Netgate Discussion Forum

    How to apply https transparent proxy by ip range

    Cache/Proxy
    • G
      genesislubrigas

      Is there a way that I can apply the HTTPS transparent proxy by IP range? Like, I want the employees to pass through that HTTPS transparent proxy, but not the public users under a certain IP range. But I want them all to be under the HTTP transparent proxy.

      • K
        Kababayan

        Yes, use the NAT redirector.

        • G
          genesislubrigas

          Can you please tell me how? I don't know how to create the NAT redirector.

          • K
            Kababayan

            Enable HTTP and HTTPS transparent, then create a rule for the IP range that will not be transparent. Say 192.168.1.128-254 will not be transparent and 192.168.1.1-127 will be transparent. Create a NAT rule: check no redirect, proto TCP, source network 192.168.1.128 subnet 25 (that will be 192.168.1.128-254), destination any, port 443, description "no transparent 192.168.1.128".
            Note you can also use an alias for the source. Create a list of the ranges you want to disable the HTTPS transparent proxy for, then in the NAT rule use single and put the alias name.

            Or make a list of IPs that will be transparent. In this case check the invert box of the source, so all sources that are not in the list will not be transparent.

            • G
              genesislubrigas

              I am confused by "create a rule for ip range that will not be transparent. say 192.168.1.128-254 will not be transparent and 192.168.1.1 - 127".

              I don't understand how you make a rule for an IP range to be transparent or not. Can you kindly make it easier for me? Thanks for replying.

              • C
                chris4916

                Transparent proxy will definitely NOT work unless you configure SSL-Bump (AKA MITM).
                This is the starting point.
                Then, as transparent proxy works by redirecting (transparently) the flow at the default gateway level toward the proxy listener interface, the goal is to add some rules to not redirect the IP range you don't want to be redirected and to redirect only what you want.

                Be aware that enabling SSL-Bump is not as transparent as you may think, especially because it breaks the HTTPS tunnel.  :-\

                Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

                • K
                  Kababayan

                  OP wants to know how to make only selected IPs transparent. SSL bump is already added in the new Squid config, including this one: ssl_bump server-first all.

                  Yes, he can add the source addresses to not proxy, using an alias, on the Bypass Proxy for These Source IPs if he does not want to use the NAT. It will be added in the NAT eventually. But if you want to enable HTTP for all clients while only selected clients will have HTTPS transparent, to avoid certificate confusion, then use the NAT posted above. Use destination port 443 to not redirect if not a selected client.

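The NAT approach described in the replies above can be checked offline before touching the firewall. This is an added example, not code from the thread or from pfSense: it models the rules as a first-match list, and the names `NatRule`, `evaluate`, the rule lists and the proxy ports 3128/3129 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed Squid intercept ports; use the ports your proxy actually listens on.
PROXY_HTTP, PROXY_HTTPS = 3128, 3129
ANY = ["0.0.0.0/0"]

@dataclass
class NatRule:
    sources: List[str]                 # CIDR strings; an alias is a list of these
    dport: int                         # destination port the rule applies to
    redirect_to: Optional[int] = None  # None models the "no redirect" checkbox
    invert: bool = False               # models the "invert" box on the source

    def matches(self, src: str, dport: int) -> bool:
        ip = ipaddress.ip_address(src)
        in_list = any(ip in ipaddress.ip_network(n) for n in self.sources)
        return dport == self.dport and (in_list != self.invert)

def evaluate(rules: List[NatRule], src: str, dport: int) -> Optional[int]:
    """Return the proxy port the flow is redirected to, or None if it goes direct.
    The first matching rule decides, so exemptions must sit above the redirects."""
    for rule in rules:
        if rule.matches(src, dport):
            return rule.redirect_to
    return None

REDIRECTS = [NatRule(ANY, 443, PROXY_HTTPS), NatRule(ANY, 80, PROXY_HTTP)]

# Variant A (first reply): exempt the public range 192.168.1.128/25 from HTTPS.
exempt_public = [NatRule(["192.168.1.128/25"], 443)] + REDIRECTS

# Variant B (invert box): list the employees, exempt every source NOT in the list.
employees_only = [NatRule(["192.168.1.0/25"], 443, invert=True)] + REDIRECTS

# Failure mode: the exemption placed below the redirect never matches.
misordered = REDIRECTS + [NatRule(["192.168.1.128/25"], 443)]

if __name__ == "__main__":
    # Constructed sample clients: an employee, a public user, an unlisted subnet.
    for name, rules in [("A", exempt_public), ("B", employees_only),
                        ("misordered", misordered)]:
        for src in ("192.168.1.10", "192.168.1.200", "10.0.0.5"):
            print(name, src, "443 ->", evaluate(rules, src, 443),
                  "| 80 ->", evaluate(rules, src, 80))
```

The two variants differ for sources nobody listed: variant A still intercepts HTTPS from an unlisted subnet, while variant B leaves it direct.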
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.