Help on Proxy Server Configuration

[bluegrass]

I need help on the configuration of me Proxy Server with Firewall. I am trying to configure it to work as a transparent proxy.

My problem is that I can't access any https: sites transparently, only http:
https: sites can be access only if proxy is configured manually at the user's pc.

Server Configuration:

OS - Debian Etch 2.6
Proxy - Squid 2.6
Firewall - Shorewall 3.2

Here are my shorewall files and squid configuration

/etc/shorewall/interfaces

Code:

#ZONE	INTERFACE	BROADCAST	OPTIONS
net	eth0		detect
loc	eth1		detect		routeback,blacklist

/etc/shorewall/zones

Code:

#ZONE	TYPE		OPTIONS		IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net	ipv4
loc	ipv4

/etc/shorewall/masq

Code:

#INTERFACE		SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
eth0			eth1
eth1			eth1		192.168.0.1

/etc/shorewall/policy

Code:

#SOURCE		DEST		POLICY		LOG		LIMIT:BURST
#						LEVEL

loc		net		ACCEPT		info
loc		$FW		ACCEPT		info

$FW		all		ACCEPT		info

net		all		REJECT		info

all		all		DROP		info

/etc/shorewall/rules

Code:

#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
#						PORT(S)	PORT(S)		DEST		LIMIT		GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT:info	loc		net		tcp	443

REDIRECT 	loc		3128		tcp	www	-	!192.168.0.1/23
ACCEPT		$FW		net		tcp	www

ACCEPT:info	net		$FW		tcp	443
ACCEPT:info	$FW		loc		tcp	443
ACCEPT:info	$FW		net		tcp	443

DROP	net		$FW		tcp	22
DROP	loc		net		tcp	25

/etc/squid/squid.conf

Code:

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
url_rewrite_program /usr/bin/squidGuard
url_rewrite_children 5
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443		# https
acl SSL_ports port 563		# snews
acl SSL_ports port 873		# rsync
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 631		# cups
acl Safe_ports port 873		# rsync
acl Safe_ports port 901		# SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.0.1-192.168.15.255
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid

[Ziplock]

Hi,

You can't cache SSL traffic. You need to forward it through your firewall directly, only NAT'ing on the way. Not sure how to do that in shorewall.