set https proxy with squid and iptables












2















have a Linux as router, eth0 (192.168.0.60) connect to LAN, eth1 (10.100.33.239) connect to Internet. squid works well, I can set 10.100.33.239:3128 or 192.168.0.60:3128 as proxy in web browser and visit http and https web-site.



now, I want to use iptables to setup transparent proxy, which means I can visit web site without setting proxy in my web browser.



Now, http is OK, but https is failed. would someone help me? thank you!



iptables config



iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.100.33.239

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.60:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128





iptables https squid







share|improve this question

























  • Have you configured squid correctly ? wiki.squid-cache.org/Features/HTTPS

    – Lawrence
    Feb 26 '14 at 12:17
















2















have a Linux as router, eth0 (192.168.0.60) connect to LAN, eth1 (10.100.33.239) connect to Internet. squid works well, I can set 10.100.33.239:3128 or 192.168.0.60:3128 as proxy in web browser and visit http and https web-site.



now, I want to use iptables to setup transparent proxy, which means I can visit web site without setting proxy in my web browser.



Now, http is OK, but https is failed. would someone help me? thank you!



iptables config



iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.100.33.239

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.60:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128





iptables https squid







share|improve this question

























  • Have you configured squid correctly ? wiki.squid-cache.org/Features/HTTPS

    – Lawrence
    Feb 26 '14 at 12:17














2












2








2








have a Linux as router, eth0 (192.168.0.60) connect to LAN, eth1 (10.100.33.239) connect to Internet. squid works well, I can set 10.100.33.239:3128 or 192.168.0.60:3128 as proxy in web browser and visit http and https web-site.



now, I want to use iptables to setup transparent proxy, which means I can visit web site without setting proxy in my web browser.



Now, http is OK, but https is failed. would someone help me? thank you!



iptables config



iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.100.33.239

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.60:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128





iptables https squid







share|improve this question
















have a Linux as router, eth0 (192.168.0.60) connect to LAN, eth1 (10.100.33.239) connect to Internet. squid works well, I can set 10.100.33.239:3128 or 192.168.0.60:3128 as proxy in web browser and visit http and https web-site.



now, I want to use iptables to setup transparent proxy, which means I can visit web site without setting proxy in my web browser.



Now, http is OK, but https is failed. would someone help me? thank you!



iptables config



iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.100.33.239

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.60:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128





iptables https squid




iptables https squid






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 3 '13 at 23:19







siyuan

















asked Feb 3 '13 at 15:47









siyuansiyuan

4828




4828













  • Have you configured squid correctly ? wiki.squid-cache.org/Features/HTTPS

    – Lawrence
    Feb 26 '14 at 12:17



















  • Have you configured squid correctly ? wiki.squid-cache.org/Features/HTTPS

    – Lawrence
    Feb 26 '14 at 12:17

















Have you configured squid correctly ? wiki.squid-cache.org/Features/HTTPS

– Lawrence
Feb 26 '14 at 12:17





Have you configured squid correctly ? wiki.squid-cache.org/Features/HTTPS

– Lawrence
Feb 26 '14 at 12:17










1 Answer
1






active

oldest

votes


















0














You need also forward eth0 incomes on port 443 to squid listen port 3128, to be able using transparent proxy for the https requests.



Try to add this to your iptable:



iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.60:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128





share|improve this answer


























  • can you expand at all?

    – Sickest
    Feb 26 '14 at 3:08











  • It seems to not work well, I didn't tried it before, some instructions offer sets different port for https and generate and set certificate for this purpose (like this one: liknk). so just forwarding the 443 port, may not be a complete solution. but I'm not sure why setting IP/port of proxy sever, is fine for https requests but when we want to make it transparent NAT table forwarding is not enough.

    – 2i3r
    Feb 26 '14 at 11:24











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f545972%2fset-https-proxy-with-squid-and-iptables%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














You need also forward eth0 incomes on port 443 to squid listen port 3128, to be able using transparent proxy for the https requests.



Try to add this to your iptable:



iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.60:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128





share|improve this answer


























  • can you expand at all?

    – Sickest
    Feb 26 '14 at 3:08











  • It seems to not work well, I didn't tried it before, some instructions offer sets different port for https and generate and set certificate for this purpose (like this one: liknk). so just forwarding the 443 port, may not be a complete solution. but I'm not sure why setting IP/port of proxy sever, is fine for https requests but when we want to make it transparent NAT table forwarding is not enough.

    – 2i3r
    Feb 26 '14 at 11:24
















0














You need also forward eth0 incomes on port 443 to squid listen port 3128, to be able using transparent proxy for the https requests.



Try to add this to your iptable:



iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.60:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128





share|improve this answer


























  • can you expand at all?

