sniproxy

proxy doesn't proxy tls traffic

Open en1cc opened this issue 5 years ago • 1 comments

Hey folks, my proxy stage setup doesn't work at all. Can you please help me with what I've done wrong?

/etc/sniproxy.conf


    # sniproxy example configuration file
    # lines that start with # are comments
    # lines with only white space are ignored

    user daemon

    # PID file
    pidfile /var/run/sniproxy.pid

    error_log {
        # Log to the daemon syslog facility
        #syslog daemon

        # Alternatively we could log to file
        filename /var/log/sniproxy/sniproxy.log

        # Control the verbosity of the log
        priority notice
    }

    # blocks are delimited with {...}
    listen 80 {
        proto http
        table http_hosts
        source client

        access_log {
            filename /var/log/sniproxy/http_access.log
            priority notice
        }
    }

    listen 443 {
        proto tls
        table https_hosts

        access_log {
            filename /var/log/sniproxy/https_access.log
            priority notice
        }
    }

    # named tables are defined with the table directive
    table http_hosts {
        pb.domain.de        192.168.223.225
    }

    table https_hosts {
        pb.domain.de        192.168.223.225
    }

When I use curl now for testing with

    curl -v https://pb.domain.de/.well-known/test.txt

then I get

    * About to connect() to pb.domain.de port 443
    *   Trying 62.117.12.98... * connected
    * Connected to pb.domain.de (62.117.12.98) port 443
    * error setting certificate verify locations:
      CAfile: /usr/share/curl/curl-ca-bundle.crt
      CApath: none

    * Closing connection #0
    curl: (60) error setting certificate verify locations:
      CAfile: /usr/share/curl/curl-ca-bundle.crt
      CApath: none

    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). The default
     bundle is named curl-ca-bundle.crt; you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

And tail -f /var/log/sniproxy/*.log says:

    2020-10-27 21:57:13 [::ffff:213.22.37.226]:52621 -> [::ffff:192.168.223.220]:443 -> NONE [] 0/0 bytes tx 0/0 bytes rx 0.004 seconds

What's happening?

en1cc, Oct 27 '20 21:10

Original sniproxy.conf states:

    # Use "source client" to enable transparent proxy support. This requires
    # running sniproxy as root ("user root").

Are you trying to run it as a transparent proxy? If so, you need to run it as user root.

oldium, Nov 06 '20 19:11
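
Added example (not part of the issue thread and not sniproxy's own code): a small Python check for the condition the quoted sniproxy.conf comment describes, a `listen` block that sets `source client` while the `user` directive is not `root`. The function name, the embedded sample (constructed from the configuration in the question), and the choice to treat a missing `user` line as not root are assumptions of this example.

```python
# Constructed sample: the relevant directives from the configuration in the question.
SAMPLE_CONF = """\
user daemon

listen 80 {
    proto http
    table http_hosts
    source client   # transparent proxy support

    access_log {
        filename /var/log/sniproxy/http_access.log
    }
}

listen 443 {
    proto tls
    table https_hosts
}
"""


def check_transparent_proxy(conf_text):
    """Return (user, listeners_with_source_client, ok) for a sniproxy.conf text."""
    user = None
    stack = []    # headers of the blocks currently open, outermost first
    flagged = []  # arguments of listen blocks that contain "source client"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
        elif line.endswith("{"):
            stack.append(line[:-1].split())
        else:
            words = line.split()
            if not stack and words[0] == "user" and len(words) > 1:
                user = words[1]
            elif (len(stack) == 1 and stack[0][0] == "listen"
                  and words[:2] == ["source", "client"]):
                flagged.append(" ".join(stack[0][1:]))
    # Assumption of this example: no "user" directive counts as "not root".
    ok = not flagged or user == "root"
    return user, flagged, ok


if __name__ == "__main__":
    print(check_transparent_proxy(SAMPLE_CONF))
```

If transparent proxying is not wanted, removing `source client` from the listener clears the finding without running the daemon as root.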