf(buf, "CONNECT %s:%d HTTP/1.0\r\n\r\n",
           inet_ntoa(sin.sin_addr), ntohs(sin.sin_port));

I can't remember if I found this by grepping the squid source code or 
from a different web proxy.  I really must find the time to pretty up my 
program (and remove the bug that makes it crash from time to time) so I 
can publish it somewhere for general consumption.   It saves having to 
configure world+dog to use a proxy.

jch
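The core of the step John describes, written out as an added example (this is not his program, which was never published): read the pre-REDIRECT destination with SO_ORIGINAL_DST, build the CONNECT line with a bounds-checked snprintf instead of sprintf, and check the upstream proxy's status line before relaying any bytes. The function names original_dst, build_connect_request and connect_status are my own, and the 192.0.2.10:443 destination used in the test is constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* defines SO_ORIGINAL_DST */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80          /* Linux value; lets the file build elsewhere */
#endif
#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#endif

/* Ask conntrack for the destination the client really dialled, i.e. the
 * address before the iptables REDIRECT rewrote it to our listening port.
 * Returns 0 on success, -1 (with errno set) if the socket was not NAT'ed
 * or conntrack is not loaded; a caller must not fall back to guessing. */
int original_dst(int sock, struct sockaddr_in *dst)
{
    socklen_t len = sizeof(*dst);
    return getsockopt(sock, SOL_IP, SO_ORIGINAL_DST, dst, &len);
}

/* Build "CONNECT a.b.c.d:port HTTP/1.0\r\n\r\n" for the upstream proxy.
 * Returns the request length, or -1 if buf cannot hold it (sprintf, as
 * used in the original snippet, would silently overflow here). */
int build_connect_request(const struct sockaddr_in *dst, char *buf, size_t buflen)
{
    char addr[INET_ADDRSTRLEN];
    if (inet_ntop(AF_INET, &dst->sin_addr, addr, sizeof addr) == NULL)
        return -1;
    int n = snprintf(buf, buflen, "CONNECT %s:%u HTTP/1.0\r\n\r\n",
                     addr, (unsigned)ntohs(dst->sin_port));
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Parse the proxy's reply status line ("HTTP/1.0 200 Connection established").
 * Returns the status code, or -1 if the reply is malformed. Only a 2xx means
 * the tunnel is open; anything else must be reported to the client, not relayed. */
int connect_status(const char *reply)
{
    unsigned major, minor, code;
    if (sscanf(reply, "HTTP/%u.%u %3u", &major, &minor, &code) != 3)
        return -1;
    return (int)code;
}
```

At runtime original_dst() is called on the socket returned by accept(), and the relay loop copies bytes in both directions only after connect_status() returns a 2xx code.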


* Re: Https website is not accessible once transparent proxy is set up
  2008-09-16 13:50       ` John Haxby
@ 2008-09-16 18:01         ` Vimal
  0 siblings, 0 replies; 6+ messages in thread
From: Vimal @ 2008-09-16 18:01 UTC (permalink / raw)
  To: John Haxby; +Cc: linux, netfilter

>   struct sockaddr_in sin;
>   socklen_t len = sizeof(sin);
>   getsockopt (sock, SOL_IP, SO_ORIGINAL_DST, &sin, &len);
>   sprintf(buf, "CONNECT %s:%d HTTP/1.0\r\n\r\n",
>          inet_ntoa(sin.sin_addr), ntohs(sin.sin_port));
>

The idea is wonderful.

> I can't remember if I found this by grepping the squid source code or from a
> different web proxy.  I really must find the time to pretty up my program
> (and remove the bug that makes it crash from time to time) so I can publish
> it somewhere for general consumption.   It saves having to configure
> world+dog to use a proxy.

This is similar to what applications like tsocks and transconnect do.
But they work on the client side.

But can one set up a NAT server that does the appropriate forwarding
for https connections? This would look like there is a transparent
proxy setup.

Apologies, if the thread actually talks about the above mentioned stuff ... :)

-- 
Vimal