    – Sickest
    Feb 26 '14 at 3:08











  • It seems to not work well, I didn't tried it before, some instructions offer sets different port for https and generate and set certificate for this purpose (like this one: liknk). so just forwarding the 443 port, may not be a complete solution. but I'm not sure why setting IP/port of proxy sever, is fine for https requests but when we want to make it transparent NAT table forwarding is not enough.

    – 2i3r
    Feb 26 '14 at 11:24














0












0








0







You need also forward eth0 incomes on port 443 to squid listen port 3128, to be able using transparent proxy for the https requests.



Try to add this to your iptable:



iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.60:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128





share|improve this answer















You need also forward eth0 incomes on port 443 to squid listen port 3128, to be able using transparent proxy for the https requests.



Try to add this to your iptable:



iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.60:3128

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128






share|improve this answer














share|improve this answer



share|improve this answer








edited Feb 26 '14 at 11:27

























answered Feb 26 '14 at 0:21









2i3r2i3r

23210




23210













  • can you expand at all?

    – Sickest
    Feb 26 '14 at 3:08











  • It seems to not work well, I didn't tried it before, some instructions offer sets different port for https and generate and set certificate for this purpose (like this one: liknk). so just forwarding the 443 port, may not be a complete solution. but I'm not sure why setting IP/port of proxy sever, is fine for https requests but when we want to make it transparent NAT table forwarding is not enough.

    – 2i3r
    Feb 26 '14 at 11:24



















  • can you expand at all?

    – Sickest
    Feb 26 '14 at 3:08











  • It seems to not work well, I didn't tried it before, some instructions offer sets different port for https and generate and set certificate for this purpose (like this one: liknk). so just forwarding the 443 port, may not be a complete solution. but I'm not sure why setting IP/port of proxy sever, is fine for https requests but when we want to make it transparent NAT table forwarding is not enough.

    – 2i3r
    Feb 26 '14 at 11:24

















can you expand at all?

– Sickest
Feb 26 '14 at 3:08





can you expand at all?

– Sickest
Feb 26 '14 at 3:08













It seems to not work well, I didn't tried it before, some instructions offer sets different port for https and generate and set certificate for this purpose (like this one: liknk). so just forwarding the 443 port, may not be a complete solution. but I'm not sure why setting IP/port of proxy sever, is fine for https requests but when we want to make it transparent NAT table forwarding is not enough.

– 2i3r
Feb 26 '14 at 11:24





It seems to not work well, I didn't tried it before, some instructions offer sets different port for https and generate and set certificate for this purpose (like this one: liknk). so just forwarding the 443 port, may not be a complete solution. but I'm not sure why setting IP/port of proxy sever, is fine for https requests but when we want to make it transparent NAT table forwarding is not enough.

– 2i3r
Feb 26 '14 at 11:24


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f545972%2fset-https-proxy-with-squid-and-iptables%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Index of /

This page is only for reference, If you need detailed information, please check here
Read more

Tribalistas

Image
  Nota: Para o álbum homônimo, veja Tribalistas (álbum de 2002). Para o segundo álbum homônimo, veja Tribalistas (álbum de 2017). Para o tipo de organização tribal, veja Tribalismo. Tribalistas Informação geral Origem Salvador e Rio de Janeiro País   Brasil Gênero(s) MPB Pop Samba Período em atividade 2002–2004 2017–atualmente Gravadora(s) EMI Phonomotor Records Universal Music Afiliação(ões) Dadi Pretinho da Serrinha Margareth Menezes Integrantes Arnaldo Antunes Carlinhos Brown Marisa Monte Página oficial www2.uol.com.br/tribalistas/ ...
Read more

Listed building

Image
Listed building (literalmente: prédio listado ) é toda estrutura protegida por lei pelo complexo sistema de tombamento do Reino Unido. Um listed building é qualquer estrutura oficialmente designada como tendo especial interesse arquitetônico, histórico ou cultural. É um estatuto amplamente usado, aplicado a centenas de milhares de estruturas. Estruturas tombadas não podem ser alteradas sem permissão especial, e desfrutam de isenções fiscais e outros benefícios. Cada um dos países do Reino Unido trata tombamento de forma diferente: Índice 1 Inglaterra 2 País de Gales 3 Irlanda do Norte 4 Escócia 5 Referências Inglaterra | O Palácio de Buckingham, Londres. As estruturas tombadas são listadas no Statutory List of Buildings of Special Architectural or Historic Interest , e incluem campos, sinais de trânsito, piers e áreas geográficas. A principal legislação pertinente é o Ancient Monuments and Archaeological Areas Act 1979 , [ 1 ] embora legisla...
Read more