Setup a secure web proxy using SSL encryption

Hi All,

I followed the steps in this tutorial:

http://www.jeffyestrumskas.com/index.php/how-to-setup-a-secure-web-proxy-using-ssl-encryption-squid-caching-proxy-and-pam-authentication/

on how to configure a connection to squid through stunnel, but I'm using CentOS 5 and the iptables line doesn't work, and neither does chown nobody.nobody /var/run/stunnel.

Does anyone have any idea? I only get a white screen when I try to connect.

Here is the log of the stunnel client:

2011.04.09 00:58:55 LOG5[7148:6052]: Service proxy accepted connection from 127.0.0.1:63142
2011.04.09 00:58:55 LOG3[7148:6052]: SSL_accept: 1407609C: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
2011.04.09 00:58:55 LOG5[7148:6052]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
luis_chiangAsked:

BlazCommented:
> -A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 8080 -j ACCEPT

This is a valid iptables command - the chain "RH-Firewall-1-INPUT" is non-standard but should be available in CentOS unless you have configured custom rules and chains - in that case replace only the chain part of the rule. What error does it report?

> chown nobody.nobody /var/run/stunnel

Again this is a valid command in CentOS (works for me). What error does it report?
luis_chiangAuthor Commented:
Hi,

thanks for your reply, here is the output:

[root@xs1 ~]# iptables -A RH-Firewall-1-INPUT -m state -state NEW -m tcp -p tcp -dport 8080 -j ACCEPT
Bad argument `NEW'
Try `iptables -h' or 'iptables --help' for more information.

and if I write it in the file I get:

[root@xs1 ~]# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: nat mangle filter         [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules: iptables-restore: line 1 failed
                                                           [FAILED]

And my iptables file is:

[root@xs1 ~]# more /etc/sysconfig/iptables
ACCEPT
# Generated by webmin
*filter
-A INPUT -p udp -m udp --dport ftp-data -j ACCEPT
-A INPUT -p udp -m udp --dport ftp -j ACCEPT
-A INPUT -p udp -m udp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport https -j ACCEPT
-A INPUT -p tcp -m tcp --dport http -j ACCEPT
-A INPUT -p tcp -m tcp --dport imaps -j ACCEPT
-A INPUT -p tcp -m tcp --dport imap -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3s -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
COMMIT
# Completed
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
BlazCommented:
Two things:
- you are missing a double hyphen in front of state NEW: "--state NEW"

- you don't have default chains (webmin changed them) - you should use INPUT chain instead of RH-Firewall-1-INPUT, so:
iptables -A INPUT -m state --state NEW -m tcp -p tcp -dport 8080 -j ACCEPT

You might try to add this rule via webmin - to make sure it will not be deleted in the future. You must only set tcp, port 8080. The state NEW part of the rule is not so important.
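As an added example (not code from this thread or the tutorial), a small POSIX shell lint for an iptables-save style file that catches, before "service iptables restart" reports "iptables-restore: line 1 failed", the three problems visible in the posts above: a line that is not a table, chain, rule, comment or COMMIT (the stray ACCEPT on line 1 of the posted file), a rule naming a chain that is neither built in nor declared with a ":" line in its table (RH-Firewall-1-INPUT), and single-dash long options such as -state and -dport. SAMPLE_RULES is a constructed, trimmed copy of the posted file, and lint_iptables_file / lint_sample are names chosen here.

```shell
#!/bin/sh
# Constructed sample: trimmed copy of the posted /etc/sysconfig/iptables, with the
# stray first line kept and the 8080 rule typed the way it was typed on the shell.
SAMPLE_RULES='ACCEPT
# Generated by webmin
*filter
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A RH-Firewall-1-INPUT -m state -state NEW -m tcp -p tcp -dport 8080 -j ACCEPT
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
COMMIT'

# lint_iptables_file FILE: print one diagnostic per problem (with the line number),
# exit 0 when the file looks loadable, 1 otherwise.
lint_iptables_file() {
  awk '
  BEGIN {
    # chains that exist in each table without a ":" declaration
    builtin["filter"] = "INPUT FORWARD OUTPUT"
    builtin["nat"]    = "PREROUTING OUTPUT POSTROUTING"
    builtin["mangle"] = "PREROUTING INPUT FORWARD OUTPUT POSTROUTING"
  }
  /^\*/ { table = substr($0, 2); next }                # *filter, *nat, ...
  /^:/  { sub(/^:/, ""); declared[table, $1] = 1; next } # :CHAIN POLICY [p:b]
  /^#/ || /^COMMIT$/ || /^$/ { next }
  /^-A / {
    if (table == "") { print NR ": rule before any *table line"; bad++ }
    chain = $2
    if (!((table, chain) in declared) &&
        index(" " builtin[table] " ", " " chain " ") == 0) {
      print NR ": chain " chain " is not built in or declared in table " table; bad++
    }
    # iptables short options are one letter; -state / -dport are typos for --state / --dport
    for (i = 1; i <= NF; i++) if ($i ~ /^-[A-Za-z][A-Za-z-]+$/) {
      print NR ": single-dash long option " $i " (did you mean -" $i "?)"; bad++
    }
    next
  }
  { print NR ": unrecognised line (not *table, :chain, -A rule, # or COMMIT): " $0; bad++ }
  END { exit bad ? 1 : 0 }
  ' "$1"
}

# lint_sample: run the lint over the constructed sample written to a temp file.
lint_sample() {
  tmp=$(mktemp) || return 1
  printf '%s\n' "$SAMPLE_RULES" > "$tmp"
  if lint_iptables_file "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

lint_sample || echo "fix the lines above before running: service iptables restart"
```

On a real box run lint_iptables_file /etc/sysconfig/iptables; it reports four findings for the sample (the stray ACCEPT, the undeclared chain, -state and -dport).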