dlundquist / sniproxy

Proxies incoming HTTP and TLS connections based on the hostname contained in the initial request of the TCP session.
BSD 2-Clause "Simplified" License

proxy doesn't proxy TLS traffic #365

Open en1cc opened 4 years ago

en1cc commented 4 years ago

Hey folks, my proxy stage setup doesn't work at all. Can you please help me with what I've done wrong?

/etc/sniproxy.conf


# sniproxy example configuration file
# lines that start with # are comments
# lines with only white space are ignored

user daemon

# PID file
pidfile /var/run/sniproxy.pid

error_log {
    # Log to the daemon syslog facility
    #syslog daemon

    # Alternatively we could log to file
    filename /var/log/sniproxy/sniproxy.log

    # Control the verbosity of the log
    priority notice
}

# blocks are delimited with {...}
listen 80 {
    proto http
    table http_hosts
    source client

    access_log {
        filename /var/log/sniproxy/http_access.log
        priority notice
    }
}

listen 443 {
    proto tls
    table https_hosts

    access_log {
        filename /var/log/sniproxy/https_access.log
        priority notice
    }
}

# named tables are defined with the table directive
table http_hosts {
    pb.domain.de        192.168.223.225
}

table https_hosts {
    pb.domain.de        192.168.223.225
}

When I use curl now for testing with

curl -v https://pb.domain.de/.well-known/test.txt

then i get

* About to connect() to pb.domain.de port 443
*   Trying 62.117.12.98... * connected
* Connected to pb.domain.de (62.117.12.98) port 443
* error setting certificate verify locations:
  CAfile: /usr/share/curl/curl-ca-bundle.crt
  CApath: none

* Closing connection #0
curl: (60) error setting certificate verify locations:
  CAfile: /usr/share/curl/curl-ca-bundle.crt
  CApath: none

More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

And tail -f /var/log/sniproxy/*.log says

2020-10-27 21:57:13 [::ffff:213.22.37.226]:52621 -> [::ffff:192.168.223.220]:443 -> NONE [] 0/0 bytes tx 0/0 bytes rx 0.004 seconds

What's happening?

oldium commented 4 years ago

Original sniproxy.conf states:

    # Use "source client" to enable transparent proxy support. This requires
    # running sniproxy as root ("user root").

Are you trying to run it as a transparent proxy? If so, you need to run it as user root.
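A configuration check for the point raised above, written in Python as an added example (it is not sniproxy's own code and did not appear in the issue): it parses the brace-delimited sniproxy.conf format and flags a listen block that uses source client while the user directive is not root, and also a listen block that references a table the file never defines. The sample config is constructed from the one posted in the issue.

```python
import shlex

# Constructed sample modelled on the issue's config: "user daemon" together
# with "source client" on the port-80 listener.
SAMPLE_CONF = """
user daemon
pidfile /var/run/sniproxy.pid
listen 80 {
    proto http
    table http_hosts
    source client       # transparent proxy: needs "user root"
}
listen 443 {
    proto tls
    table https_hosts
}
table http_hosts {
    pb.domain.de        192.168.223.225
}
table https_hosts {
    pb.domain.de        192.168.223.225
}
"""

def parse_conf(text):
    """Parse sniproxy's brace-delimited config into a tree of
    (name, args, children) tuples. '#' starts a comment."""
    root, stack = [], []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        opens = line.endswith("{")
        words = shlex.split(line.rstrip("{").strip())
        node = (words[0], words[1:], [])
        stack[-1].append(node)
        if opens:
            stack.append(node[2])       # descend into the new block
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root

def lint_conf(tree):
    """Return human-readable findings for the two misconfigurations."""
    findings = []
    user = next((a[0] for n, a, _ in tree if n == "user" and a), None)
    tables = {a[0] for n, a, _ in tree if n == "table" and a}
    for name, args, children in tree:
        if name != "listen":
            continue
        where = "listen " + " ".join(args)
        for cname, cargs, _ in children:
            if cname == "source" and cargs == ["client"] and user != "root":
                findings.append(f"{where}: 'source client' requires 'user root' (found user {user!r})")
            if cname == "table" and cargs and cargs[0] not in tables:
                findings.append(f"{where}: references undefined table {cargs[0]!r}")
    return findings
```

Running lint_conf(parse_conf(SAMPLE_CONF)) reports the port-80 listener; changing the directive to user root clears it.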