Squid routing SSL traffic - linux

Good day,
I have a setup in which I am routing my received packets at my Mikrotik router to a squid server.
I also can see the incoming traffic with Tcpdump that it is actually ariving # the correct port (443) on Squid Proxy server.
On the next step I have
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 10.0.2.51:3127
(that is all I have on iptable rules)
Which routes the received 443 traffic to port 3127 which is my squid SSL port.
I am getting page not found error on my browser.
Now I know that my Squid is setup correctly, because when I input the proxy server adress manually 10.0.2.51:3127 for SSL in the Mozilla browser all is working great, all SSL pages are logged with SSLbump.
Could someone please help with figuring out why this isn't working correctly, I am quite new to proxies?

You are DNATing packets going to the proxy.
But are you SNATing the packets coming back from the proxy ?

Related

Open ports only on specific domains

I am looking for the right command to open ports only to specific domains. The domain and its subdomain, go to the same server (CentOS)
However, for security reasons, I only want to open the posts on specific subdomains.
On the other domains the ports should not be reachable, so the ftp port 21 should only be open on ftp.domain.com and not on e.g. ssh.domain.com or mysql.domain.com
So I want to block everything (exclude port 80 and 443) and only allow specific ports to specific domains.
example
21 on ftp.domain.com
22 on ssh.domain.com
3306 on mysql.domain.com
I know it should work with iptables, but unfortunately I have trouble finding the right command.
I have found this only but i will only accept incoming ports.
iptables -A OUTPUT -p udp --sport 53 -m string --string "google.com" --algo bm -j ACCEPT
Maybe you have a more elegant solution than iptables.
You can do this by using some reverse proxy server. The proxy server can filter the desired traffic to the actual service.
So how it will work is -
Let all your request come to reverse proxy server. eg. HAPROXY or nginx (both work at Layer 4 and 7)
Put a rule for the hostname in the proxy server config.
Forward the desired traffic to the actual host.

Redirect Port via iptables on AWS EC2 Ubuntu instance

I have a running AWS EC2 instance on an Ubuntu machine running a Nodejs server.
Everything works fine then opening the website via its public ip on port 3000 likes this:
http://XX.XXX.XXX.XXX:3000
Now I want to redirect all requests from port 80 to this port 3000 via iptables like described in this video: https://www.youtube.com/watch?v=WxhFq64FQzA via
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000.
Unfortunately I am getting this error: http://prntscr.com/lja6hx when opening the site like this: http://XX.XXX.XXX.XXX (without port 3000 specified)
P.S.: I'm not really sure if my approach is correct. I am open to other ways of achieving a redirect from port 80 (http) to port 3000
As #Vorsprung suggested I should use an Application Load Balancer. I did this but it's still not working. Here is my setup:
My Application Load Balancer Listener
The Target Group I'm forwarding to in my ALB
My hosted zone (I've added the alias for the ALB here)
Please let me know if something is missing
either use nginx see https://nodebb.readthedocs.io/en/latest/configuring/proxies/nginx.html
or
you are on AWS! Use an ALB.. see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancer-tutorials.html

Run node app with SSL on 443 port (on 80 is working)

It's my first time when I try configure a server running on Amazon EC2.
I figured out how run my node app on 80 port but now I'm trying to run on 443 port with Letsencrypt SSL. Before to work on 80 port I added
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3000
and
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 3000
and everything worked fine. But now after install Letsencrypt I try to do same thing but with 433 port instead 80 and it's not working.
Letsencrypt config automatically for me all files so now redirect from http to https is working fine and when my iptable is empty on https:// I see ubuntu default website. When I run lines mentioned above with 443 port app is still not working (browser can't even load anything). It's only working with http:/...:3000
I've added 443 port to Security Groups on EC2.
What I can do? Thanks.
You need to check your security group Inbound/Outbound rules, you need to see if port 443 is assigned to which host. A valid but dangerous configuration, just for testing, is allow everything on Inbound and Outbound, to see if its a problem on your Security Group.
Beyond that, you need to be sure if the binding port is listening. Are you using Amazon Linux?

imap.domain.com - how to forward to port?

I'm trying to make an imap server from scratch in node.js (primarily to learn about node.js and imap protocol).
How do I direct traffic from the imap subdomain (imap.mydomain.com) to port 143 on the server (where my server code is listening). I've updated iptables with this rule:
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
But it still doesn't work.
My DNS is like this:
A record - mydomain.com => 1.1.1.1 (my example ip address)
CNAME record - mail.mydomain.com => mydomain.com
mydomain.com redirects and is handled by apache. Could apache be overruling it? Maybe I need to add a host in /etc/hosts for the sub-domain?
Also, when doing telnet:
telnet 1.1.1.1 143
I get a "no route to host" error. So that tells me the route direct via the ip from the sub-domain doesn't work either...
I've checked out dovecot and postfix and it seems like they handle the port listening internally, so I couldn't see any clues from their install / config instructions.
It would be great if anyone could offer instructions on how to make sure the imap.mydomain.com subdomain properly forwards to the imap server.
Thanks!!!
There is no redirection or forwarding. IMAP is simply a different protocol than HTTP (i.e. "web") and to use IMAP the server has to listen on port 143 and the client has to connect to this port. Just look at the settings of your mail client.

Redirect a domain to a ip and port

I have a node.js server listening on port 4000
how can I redirect my domain name: www.mydomain.com to a ip and port? The domain provider only allows an ip address without a portnumber in the redirection field. If I do a URL redirect, then the name of my side is not shown.
Please let me know how can I redirect it to my domain?
121.12.12.123:4000 redirect to www.mydomain.com
HTTP requests usually come in on port 80. When you type in a domain and do not specify a port, it automatically connects to port 80. You have a few options. You can run your Node.js server as root and have it listen on port 80, but it's not recommended.
You can also setup a Nginx on port 80 and use it to reverse proxy requests to your Node.js process which is listening on port 4000, but this introduces another component in your stack to manage and introduces a little bit of overhead for each request.
The way I prefer to handle this is to setup a redirect in iptables (assuming you're using Linux).
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 4000
That will redirect all traffic from port 80 to port 4000, where you're listening Node.js process is.
That allows you to run your Node.js process as an unprivileged user, but still answer requests on port 80.
Once you've done that than you can simply point your domain to the IP address of the server and normal web requests should work. Just be sure you have port 80 open on any firewalls first.
try this code
var httpProxy = require('http-proxy');
httpProxy.createProxyServer({target:'http://localhost:4000'}).listen(80);

Resources