
I just want to make an anonymous transparent internet proxy that bypasses traffic. I just want to hide the client IP, but it does not work for HTTPS.

I don't want to use sslbump etc.; I just want to bypass the traffic.

I searched a lot on Google, serverfault.com and stackoverflow.com and tested these solutions for bypassing HTTPS traffic:

Bypass Transparent Squid With IPTables

Squid problems with iptables

https://stackoverflow.com/questions/2601400/squidiptables-how-do-i-allow-https-to-pass-through-and-bypassing-squid

My squid configuration is:

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access allow all

short_icon_urls on

http_port 0.0.0.0:13128 accel vhost
always_direct allow all

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .           0   20%     4320
coredump_dir /var/spool/squid

forwarded_for off

and my iptables config is now just:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 13128
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 13128

I tried to use these commands, but they do not work:

iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT

iptables -t nat -A PREROUTING -d x.x.x.x -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp -s x.x.x.x -m tcp --dport 443 -j REDIRECT --to-ports 13128

That x.x.x.x is my valid internet IP.

and my client config for using the proxy is like this:

I added somedomain.com to /etc/hosts: x.x.x.x somedomain.com

and I want to browse https://somedomain.com in my browser.

You can find a lot of IP:port proxies that work like this, for example using this IP 173.161.0.227.

If I add a line to my client /etc/hosts

173.161.0.227 www.iplocation.net

I can browse https://www.iplocation.net

My server is CentOS 7.

Mehdi Yeganeh

1 Answer

The words "anonymous transparent" are contradicting each other.

Anonymous proxy is when the client details are hidden and the server sees only the proxy. Transparent means the proxy details are hidden and the client details are sent to the server.

So the short answer to your question is that what you ask for is not possible. You cannot have both at the same time, especially when TLS is involved (as in HTTPS).

The /etc/hosts examples you mention are not transparent proxy. They might be anonymous proxies. They are definitely "open proxies". Look that up.

Your squid.conf is for a reverse-proxy which has been turned into an open proxy (by the always_direct line). The NAT rules are pointless with this proxy configuration.

  • If you want to use the /etc/hosts way, then erase your NAT rules and make your Squid use http_port 80 instead of 13128.

  • If you want to use NAT interception proxy, then erase the always_direct line and change the "accel vhost" options to "intercept".

Port 80 and port 443 have very different traffic syntaxes. The http_port you are NAT'ing to only accepts port 80 syntax. Which is the first reason why NAT'ing port 443 there is not working.

To receive HTTPS syntax into Squid you need an https_port to receive it. However, TLS prevents the /etc/hosts way of doing things from working. Receiving HTTPS for domains you do not own means SSL-Bump. Even transparently relaying NAT'ed port 443 requires SSL-Bump to be configured to "splice".

BUT, when NAT'ing the only reason your proxy is receiving port 443 traffic in the first place is because you are NAT'ing port 443 to it. To "bypass" you simply need to erase your NAT rules containing port 443.

Amos Jeffries
  • Thanks a lot for the information.. but I cannot get any success running my squid. I changed squid.conf like this: `http_port 0.0.0.0:80 intercept`, `https_port 0.0.0.0:3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/squid/ssl_cert/myca.pem key=/squid/ssl_cert/myca.pem`, `ssl_bump allow all`, `sslcrtd_program /squid/ssl_crtd -s /squid/squid_ssldb -M 4MB`, `sslcrtd_children 8 startup=1 idle=1`, `ssl_bump allow all`, and for NATing I just run `iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3127` – Mehdi Yeganeh Sep 30 '16 at 23:43
  • Can I have your email address or WhatsApp, Skype, etc. please? I really need it and I don't know how I can configure it.. thanks again – Mehdi Yeganeh Sep 30 '16 at 23:47
  • Please add your extra comments to the question itself so that one can actually read it. – Tero Kilkanen Oct 09 '16 at 22:57
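The answer above makes three points about the asker's configuration: `accel vhost` plus `always_direct allow all` is an open proxy rather than an interception proxy, port 80 NAT only works against an `http_port` in `intercept` mode, and port 443 cannot be received by an `http_port` at all (so the simplest "bypass" is to drop the 443 NAT rule). The script below is an added example, not code from the question, the answer, or the Squid project: it writes two constructed squid.conf / iptables pairs (the misconfiguration from the question and an intercept-mode variant following the answer's advice) into temporary files and runs a small check that flags those problems. The file paths are temporary, the `localnet` range is a constructed placeholder, and nothing here touches the live firewall or the real /etc/squid/squid.conf.

```shell
#!/bin/sh
# Added example: a lint for the squid.conf + iptables pairing discussed in the
# answer. Constructed sample data only; does not modify a running system.

# write_samples MODE CONF RULES  -- MODE is "broken" (the question's setup) or
# "fixed" (intercept mode, 443 NAT rule removed). Both are constructed samples.
write_samples() {
  mode="$1"; out_conf="$2"; out_rules="$3"
  if [ "$mode" = broken ]; then
    cat > "$out_conf" <<'EOF'
http_port 0.0.0.0:13128 accel vhost
always_direct allow all
http_access allow all
EOF
    cat > "$out_rules" <<'EOF'
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 13128
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 13128
EOF
  else
    cat > "$out_conf" <<'EOF'
acl localnet src 192.168.0.0/16     # constructed LAN range (placeholder)
http_port 0.0.0.0:13128 intercept
http_access allow localnet
http_access deny all
EOF
    cat > "$out_rules" <<'EOF'
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 13128
EOF
  fi
}

# check_squid_nat CONF RULES -- prints one "FINDING:" line per problem found.
check_squid_nat() {
  conf="$1"; rules="$2"
  # 1. A reverse proxy (accel) that is allowed to go direct to any origin is an
  #    open forward proxy, not an interception proxy.
  if grep -Eq '^http_port .*accel' "$conf" \
     && grep -Eq '^always_direct[[:space:]]+allow[[:space:]]+all' "$conf"; then
    echo "FINDING: 'accel' http_port with 'always_direct allow all' is an open proxy, not an interception proxy"
  fi
  # 2. Unrestricted http_access lets any source on the internet relay through it.
  if grep -Eq '^http_access[[:space:]]+allow[[:space:]]+all' "$conf"; then
    echo "FINDING: 'http_access allow all' lets any source use the proxy"
  fi
  # 3. Every REDIRECT target must be an intercept-mode listener of the right
  #    kind: http_port for port 80 traffic, https_port for port 443 traffic.
  sed -nE 's/.*--dport[[:space:]]+([0-9]+).*-j[[:space:]]+REDIRECT.*--to-ports?[[:space:]]+([0-9]+).*/\1 \2/p' "$rules" |
  while read -r dport target; do
    if [ "$dport" = 443 ]; then
      if ! grep -Eq "^https_port[[:space:]]+([0-9.]+:)?$target[[:space:]].*intercept" "$conf"; then
        echo "FINDING: port 443 is redirected to $target but no intercept https_port listens there (an http_port cannot receive TLS)"
      fi
    elif ! grep -Eq "^http_port[[:space:]]+([0-9.]+:)?$target[[:space:]].*intercept" "$conf"; then
      echo "FINDING: port $dport is redirected to $target but that http_port is not in intercept mode"
    fi
  done
}

# count_findings CONF RULES -- echoes the number of FINDING lines (0 = clean).
count_findings() {
  check_squid_nat "$1" "$2" | grep -c '^FINDING:' || true
}

# Demo: lint the question's setup, then the intercept-mode variant.
demo_dir=$(mktemp -d)
write_samples broken "$demo_dir/squid.conf" "$demo_dir/rules.sh"
echo "== broken (question's config) =="; check_squid_nat "$demo_dir/squid.conf" "$demo_dir/rules.sh"
write_samples fixed "$demo_dir/squid.conf" "$demo_dir/rules.sh"
echo "== fixed (intercept, no 443 NAT) =="; check_squid_nat "$demo_dir/squid.conf" "$demo_dir/rules.sh"
rm -rf "$demo_dir"
```

Run it as `sh squid_nat_lint.sh`; the broken pair produces four findings and the fixed pair none. The check deliberately treats a port 443 REDIRECT as a finding unless an intercept `https_port` exists, because, as the answer notes, receiving that traffic at all means configuring SSL-Bump (at least `splice`), which the asker said they wanted to avoid.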