Redirect blue traffic (port 80,443) to proxy

I have the proxy running in the BLUE zone. The proxy config is distributed via DNS and wpad. OK
The (smart)phone is set to use the proxy, and browsing is OK. But there are some apps that do not use the proxy and try to make a direct connection. But there is IPFire :slight_smile: it drops such packets. So, some apps do not run via WLAN.
Is there a way to redirect all packets from the BLUE zone (ports 80 and 443) to the BLUE proxy?

BTW: this https://wiki.ipfire.org/configuration/firewall/dns
does not work:
Source: Standard network (BLUE)
Destination NAT: automatic
Destination: Firewall ALL
Service Group: http(s) {means 80,443}

Yes (80), no (443). That’s called transparent proxy. There is a checkbox on the configuration page of Squid in IPFire.

Did you install the proxy configuration at the APN level in the phone? In my experience with that setting all the apps used the proxy. But of course, my usage of apps on smartphones is very limited.

Yes (80), no (443). That’s called transparent proxy.
There is a checkbox on the configuration page of Squid in IPFire

OK, this is enabled now, and I added a rule:
Source: Standard Network: BLUE
DNAT: Automatic
Destination: Firewall (ALL)
Protocol: TCP Dest:3128/Ext:443

Now I get for each https request of a WLAN client the message:
error:invalid-request
in the Proxy-Log.

I assume that the app in a mobile phone, if it does not use the configured proxy, tries to send directly to the target. But IPFire redirects it to a (set to automatic) IP address of the IPFire itself. Port 443 is changed to 3128. So the packet reaches the proxy. But then the proxy cannot handle the request. (I tested 8080 instead of 3128, too. Same result.)

Did you install the proxy configuration at the APN level in the phone? In my experience with that setting all the apps used the proxy.

No, this proxy should work in WLAN mode only. So I do not modify the APN-Settings.

Btw: the configured proxy at the phone (which seems to be related to the browser only) is provided via wpad, and the browser uses this proxy for port 443! So I think the IPFire proxy at port 8080 can handle both http and https.

You cannot do transparent proxy on port 443. If you think about it, in order for the transparent proxy to work on an encrypted connection, it is not enough to take the encrypted packets and repackage them to a different IP and port. They have to be decrypted and re-encrypted. Basically a man in the middle kind of "attack". Because that module of Squid was a source of continuous exploits, the developers have removed the option entirely.

This is different when the traffic is destined from the beginning to the proxy, because in this case, squid does not need to decrypt/re-encrypt. It will just forward the traffic as it is back and forth.

Simply, you cannot do transparent proxy on 443. Only port 80 will go.

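To make the distinction in the last two posts concrete, here is an added example (not code from the thread, IPFire or Squid) that classifies the first bytes a plain HTTP proxy listener receives in the three cases discussed: the browser honouring the wpad proxy, an app redirected on port 80, and an app redirected on port 443. The sample byte strings are constructed for illustration.

```python
"""Added example (not from the IPFire thread or the Squid project): shows why
an explicit CONNECT works, a redirected port-80 request works, and a
redirected port-443 connection is logged as an invalid request."""

# Constructed first bytes of three connections as they reach the proxy port.
SAMPLES = {
    # Browser honours the wpad setting: HTTPS arrives as a CONNECT request,
    # so the proxy only relays the encrypted bytes and never decrypts them.
    "browser_via_proxy": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    # App ignoring the proxy on port 80, DNAT'ed to the transparent http_port:
    # still a plain HTTP request with a Host header, so it can be forwarded.
    "app_direct_80": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # App ignoring the proxy on port 443, DNAT'ed 443 -> 3128: the first bytes
    # are a TLS record (content type 0x16, ClientHello), not an HTTP request.
    "app_direct_443": b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 32,
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> str:
    """Label what an HTTP proxy listener sees at the start of a connection."""
    if data.startswith(b"CONNECT "):
        return "connect-tunnel"
    if data.startswith(HTTP_METHODS):
        return "http-request"
    # TLS record header: type 0x16 = handshake, version 3.x, 2-byte length,
    # then the handshake message type 0x01 = ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    return "unknown"


def proxy_outcome(data: bytes) -> tuple:
    """Map the classification to what a plain HTTP proxy port does with it."""
    kind = classify_first_bytes(data)
    outcomes = {
        "connect-tunnel": "relayed: encrypted bytes forwarded to host:443 unchanged",
        "http-request": "served: destination taken from the request line / Host header",
        "tls-client-hello": "rejected: not an HTTP request line (invalid-request)",
    }
    return kind, outcomes.get(kind, "rejected: unrecognised protocol")


if __name__ == "__main__":
    for name, first_bytes in SAMPLES.items():
        print(name, "->", proxy_outcome(first_bytes))
```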