D
D
dmierm2018-08-11 17:52:53
openvpn
dmierm, 2018-08-11 17:52:53

How to forward ports 80 and 443 to squid located on a remote server?

The essence of the problem:
There is a vps with a configured OpenVpn ip tunnel interface tun1 10.10.1.1
There is an OpenWrt router (10.55.44.1) it has an OpenVpn client (in site-to-site mode) configured with the address tun1 10.10.1.3
Behind the router there is a subnet 10.55.44.0 /24. Traffic goes to vps, there are no problems here. The vps has squid installed and set to transparent proxy mode. How to forward ports 80 and 443 from subnet 10.55.44.0/24 to squid?
Rules that I write on OpenWrt:
iptables -t nat -A PREROUTING -s 10.55.44.0/24 -p tcp --dport 80 -j DNAT --to-destination 10.10.1.1:3128
iptables -t nat -A PREROUTING -s 10.55 .44.0/24 -p tcp --dport 443 -j DNAT --to-destination 10.10.1.1:3129
Squid config:
acl localnet src 10.10.1.1/32
acl homenet src 10.55.44.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow all CONNECT
http_access allow all
http_access allow localnet
http_access allow localhost
http_access allow homenet
http_access deny all
http_port 3128 intercept options=NO_SSLv3:NO_SSLv2
http_port 3130 options=NO_SSLv3:NO_SSLv2
https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert= /etc/squid/ssl_cert/myCA.pem
cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/myCA.pem
cert=/etc/squid/ssl_cert/myCA.pem
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
check_hostnames off
dns_nameservers 10.10.1.1
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i ( /cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
memory_replacement_policy lru
logfile_rotate 6

Answer the question

In order to leave comments, you need to log in

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question