Bug #3128
Proxy http doesn't allow http traffic when set in SSL transparent mode
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-squid | | |
| Target version: | v6.6 | | |
| Security class: | | Resolution: | |
| Affected version: | v6.6-final | NEEDINFO: | No |
Description
The http proxy, when set in ssl transparent mode, blocks all the http traffic; only the https traffic is properly handled by squid.
Associated revisions
squid.conf: enable port 3129 when ssl transparent mode is enabled. Refs #3128
History
#1 Updated by Davide Marini over 6 years ago
In the squid.conf there are only configurations for manual proxy and https proxy, this fragment seems to be missing:
```
# Enable transparent proxy
http_port 3129 transparent
```
#2 Updated by Davide Marini over 6 years ago
- Priority changed from Normal to High
#3 Updated by Giacomo Sanchietti over 6 years ago
- Category set to nethserver-squid
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
- Affected version set to v6.6-final
The bug is confirmed.
Workaround
Create a custom template /etc/e-smith/templates-custom/etc/squid/squid.conf/40ports:

```
{
    use esmith::NetworksDB;
    my $ndb = esmith::NetworksDB->open_ro();
    my $green_mode = $squid{'GreenMode'} || "manual";
    my $blue_mode = $squid{'BlueMode'} || "manual";

    $OUT.="\n# Always enable manual proxy\n";
    $OUT.="http_port 3128\n";

    # /transparent/ matches both 'transparent' and 'transparent_ssl',
    # so plain HTTP is intercepted in SSL transparent mode as well
    if ($green_mode =~ /transparent/ || (defined($ndb->blue()) && $blue_mode =~ /transparent/)) {
        $OUT.="\n# Enable transparent proxy\n";
        $OUT.="http_port 3129 transparent\n";
    }

    if ($green_mode eq 'transparent_ssl' || (defined($ndb->blue()) && $blue_mode eq 'transparent_ssl')) {
        # The last two directives make squid accept upstream certificates
        # that fail verification
        $OUT.="\n# Enable SSL transparent proxy
https_port 3130 transparent ssl-bump generate-host-certificates=on cert=/etc/pki/tls/certs/NSRV.crt key=/etc/pki/tls/private/NSRV.key
acl https_proto proto https
always_direct allow https_proto
ssl_bump none localhost
ssl_bump none bypass_ssl
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER";
    }
}
```
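A check for the rendered configuration, as an added example that is not part of the original issue or of the nethserver-squid package: it flags an SSL-intercepting `https_port` with no transparent `http_port` (the condition reported here) and the two directives in the workaround that disable upstream certificate verification. The sample fragments and the names `parse_ports` and `audit` are constructed for illustration.

```python
import re

# Constructed samples: a rendered ports fragment before and after the fix.
BROKEN = """\
# Always enable manual proxy
http_port 3128

# Enable SSL transparent proxy
https_port 3130 transparent ssl-bump generate-host-certificates=on
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""
FIXED = BROKEN.replace(
    "\n# Enable SSL", "\n# Enable transparent proxy\nhttp_port 3129 transparent\n\n# Enable SSL", 1)


def parse_ports(conf):
    """Return [(directive, port, options)] for every http_port/https_port line."""
    ports = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        m = re.match(r"(https?_port)\s+(\S+)\s*(.*)", line)
        if m:
            ports.append((m.group(1), m.group(2), set(m.group(3).split())))
    return ports


def audit(conf):
    """Return a list of findings for a rendered squid.conf."""
    ports = parse_ports(conf)
    intercept = {"transparent", "intercept"}   # squid accepts either keyword
    http_tp = [p for d, p, o in ports if d == "http_port" and o & intercept]
    https_tp = [p for d, p, o in ports if d == "https_port" and o & intercept]
    findings = []
    if https_tp and not http_tp:
        findings.append("https_port %s intercepts HTTPS but no transparent http_port exists"
                        % ",".join(https_tp))
    if re.search(r"^[ \t]*sslproxy_flags[ \t]+.*DONT_VERIFY_PEER", conf, re.M):
        findings.append("sslproxy_flags DONT_VERIFY_PEER: upstream certificates are not verified")
    if re.search(r"^[ \t]*sslproxy_cert_error[ \t]+allow[ \t]+all\b", conf, re.M):
        findings.append("sslproxy_cert_error allow all: certificate errors are ignored")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(conf))
```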
#4 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#5 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
Package in nethserver-testing:
- nethserver-squid-1.3.3-1.1.gbe9c2f2.ns6.noarch.rpm
- Check the bug is not reproducible
#7 Updated by Nicola Rauso over 6 years ago
- Assignee set to Nicola Rauso
#8 Updated by Nicola Rauso over 6 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Nicola Rauso)
- % Done changed from 70 to 90
Tested: OK
#9 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Released in nethserver-updates:
- nethserver-squid-1.3.4-1.ns6.noarch.rpm