I am attempting to run the QLProxy Virtual Appliance with SSL Bump in a transparent proxy and cannot for the life of me get it to work. I keep receiving "Invalid URL" errors from Squid (version 3.3.8).
Squid config is as follows
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
include "/opt/qlproxy/etc/squid/squid.acl"
http_port 3128
http_port 3129 intercept
http_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/qlproxy/etc/myca.pem
acl mylocalnet src 0.0.0.0/0.0.0.0
http_access allow mylocalnet
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
forward_max_tries 25
cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
shutdown_lifetime 3 seconds
visible_hostname qlproxy
always_direct allow all
icap_enable on
icap_service_failure_limit -1
icap_preview_enable on
icap_persistent_connections on
adaptation_send_client_ip on
adaptation_send_username on
icap_service qlproxy1 reqmod_precache icap://127.0.0.1:1344/reqmod bypass=0
icap_service qlproxy2 respmod_precache icap://127.0.0.1:1344/respmod bypass=0
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
acl icap_bypass_to_localnet dst 10.0.0.0/8 # RFC1918 possible internal network
acl icap_bypass_to_localnet dst 172.16.0.0/12 # RFC1918 possible internal network
acl icap_bypass_to_localnet dst 192.168.0.0/16 # RFC1918 possible internal network
adaptation_access qlproxy1 deny icap_bypass_to_localnet
adaptation_access qlproxy2 deny icap_bypass_to_localnet
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
dns_nameservers 8.8.8.8 4.2.2.2
dns_v4_first on
The firewall has a NAT rule on it to set to dst-nat all traffic destined for port 80, 443 TCP to forward to the proxy server on port 3128.
Can anyone spot where I've gone wrong?
EDIT : It should be worth noting that I am attempting to do this with a Single NIC on the proxy. The web traffic is redirected via a NAT rule on a MikroTik (which serves as primary firewall) to the proxy, and from the proxy it should go the internet.
Best Answer
If you are using policy based routing to get the traffic to the proxy server then something like the following will redirect HTTP & HTTPS traffic to the right squid ports:
If you want to maintain the client's original IP address for squid to filter on, rather than have all traffic's src appear to be the router's IP, then you would need rules like:
I'm not sure how well this last approach works with policy based routing to squid. I've only tested w/ squid configured as the network's gateway via DHCP.