Author Topic: HTTP Transparent Proxy  (Read 3296 times)

VSpike

HTTP Transparent Proxy
« on: July 22, 2011, 11:24:42 am »
Hi!

I enabled HTTP transparent proxy, and it worked fine except as per the warning, HTTPS did not work.  I tried to resolve this by:-
  • Creating a service type for HTTPS with source any and destination 443
  • Going to Packet Filter ▸ Internal networks where I have "Any/Any/POP3" and "Any/Any/Any" and adding "Any/Any/HTTPS"
This didn't seem to help.

I then disabled the transparent proxy, and most machines on the network lost the ability to access the web via HTTP and HTTPS.  Strangely, one still worked and I can't work out why.  Turned transparent proxy back on, and HTTP is back but of course no HTTPS.

Ideally I'd like to fix HTTPS access and use transparent proxying so could anyone please advise me the correct way to do it?

Thanks!

Christophe

Re: HTTP Transparent Proxy
« Reply #1 on: July 22, 2011, 11:41:44 am »
DELL PowerEDGE R210 - ESXi 4.1 - 4 VM Zentyal

VSpike

Re: HTTP Transparent Proxy
« Reply #2 on: July 22, 2011, 11:52:04 am »
I've done some more investigating and fired up some more machines.  The strange thing is that the Linux machines on the network can access HTTP and HTTPS fine with the current arrangement (note that I deleted my HTTPS firewall rule, but I have an any/any rule which should permit it anyway, as far as I can tell).  The Windows 7 machines cannot access HTTPS.

Why on earth should this be?

Christophe

Re: HTTP Transparent Proxy
« Reply #3 on: July 22, 2011, 12:00:50 pm »
OK.

If I understand, you want to use the transparent proxy to filter some URLs in transparent mode?
In this case, HTTPS will not be filtered by the proxy.

Is that what you want to do?

VSpike

Re: HTTP Transparent Proxy
« Reply #4 on: July 22, 2011, 12:06:49 pm »
Hi Christophe. 

At the moment, I'd like all my machines to access HTTP and HTTPS somehow!

But my ideal scenario is to use transparent proxying for HTTP only.  I'm not really interested in filtering - just the benefits of the squid cache.

Transparent proxying works OK.
HTTP access is good for all machines.
HTTPS access only works for Linux machines!

John

Christophe

Re: HTTP Transparent Proxy
« Reply #5 on: July 22, 2011, 12:08:58 pm »
OK John,

Did you put the firewall rules you modified in the initial config?

To start with a fresh install, just disable and enable the proxy module.

VSpike

Re: HTTP Transparent Proxy
« Reply #6 on: July 22, 2011, 12:24:34 pm »
When I disable the HTTP transparent proxy, the Windows machines lose access to HTTP as well!  But the Linux machines are still fine.

I know the Linux machines were using the proxy because I did a tail -f on the Squid log and opened web pages on a Linux box.

What could be so different about the packets from Windows?

VSpike

Re: HTTP Transparent Proxy
« Reply #7 on: July 22, 2011, 12:30:53 pm »
OK, the proxy is a red herring!  Sorry...

The Win 7 machines have no TCP access to the internet.  Although ping works OK.

The transparent proxying allowed them to access HTTP and nothing else.

Christophe

Re: HTTP Transparent Proxy
« Reply #8 on: July 22, 2011, 12:33:24 pm »
Quote
When I disable the HTTP transparent proxy, the Windows machines lose access to HTTP as well!

Normally, if you disable transparent mode, your web access should continue to get internet access, but without the cache!

Did you set a proxy on the Windows machines?
In transparent mode, you don't need to set anything. All HTTP requests will be redirected to the proxy.
If not, your proxy doesn't work properly or you forgot to disable a manual config.
« Last Edit: July 22, 2011, 12:35:31 pm by Christophe »

Christophe

Re: HTTP Transparent Proxy
« Reply #9 on: July 22, 2011, 12:36:43 pm »
Does everything work now as you want?

VSpike

Re: HTTP Transparent Proxy
« Reply #10 on: July 22, 2011, 12:42:24 pm »
Hi Christophe-

No, I set no proxy setup on any clients.

There is a problem with my network config, and I think I know what.  I have a single LAN with a single IP subnet. The gateway on the LAN is my ISP's router.  I've set the Zentyal box as the gateway for clients via DHCP, and told Zentyal to use the router as a gateway.

I suspect outgoing packets are going:

Client -> Zentyal -> Router -> Internet

But incoming packets are going:

Internet -> Router -> Client

I think Windows' firewall is probably dropping packets because of the route change or something similar.

I probably need to run two subnets on the same physical LAN - one for Zentyal and the clients, and one for Zentyal and the router.

Next question - which should be the "Virtual" interface, or does it not matter?  And will Zentyal enable routing between the primary IP and Virtual IPs on the same adapter?
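
The path asymmetry suspected in the post above, modelled as an added example that is not part of the original thread: which hops a reply takes back to a client, depending on whether the client is on-link for the upstream router. The addresses and the `gateway_snat` / `router_route_via_gateway` flags are assumptions made for illustration; "gateway" stands for the Zentyal box and "router" for the ISP router.

```python
import ipaddress

def reply_path(client, router_iface, gateway_snat=False, router_route_via_gateway=False):
    """Hops a reply takes from the Internet back to a LAN client whose
    default gateway forwards everything to an upstream router."""
    router_net = ipaddress.ip_interface(router_iface).network
    if gateway_snat:
        # Router only ever sees the gateway's address, so replies go back to it.
        return ["internet", "router", "gateway", "client"]
    if ipaddress.ip_address(client) in router_net:
        # Client is on-link for the router: it ARPs for the client and
        # delivers directly, so the gateway never sees the reply.
        return ["internet", "router", "client"]
    if router_route_via_gateway:
        # Router holds a static route for the client subnet via the gateway.
        return ["internet", "router", "gateway", "client"]
    # Router has no route to the client subnet: the reply cannot be delivered.
    return ["internet", "router", "dropped"]

def gateway_sees_replies(path):
    """True when a stateful firewall or proxy on the gateway sees both directions."""
    return "gateway" in path

# Constructed sample addresses (not taken from the thread).
ROUTER = "192.168.1.1/24"
SCENARIOS = {
    "single subnet, no NAT on gateway": reply_path("192.168.1.50", ROUTER),
    "single subnet, gateway does SNAT": reply_path("192.168.1.50", ROUTER, gateway_snat=True),
    "clients on own subnet, static route on router": reply_path(
        "192.168.2.50", ROUTER, router_route_via_gateway=True),
    "clients on own subnet, no route, no NAT": reply_path("192.168.2.50", ROUTER),
}

if __name__ == "__main__":
    for name, path in SCENARIOS.items():
        print(f"{name:48s} {' -> '.join(path)}  "
              f"gateway sees replies: {gateway_sees_replies(path)}")
```
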

stuartiannaylor

  • Guest
Re: HTTP Transparent Proxy
« Reply #11 on: July 22, 2011, 12:43:08 pm »
I don't seem to have any probs with Windows 7 and transparent proxy mode. I can't remember now as it's been working well for over a year now.
I would just enable the HTTPS service on all connections, not just internal to Zentyal, and see how you go. Then step by step disable it and see when it stops.
The Zentyal service I work with is in a community centre with a drop computer access and a youth club. So the only problems I have are with authentication. That does work but it seems only by basic authentication plain text.
Going back to transparent mode and HTTPS, my understanding is that the encryption is between the client and web provider. If Squid did proxy HTTPS it would still have to open "a tunnel" for each client anyway so there would be little point in transparent mode.
If you wanted to authenticate and filter then HTTPS through Squid would be advantageous. In fact group filters are really important for my installation. The youth club needs to be filtered strictly, registered users need a certain level but admins can be carte blanche.
This works for HTTP with a plain text logon dialog but HTTPS is bypassed and there are undesirable sites out there that do make use of this bypass.

I get the feeling that Windows 7 and Microsoft are the main problem to this and until Samba4 we are stuck with NT4 methods and some problems with authentication.

Then again, saying all that, apart from setting up Zentyal via the webadmin GUI, I have got quite lost with Squid authentication. If any Squid guru or Zentyal staff fancies knocking together a community guide to Squid and authentication I am sure it would be of much use.

Stuart

 

Christophe

Re: HTTP Transparent Proxy
« Reply #12 on: July 22, 2011, 01:03:04 pm »
Quote
There is a problem with my network config, and I think I know what.  I have a single LAN with a single IP subnet. The gateway on the LAN is my ISP's router.  I've set the Zentyal box as the gateway for clients via DHCP, and told Zentyal to use the router as a gateway.

Transparent will only work if Zentyal is your internet gateway.
Could you set your box in bridge mode? If not, you should use non-transparent proxy mode.

Please tell us all your config, because we can't help you if you don't tell us everything.
« Last Edit: July 22, 2011, 01:06:47 pm by Christophe »