Bug #3128
Proxy http doesn't allow http traffic when set in SSL transparent mode
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-squid | | |
| Target version: | v6.6 | | |
| Security class: | | Resolution: | |
| Affected version: | v6.6-final | NEEDINFO: | No |
Description
The HTTP proxy, when set in SSL transparent mode, blocks all the HTTP traffic; only the HTTPS traffic is properly handled by squid.
Associated revisions
squid.conf: enable port 3129 when ssl transparent mode is enabled. Refs #3128
History
#1
Updated by Davide Marini over 6 years ago
In the squid.conf there are only configurations for manual proxy and HTTPS proxy; this fragment seems to be missing:

```
# Enable transparent proxy
http_port 3129 transparent
```
#2
Updated by Davide Marini over 6 years ago
- Priority changed from Normal to High
#3
Updated by Giacomo Sanchietti over 6 years ago
- Category set to nethserver-squid
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
- Affected version set to v6.6-final
The bug is confirmed.
Workaround
Create a custom template /etc/e-smith/templates-custom/etc/squid/squid.conf/40ports:
```perl
{
    use esmith::NetworksDB;
    my $ndb = esmith::NetworksDB->open_ro();
    # Proxy mode per zone; anything unset falls back to "manual"
    my $green_mode = $squid{'GreenMode'} || "manual";
    my $blue_mode = $squid{'BlueMode'} || "manual";
    $OUT.="\n# Always enable manual proxy\n";
    $OUT.="http_port 3128\n";
    # /transparent/ matches both 'transparent' and 'transparent_ssl',
    # so port 3129 is also opened in SSL transparent mode
    if ($green_mode =~ /transparent/ || (defined($ndb->blue()) && $blue_mode =~ /transparent/)) {
        $OUT.="\n# Enable transparent proxy\n";
        $OUT.="http_port 3129 transparent\n";
    }
    # The last two directives of this block make squid accept upstream
    # server certificates without validating them
    if ($green_mode eq 'transparent_ssl' || (defined($ndb->blue()) && $blue_mode eq 'transparent_ssl')) {
        $OUT.="\n# Enable SSL transparent proxy
https_port 3130 transparent ssl-bump generate-host-certificates=on cert=/etc/pki/tls/certs/NSRV.crt key=/etc/pki/tls/private/NSRV.key
acl https_proto proto https
always_direct allow https_proto
ssl_bump none localhost
ssl_bump none bypass_ssl
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER";
    }
}
```
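A check for the condition this bug describes, as an added example that is not part of the ticket or of NethServer's code: it parses a rendered squid.conf and reports which listeners the selected mode requires but the file does not declare. The function names and the two sample configs are constructed here; the mode names, ports and certificate paths are the ones in the workaround template.

```python
import re

# Listener each mode needs: (directive, port, options that must be present).
# Ports and mode names are the ones used in the workaround template above.
MANUAL = ("http_port", 3128, set())
HTTP_INTERCEPT = ("http_port", 3129, {"transparent"})
SSL_INTERCEPT = ("https_port", 3130, {"transparent", "ssl-bump"})

# Constructed samples: squid.conf port section before and after the fix.
BEFORE_FIX = """\
http_port 3128
https_port 3130 transparent ssl-bump generate-host-certificates=on cert=/etc/pki/tls/certs/NSRV.crt key=/etc/pki/tls/private/NSRV.key
"""
AFTER_FIX = BEFORE_FIX + "# Enable transparent proxy\nhttp_port 3129 transparent\n"

def required_listeners(mode):
    """Mirror the template's conditions for one zone mode (GreenMode/BlueMode)."""
    needed = [MANUAL]                      # manual proxy is always enabled
    if "transparent" in mode:              # template: $mode =~ /transparent/
        needed.append(HTTP_INTERCEPT)
    if mode == "transparent_ssl":          # template: $mode eq 'transparent_ssl'
        needed.append(SSL_INTERCEPT)
    return needed

def parse_listeners(conf_text):
    """Return [(directive, port, options)] for every active http(s)_port line."""
    found = []
    for raw in conf_text.splitlines():
        # re.match anchors at the start, so "#http_port ..." lines never match.
        m = re.match(r"(https?_port)\s+(?:\S+:)?(\d+)\b(.*)", raw.strip())
        if m:
            opts = {o.split("=", 1)[0] for o in m.group(3).split()}
            # Squid 3.1+ spells the option "intercept"; treat it as the same flag.
            if "intercept" in opts:
                opts.add("transparent")
            found.append((m.group(1), int(m.group(2)), opts))
    return found

def missing_listeners(conf_text, mode):
    """List required listeners that the rendered squid.conf does not declare."""
    have = parse_listeners(conf_text)
    return [
        f"{d} {p} {' '.join(sorted(o))}".strip()
        for d, p, o in required_listeners(mode)
        if not any(d == hd and p == hp and o <= ho for hd, hp, ho in have)
    ]

if __name__ == "__main__":
    print(missing_listeners(BEFORE_FIX, "transparent_ssl"))
```
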
#4
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#5
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
Package in nethserver-testing:
- nethserver-squid-1.3.3-1.1.gbe9c2f2.ns6.noarch.rpm
- Check the bug is not reproducible
#7
Updated by Nicola Rauso over 6 years ago
- Assignee set to Nicola Rauso
#8
Updated by Nicola Rauso over 6 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Nicola Rauso)
- % Done changed from 70 to 90
Tested: OK
#9
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Released in nethserver-updates:
- nethserver-squid-1.3.4-1.ns6.noarch.rpm