Hi
I am redirecting all HTTP/S traffic to squid for caching
Code:
# LAN clients' outbound port 80 / 443 traffic (except to the LAN itself) goes to the squid intercept ports
iptables -t nat -A PREROUTING -i ${INT_IF} -p tcp -s 192.168.101.0/24 ! -d 192.168.101.0/24 --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i ${INT_IF} -p tcp -s 192.168.101.0/24 ! -d 192.168.101.0/24 --dport 443 -j REDIRECT --to-port 8090
which I then receive in squid for transparent caching, separately for http & https traffic
Code:
http_port 192.168.101.101:8080 intercept
https_port 192.168.101.101:8090 intercept ssl-bump \
cert=/etc/squid/ssl_cert/squid.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
acl broken_sites ssl::server_name .wikipedia.org .nsatc.net .microsoft.com
ssl_bump splice broken_sites
ssl_bump peek all
ssl_bump bump all
All that is forwarded to privoxy for filtering; since privoxy does not handle ssl traffic, filtering is applied only to http sites
Code:
cache_peer 127.0.0.1 parent 3128 0 no-query no-digest
What I am planning to do is to separate traffic for http & https
Code:
# classify requests by protocol / port
acl ACL_HTTP proto HTTP
acl ACL_HTTPS proto HTTPS
acl ACL_HTTPS2 port 443
# two parents on localhost: plain http on 3128, tls parent on 3129
cache_peer 127.0.0.1 parent 3128 0 name=http_peer no-query no-digest
cache_peer 127.0.0.1 parent 3129 0 name=https_peer ssl no-query no-digest
# route https to https_peer, http to http_peer; a peer with no matching allow is not used
cache_peer_access https_peer allow ACL_HTTPS
cache_peer_access https_peer allow ACL_HTTPS2
cache_peer_access http_peer allow ACL_HTTP
# never go to the origin server directly, always through a parent
never_direct allow all
http traffic would then be forwarded to privoxy. Where do I send https to?
The way I see it, from squid I send https traffic to ProxHTTPSProxyMII, which sends it to privoxy for filtering and gets it back from privoxy to send to the actual server. Is this the correct approach and, if it is, how do I configure privoxy for it? So far I have a rather simple configuration which does not differentiate between front and rear server
Code:
...
listen-address 127.0.0.1:3128
permit-access localhost
permit-access 192.168.101.0/24
forward 192.168.*.* .
forward 127.*.*.*/ .
forward :443 .
My question is do I need to edit privoxy config to listen on more than port 3128 or do I need to simply edit config.ini from ProxHTTPSProxyMII into this?
Code:
ProxAddr = http://localhost:3128
FrontPort = 3129
RearPort = 3130
EDIT: It turned out that to use squid with an ssl parent proxy I had to add the option "ssl" to that cache_peer, otherwise squid would fail with
Code:
2018/05/09 07:50:44 kid1| assertion failed: PeerConnector.cc:116: "peer->use_ssl"
so the proper line for https traffic is
cache_peer 127.0.0.1 parent 3129 0 name=https_peer ssl no-query no-digest
instead of
cache_peer 127.0.0.1 parent 3129 0 name=https_peer no-query no-digest
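An added config lint (my own example, not part of the post) for exactly the mistake described in the EDIT: it reads a squid.conf fragment and reports any cache_peer that receives HTTPS traffic via cache_peer_access allow rules but lacks the ssl option (or tls, the Squid 4 name for it). The sample fragment is constructed to mirror the "instead of" variant above; the function name and the rule that only proto HTTPS and port 443 ACLs count as HTTPS are my assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed squid.conf fragment: the HTTPS parent has no "ssl" option,
# the situation that produced the peer->use_ssl assertion in the post.
SAMPLE_CONF = """
acl ACL_HTTP proto HTTP
acl ACL_HTTPS proto HTTPS
acl ACL_HTTPS2 port 443
cache_peer 127.0.0.1 parent 3128 0 name=http_peer no-query no-digest
cache_peer 127.0.0.1 parent 3129 0 name=https_peer no-query no-digest
cache_peer_access https_peer allow ACL_HTTPS
cache_peer_access https_peer allow ACL_HTTPS2
cache_peer_access http_peer allow ACL_HTTP
never_direct allow all
"""

def https_acls(conf: str) -> Set[str]:
    """Names of ACLs that select HTTPS traffic: 'proto HTTPS' or 'port 443' (assumption)."""
    names: Set[str] = set()
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl":
            name, acl_type, args = parts[1], parts[2].lower(), parts[3:]
            if (acl_type == "proto" and "HTTPS" in {a.upper() for a in args}) or \
               (acl_type == "port" and "443" in args):
                names.add(name)
    return names

def peers(conf: str) -> Dict[str, bool]:
    """Map peer name (name= option, else host) -> True if the line has ssl/tls."""
    result: Dict[str, bool] = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "cache_peer":
            opts = parts[5:]
            name = next((o[len("name="):] for o in opts if o.startswith("name=")), parts[1])
            result[name] = any(o in ("ssl", "tls") for o in opts)
    return result

def https_peers_without_ssl(conf: str) -> List[str]:
    """Peers allowed for an HTTPS ACL whose cache_peer line lacks ssl/tls."""
    secure, peer_tls, flagged = https_acls(conf), peers(conf), []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "cache_peer_access" and parts[2] == "allow":
            peer = parts[1]
            if peer in peer_tls and not peer_tls[peer] and secure & set(parts[3:]):
                if peer not in flagged:
                    flagged.append(peer)
    return flagged

if __name__ == "__main__":
    print(https_peers_without_ssl(SAMPLE_CONF))  # ['https_peer']
```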