Author Topic: Ports used by Squid 3128/3129  (Read 11927 times)

ruggerio

Ports used by Squid 3128/3129
« on: March 13, 2019, 01:45:34 pm »
Hi,

Can anybody tell me on which port SNI is called? Is it still 3128 for non-HTTPS, or is it on port 3129 for SSL? I wanted to disable 3129, as I don't do SSL inspection, but it's needed for SNI, correct?

Also, I have all NAT and firewall rules for the transparent proxy, but I still often get drops to 127.0.0.1:3129; I have no explanation for this.

Northguy
Re: Ports used by Squid 3128/3129
« Reply #1 on: March 15, 2019, 11:34:37 am »
Quote from: ruggerio on March 13, 2019, 01:45:34 pm
Hi,

Can anybody tell me on which port SNI is called? Is it still 3128 for non-HTTPS, or is it on port 3129 for SSL? I wanted to disable 3129, as I don't do SSL inspection, but it's needed for SNI, correct?


You define the ports yourself in Services: Web Proxy: Administration. By default, 3128 is HTTP and 3129 is HTTPS.

If you don't want to do SSL inspection, then you also don't need to tick the SNI checkbox, as SSL inspection needs to be enabled for the SNI tick box to have any effect in your configuration. In this case you need to remove the port forward for HTTPS.
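
Added example (not part of the thread and not OPNsense code): the mismatch discussed in the reply above, an HTTPS port forward left enabled while SSL inspection is off, can be checked by cross-referencing redirect targets with Squid's listener lines. The pf rules and squid.conf lines are constructed samples in standard syntax; the function names, and the assumption that no `https_port` listener exists when SSL inspection is disabled, are assumptions of this example.

```python
import re

# Constructed sample: pf redirect rules in standard pf.conf syntax.
PF_RULES = """\
rdr pass on em1 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
rdr pass on em1 inet proto tcp from any to any port 443 -> 127.0.0.1 port 3129
"""

# Constructed sample: squid.conf with SSL inspection off (assumed: no https_port).
SQUID_CONF = """\
http_port 127.0.0.1:3128 intercept
http_port 192.168.1.1:3128
"""

RDR_RE = re.compile(r"^rdr\b.*\bport\s+(\d+)\s*->\s*(\S+)\s+port\s+(\d+)")
LISTEN_RE = re.compile(r"^(https?_port)\s+(?:(\S+):)?(\d+)\b(.*)$")


def squid_listeners(conf):
    """Return {(addr, port): is_intercept} for each http_port/https_port line."""
    listeners = {}
    for line in conf.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            addr = m.group(2) or "*"  # no address given: listens on all
            listeners[(addr, int(m.group(3)))] = "intercept" in m.group(4).split()
    return listeners


def orphan_redirects(pf_rules, conf):
    """List (orig_port, addr, port, reason) for redirects Squid cannot serve."""
    listeners = squid_listeners(conf)
    problems = []
    for line in pf_rules.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        src, addr, dst = int(m.group(1)), m.group(2), int(m.group(3))
        flag = listeners.get((addr, dst), listeners.get(("*", dst)))
        if flag is None:
            problems.append((src, addr, dst, "no listener"))
        elif not flag:
            problems.append((src, addr, dst, "listener not in intercept mode"))
    return problems


if __name__ == "__main__":
    for p in orphan_redirects(PF_RULES, SQUID_CONF):
        print("redirect %d -> %s:%d: %s" % p)
```
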

ruggerio

Re: Ports used by Squid 3128/3129
« Reply #2 on: March 16, 2019, 02:14:37 pm »
Ahaaaaa, the last one on port forwarding is the ugly one. I have it enabled.

Perhaps this needs a quote within the documentation.

Thx!

ruggerio
Re: Ports used by Squid 3128/3129
« Reply #3 on: March 16, 2019, 04:40:28 pm »
I have one further question: to make SNI work properly, it seems that I have to set HTTPS, in the browser's settings, to use the same proxy as HTTP. Then it works.

But how can I handle this with Android? I cannot indicate an explicit SSL proxy. By the way, the proxy is transparent.

Northguy
Re: Ports used by Squid 3128/3129
« Reply #4 on: March 17, 2019, 12:10:04 pm »
Maybe I don't understand your question, or your setup, but for transparent proxy with SNI on SSL and NAT port forwarding you do not need to alter browser settings or upload certificates on clients.

Northguy
Re: Ports used by Squid 3128/3129
« Reply #5 on: March 17, 2019, 02:44:49 pm »
Quote from: ruggerio on March 16, 2019, 02:14:37 pm
Ahaaaaa, the last one on port forwarding is the ugly one. I have it enabled.

Perhaps this needs a quote within the documentation.

Thx!

Pull request with fix has been submitted.

ruggerio
Re: Ports used by Squid 3128/3129
« Reply #6 on: March 18, 2019, 07:10:19 am »
What I've also seen is a difference in handling between transparent and normal proxy (distributed by wpad.dat).

Normal: Proxy gives tcp denied on both http and https
Transparent: Proxy gives tcp denied on http, but a certificate error on https.

What's the difference? Is the whole traffic in both cases not handled by the HTTP port (3128) and then proofed by 3129? There is neither a forwarding on 3129 nor a rule in the firewall for 3129.

Thx!
Ruggerio

Northguy
Re: Ports used by Squid 3128/3129
« Reply #7 on: March 18, 2019, 07:14:53 am »
OPNsense how-tos are quite clear on transparent fw. You should create the port forward yourself. Please also look at the advanced help in OPNsense, as links are present to create forwarding rules. Make sure that you are on the latest firmware. There was an issue with header forgery that has been fixed in 19.1.3.

Sent from my Moto G (5) Plus with Tapatalk


ruggerio
Re: Ports used by Squid 3128/3129
« Reply #8 on: March 18, 2019, 07:31:55 am »
I first created everything according to the 2 manuals for the caching and the transparent proxy, including the rules. All I have corrected now is disabling the forwarding rule for port 3129 (the SSL one).

All the rest is the same; that's why I do not understand why it's not working in transparent mode. It's working flawlessly in non-transparent mode, using wpad.

But still, I would prefer transparent mode...