Squid transparent mode not listening on SSL Proxy Port

Started by DavidSte1, December 01, 2024, 05:32:25 PM

December 01, 2024, 05:32:25 PM Last Edit: December 01, 2024, 05:33:57 PM by DavidSte1
Hi all,

I'm working on getting squid running as a transparent proxy for both HTTP and HTTPS traffic (in order to avoid having to configure clients individually and to enable usage reporting from the logs).

I have it set up as per the OPNSense docs and it works OK if I manually configure the proxy in a browser, and tick the box to use the single port (3128) for both HTTP and HTTPS. Inspection and filtering works with a proxy set in the browser (and of course a trusted certificate), although this is not a requirement.

However, I can't work out how to make it work as a transparent proxy with the NAT rules. If I send traffic for both HTTP and HTTPS to 3128, or separately to 3128 and 3129, the HTTPS traffic doesn't work in either case.

It looks like although the port is defined in the Web GUI, it doesn't actually create a listener. I do see traffic on 3129 allowed through the firewall rules, so it appears to be something in squid itself. Indeed, in squid.conf I only see listeners for 3128. Is this a bug in the WebGUI or have I missed some other setting?

This is the squid config for listeners:
# Setup transparent mode listeners on loopback interfaces
http_port 127.0.0.1:3128 intercept
http_port [::1]:3128 intercept

# Setup regular listeners configuration
http_port 192.168.11.251:3128
http_port 127.0.0.1:3128
http_port [::1]:3128

I've tried what feels like every combination of options and got nowhere so any help would be appreciated.

December 22, 2024, 10:38:16 PM #1 Last Edit: December 22, 2024, 10:41:40 PM by droumanet
On my version 24.7.11_2, I could find these lines in /usr/local/etc/squid/squid.conf

# Setup transparent mode listeners on loopback interfaces
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

# Setup regular listeners configuration
http_port 172.31.0.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

The file should not be manually modified; you should follow the documentation: https://docs.opnsense.org/manual/how-tos/proxytransparent.html (especially check SSL inspection in the "Forward proxy" tabs).
Hope this could help you...

@DavidSte1

I came across this thread today with the same issue as you.

What I observed is that if you tick the "Enable Transparent HTTP proxy" option while "Enable SSL inspection" is enabled you will get a /usr/local/etc/squid/squid.conf which includes entries like this:

# Setup transparent mode listeners on loopback interfaces
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

# Setup regular listeners configuration
http_port 192.168.50.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [2407:8800:bcc2:7700::1]:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port 192.168.52.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port 192.168.50.24:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on

Notably, a listener gets added to localhost on 3129 for the first time. I created a NAT rule to redirect traffic for 3129 to OPNsense and it seems to progress. Yet to get it 100% working.
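Both posts above come down to the same check: does the generated squid.conf actually contain an `intercept` listener for every port the NAT rules redirect to? The following script is an added diagnostic (not from the thread or from OPNsense) that parses a squid.conf and reports this per port; the embedded config is a constructed copy of the first post's listener block, which has no 3129 listener.

```shell
#!/bin/sh
# Added example: list Squid intercept listeners per port so NAT redirect
# targets can be checked against squid.conf before debugging firewall rules.

# Constructed sample reproducing the first post's listener block (no 3129).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# Setup transparent mode listeners on loopback interfaces
http_port 127.0.0.1:3128 intercept
http_port [::1]:3128 intercept

# Setup regular listeners configuration
http_port 192.168.11.251:3128
http_port 127.0.0.1:3128
http_port [::1]:3128
EOF

# intercept_listeners CONF PORT
# Prints "directive address ssl-bump|plain" for each intercept listener on
# PORT (IPv4 or bracketed IPv6); exit 0 if at least one exists, else 1.
intercept_listeners() {
    conf=$1; port=$2
    awk -v port="$port" '
        /^(http|https)_port[ \t]/ {
            addr = $2
            n = split(addr, parts, ":")        # port is the last ":" field
            if (parts[n] != port) next
            intercept = 0; bump = "plain"
            for (i = 3; i <= NF; i++) {
                if ($i == "intercept") intercept = 1
                if ($i == "ssl-bump")  bump = "ssl-bump"
            }
            if (intercept) { print $1, addr, bump; found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# nat_targets_covered CONF PORT...
# Exit 0 only if every redirect target port has an intercept listener.
nat_targets_covered() {
    conf=$1; shift; rc=0
    for p in "$@"; do
        if intercept_listeners "$conf" "$p" >/dev/null; then
            echo "port $p: intercept listener present"
        else
            echo "port $p: NO intercept listener, redirected traffic will fail"
            rc=1
        fi
    done
    return $rc
}

if nat_targets_covered "$SAMPLE_CONF" 3128 3129; then
    echo "squid.conf covers all redirect ports"
else
    echo "fix the Forward Proxy settings and regenerate squid.conf"
fi
```

Run it against /usr/local/etc/squid/squid.conf to see whether the https_port 3129 lines from the later posts are present before touching the NAT rules.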