Bug #3128

Proxy http doesn't allow http traffic when set in SSL transparent mode

Added by Davide Marini over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: High
Due date:
Assignee: -
% Done: 100%
Category: nethserver-squid
Target version: v6.6
Security class:
Resolution:
Affected version: v6.6-final
NEEDINFO: No

Description

The HTTP proxy, when set in SSL transparent mode, blocks all the HTTP traffic; only the HTTPS traffic is properly handled by squid.

Associated revisions

Revision be9c2f2b
Added by Giacomo Sanchietti over 6 years ago

squid.conf: enable port 3129 when ssl transparent mode is enabled. Refs #3128

History

#1 Updated by Davide Marini over 6 years ago

In the squid.conf there are only configurations for manual proxy and HTTPS proxy; this fragment seems to be missing:

# Enable transparent proxy
http_port 3129 transparent

#2 Updated by Davide Marini over 6 years ago

  • Priority changed from Normal to High

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Category set to nethserver-squid
  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20
  • Affected version set to v6.6-final

The bug is confirmed.

Workaround

Create a custom template /etc/e-smith/templates-custom/etc/squid/squid.conf/40ports:

{
   use esmith::NetworksDB;
   my $ndb = esmith::NetworksDB->open_ro();
   my $green_mode = $squid{'GreenMode'} || "manual";
   my $blue_mode = $squid{'BlueMode'} || "manual";

   $OUT.="\n# Always enable manual proxy\n";
   $OUT.="http_port 3128\n";

   if ($green_mode =~ /transparent/ || (defined($ndb->blue()) && $blue_mode =~ /transparent/)) {
       $OUT.="\n# Enable transparent proxy\n";
       $OUT.="http_port 3129 transparent\n";
   } 
   if ($green_mode eq 'transparent_ssl' || (defined($ndb->blue()) && $blue_mode eq 'transparent_ssl')) {
       $OUT.="\n# Enable SSL transparent proxy
https_port 3130 transparent ssl-bump generate-host-certificates=on cert=/etc/pki/tls/certs/NSRV.crt key=/etc/pki/tls/private/NSRV.key
acl https_proto proto https
always_direct allow https_proto
ssl_bump none localhost
ssl_bump none bypass_ssl
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER";
   }
}

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:
  • nethserver-squid-1.3.3-1.1.gbe9c2f2.ns6.noarch.rpm

Test case
  • Check the bug is not reproducible
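
A regression check for this test case, as an added example that is not part of the ticket or of nethserver-squid: it parses a rendered squid.conf, reports an intercepting https_port that has no intercepting http_port beside it (the symptom reported here), and separately notes when the configuration turns off upstream certificate verification. The two sample configurations are constructed from the fragments quoted in this ticket, and the function names are hypothetical.

```python
# Added example: consistency check for the listener lines of a rendered squid.conf.
INTERCEPT = {"transparent", "intercept"}  # later Squid releases name the option "intercept"

# Constructed sample: output in SSL transparent mode without the missing fragment.
BROKEN = """\
# Always enable manual proxy
http_port 3128

# Enable SSL transparent proxy
https_port 3130 transparent ssl-bump generate-host-certificates=on cert=/etc/pki/tls/certs/NSRV.crt key=/etc/pki/tls/private/NSRV.key
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""
# Constructed sample: the same output with the fragment from comment #1 present.
FIXED = BROKEN.replace(
    "http_port 3128\n",
    "http_port 3128\n\n# Enable transparent proxy\nhttp_port 3129 transparent\n",
)


def listeners(conf):
    """Return (directive, port, options) for every http_port/https_port line."""
    out = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("http_port", "https_port"):
            port = int(parts[1].rsplit(":", 1)[-1])  # accepts "3129" or "addr:3129"
            out.append((parts[0], port, set(parts[2:])))
    return out


def check_ports(conf):
    """Return findings; an empty list means the listeners are consistent."""
    ls = listeners(conf)
    http_tp = [p for d, p, o in ls if d == "http_port" and o & INTERCEPT]
    https_tp = [p for d, p, o in ls if d == "https_port" and o & INTERCEPT]
    manual = [p for d, p, o in ls if d == "http_port" and not o & INTERCEPT]
    findings = []
    if https_tp and not http_tp:
        findings.append("HTTPS intercepted on %s but no transparent http_port" % https_tp)
    if not manual:
        findings.append("no manual http_port")
    return findings


def upstream_tls_unverified(conf):
    """True if the config turns off verification of origin-server certificates."""
    return any(line.split()[:2] == ["sslproxy_flags", "DONT_VERIFY_PEER"]
               for line in conf.splitlines())
```

On the fixed sample `check_ports` returns an empty list, while `upstream_tls_unverified` still returns True because the SSL fragment is unchanged by the fix.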

#7 Updated by Nicola Rauso over 6 years ago

  • Assignee set to Nicola Rauso

#8 Updated by Nicola Rauso over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Nicola Rauso)
  • % Done changed from 70 to 90

Tested: OK

#9 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver-updates:
  • nethserver-squid-1.3.4-1.ns6.noarch.rpm
