Topic: Using the proxy for SSH (SFTP) and other protocols (Read 7486 times)
Jürgen Garbe (Newbie, Posts: 27, Karma: 0)
Using the proxy for SSH (SFTP) and other protocols
« on: June 04, 2020, 03:16:09 pm »
Hi,
I successfully enabled the squid-based proxy (as a transparent one), so HTTP(S) access from a browser works fine.
Now I want to use this proxy (or another?) for SSH, SFTP and maybe other protocols to be able to log these connections and maybe block some of them in future.
I am using Putty on my Windows client and configured the proxy settings in Putty like I did before using the (good) old AVM Ken! proxy (use HTTP proxy) without success. I tried to use ports 80, 443, 3128 and 3129.
Anyone any ideas?
Thank you in advance!
« Last Edit: June 08, 2020, 03:37:19 pm by Jürgen Garbe »
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: Using the proxy for SSH (SFTP) and other protocols
« Reply #1 on: June 04, 2020, 11:04:29 pm »
You just need to write a custom ACL to allow that.
Jürgen Garbe (Newbie, Posts: 27, Karma: 0)
Re: Using the proxy for SSH (SFTP) and other protocols
« Reply #2 on: June 05, 2020, 08:55:42 am »
Ok, after some reading I added both lines:
acl SSL_ports port 22
acl Safe_ports port 22
in a new file ssl.conf in /usr/local/etc/squid/pre-auth, but still have no success.
Squid is configured as transparent proxy.
Therefore I added a port forward rule to NAT and firewall LAN rules (please see appended screenshots).
I tried using PuTTY to connect using "none" proxy and got "Server unexpectedly closed network connection".
I tried to connect using HTTP proxy on port 22 and got "Proxy error: HTTP response was absent".
Using HTTP proxy port 3128: got "Server unexpectedly closed network connection".
Using HTTP proxy port 1212: got "Network error: Connection timed out".
Any further hints?
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: Using the proxy for SSH (SFTP) and other protocols
« Reply #3 on: June 05, 2020, 10:29:24 pm »
Try it on the normal port with an HTTP proxy, and forget FTP over squid that way; you need the http proxy plugin.
Jürgen Garbe (Newbie, Posts: 27, Karma: 0)
Re: Using the proxy for SSH (SFTP) and other protocols
« Reply #4 on: June 08, 2020, 07:07:47 am »
Dear fabian, thanks for replying.
Please excuse my rookie question, but I was not able to identify the http proxy plugin in the list of plugins.
Maybe you could tell me the exact name of it so that I can find it in the list?
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: Using the proxy for SSH (SFTP) and other protocols
« Reply #5 on: June 08, 2020, 08:21:46 am »
That is not a plugin of its own. That is the non-transparent mode of squid. It is called HTTP proxy because it is using HTTP CONNECT. For that, you connect directly to the proxy and not transparently.
Jürgen Garbe (Newbie, Posts: 27, Karma: 0)
Re: Using the proxy for SSH (SFTP) and other protocols
« Reply #6 on: June 08, 2020, 11:22:33 am »
Dear Fabian,
that's what I originally tried (please have a look at my first post in this thread). I tried FileZilla and PuTTY too, setting the proxy to HTTP on port 3128 in connect mode (which works perfectly using AVM KEN!), but it didn't work at all.
So I don't have any further idea.
Another strange aspect of this Squid implementation I don't understand I saw testing:
If I disable the checkbox "Enable transparent HTTP proxy" and set the correct proxy address (OPNsense) and ports (HTTP: 3128, HTTPS: 3129), then only HTTP access works; HTTPS no longer does.
Enabling transparent mode again and using "direct, no proxy" in the browser, both are working again.
What's my mistake/misunderstanding?
Please find all needed screenshots appended.
Jürgen Garbe (Newbie, Posts: 27, Karma: 0)
Re: Using the proxy for SSH (SFTP) and other protocols
« Reply #7 on: June 08, 2020, 11:23:20 am »
Final Attachment (was not allowed to post more than 4 at once)...
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: Using the proxy for SSH (SFTP) and other protocols
« Reply #8 on: June 08, 2020, 09:01:05 pm »
FileZilla will not work; you need the os-ftp-proxy plugin for that. SSH should work if it is in the safe ports ACL. Have you stored the squid config and applied it? Do the NAT rules have associated filter rules? Why is HTTPS failing? Are you missing a CA, or did you miss installing it on the client?
Jürgen Garbe (Newbie, Posts: 27, Karma: 0)
Re: Using the proxy for SSH (SFTP) and other protocols
« Reply #9 on: June 09, 2020, 10:49:03 am »
1. What I learned about Squid as HTTP proxy in conjunction with HTTPS (which explains my former statement that there is a problem with HTTPS, which is not true) [solved]:
1.1. Squid configured as transparent:
1.1.1. Browser direct:
works for both HTTP and HTTPS
1.1.2. Browser direct, NAT 443->3128 instead of NAT 443->3129:
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
-> so in transparent mode, HTTPS over port 3128 doesn't work per NAT if using the browser in direct mode
1.1.3. Browser proxy on HTTP 3128, HTTPS 3129 (not expected, which led to my wrong statement before):
HTTP works, HTTPS fails with timeout
1.1.4. Browser proxy on HTTP 3128, HTTPS 3128 too:
HTTP works, HTTPS works
1.2. Squid not in transparent mode:
1.2.1. Browser proxy on HTTP 3128, HTTPS 3129 (not expected, which led to my wrong statement before):
HTTP works, HTTPS fails with timeout
1.2.2. Browser proxy on HTTP 3128, HTTPS 3128 too:
HTTP works, HTTPS works
1.3. Conclusion for HTTPS (whether transparent mode is used or not): If a proxy is configured, the HTTPS port is 3128, not 3129. -> [Understood and solved].
Side note: I do not use a CA, because I do not want to break the SSL connection.
2. Trying hard to be able to use SSH through Squid
For instance I used hints found on
https://www.seniorlinuxadmin.co.uk/ssh-over-proxy.html
to configure Squid and also Putty for my tests.
Firewall rules should be fine, because all ports are tested during my HTTP/HTTPS tests above.
Both lines:
acl SSL_ports port 22
acl Safe_ports port 22
should do the job...
2.1. In non-transparent mode I attempted without success to
* include both lines in a new file in /usr/local/etc/squid/pre-auth (and restarted Squid)
* include both lines directly in /usr/local/etc/squid/squid.conf (and restarted Squid)
using the proxy settings HTTP, <address of my OPNsense>, port 3128.
The message I got was "Server unexpectedly closed network connection".
2.2. In transparent mode I repeated attempting, without success, to
* include both lines in a new file in /usr/local/etc/squid/pre-auth (and restarted Squid)
* include both lines directly in /usr/local/etc/squid/squid.conf (and restarted Squid)
Using the proxy settings HTTP, <address of my OPNsense>, port 3128, the error message I got was "Server unexpectedly closed network connection".
Using the proxy settings HTTP, <address of my OPNsense>, port 80, the error message I got was "Proxy error 405. Method not allowed".
2.3. So unfortunately this topic is still unsolved. I very much appreciate your efforts to help me, but still couldn't find my mistake...
« Last Edit: June 09, 2020, 01:42:28 pm by Jürgen Garbe »
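An added diagnostic (not from this thread, OPNsense or Squid) that does what PuTTY does in "HTTP proxy" mode, sends a CONNECT for the SSH target through the proxy and classifies the reply, so the three different error messages reported above can be told apart; the proxy and target addresses in the usage line are placeholders.

```python
import socket

# Constructed helper: reproduce the CONNECT handshake a client such as PuTTY
# performs against a Squid listener and interpret the proxy's first reply.

def build_connect_request(target_host: str, target_port: int) -> bytes:
    """HTTP/1.1 CONNECT request as an 'HTTP proxy' client sends it."""
    return (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
            f"Host: {target_host}:{target_port}\r\n\r\n").encode()

def parse_proxy_reply(raw: bytes):
    """Return (status_code, bytes after the headers); (None, raw) if no HTTP status line."""
    if not raw:
        return None, b""          # what PuTTY reports as "HTTP response was absent"
    head, _, rest = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[0].startswith(b"HTTP/"):
        return None, raw          # e.g. an SSH banner: the port was NATed straight to sshd
    return int(status_line[1]), rest

def explain(code, body: bytes) -> str:
    """Map the reply to the situations discussed in the thread."""
    if code is None:
        return "no HTTP status: this port is not a CONNECT-capable proxy listener"
    if code == 405:
        return "405: this listener does not accept the CONNECT method"
    if code == 403:
        return "403: CONNECT denied by http_access (check SSL_ports/Safe_ports ACLs for the target port)"
    if code == 200:
        return ("tunnel up, SSH banner received" if body.startswith(b"SSH-")
                else "tunnel up, no SSH banner yet")
    return f"unexpected proxy status {code}"

def probe(proxy_host, proxy_port, target_host, target_port=22, timeout=5.0):
    """Open the tunnel through the proxy and return (status_code, explanation)."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(target_host, target_port))
        try:
            raw = s.recv(4096)
        except socket.timeout:
            raw = b""
        code, body = parse_proxy_reply(raw)
        return code, explain(code, body)

if __name__ == "__main__":
    # placeholder addresses: proxy (OPNsense) on 3128, SSH host behind it
    print(probe("192.0.2.1", 3128, "192.0.2.10"))
```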