Re: [squid-users] Why use Transparent Proxy?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 11 Jun 2002 20:03:23 +0200

Robert Adkins wrote:

> 1. If the gateway/proxy is the only machine to access the internet and
> it doesn't forward any internal IP traffic to the internet, do any SSL
> connections work through the proxy? (This server is not a NAT or IP
> Masquerading server, it simply sits on a network with two NICs, one
> attached to the internet, one attached to the extranet and disallowing
> all traffic to run between the two NICs.)

If the box just sits there, is not running a proxy, there is no NAT or
Masquerading, and it is not forwarding (as one side is using private
addresses, and you are not masquerading), then nothing makes it through.
SSL included.

If the box is forwarding IP traffic and running a transparent HTTP
proxy, then only HTTP will be intercepted by the proxy, the rest will be
forwarded as usual. Such setups where one side is using private
addresses almost certainly also run NAT / Masquerading. SSL is not HTTP
so it falls into the category "the rest".

> 2. If the SSL connections still work, but "lose" the SSL component, is
> setting up a transparent proxy with squid really worth it? (I mean what
> happens when the boss has his/her banking account opened up by someone
> listening to your internet connected server?)

SSL is endpoint-to-endpoint. All the proxy or routers see is garbage and
the certificate of the server talked to.

It is possible, by installing a fake root certificate in your browser, to
use an SSL intercepting proxy, but such setups are only recommendable when
you must do what is described above (inspect your boss's banking account
when he does online banking, on the orders of your boss).

> 3. Would it not be wiser and much more secure to simply spend the 30 to
> 45 seconds each, that it would take one to configure something like 15 to
> 30 workstations, if a Domain Controller is unavailable? (If you have more
> than 10 workstations, a site really should consider some kind of
> centrally controlled DC or NIS+ Running Server.)

Proxy settings can also be configured using DHCP in some cases (WPAD).

Having the proxy settings configured is always recommended in favor of
"transparent" solutions. There are a number of subtle problems with
"transparent" HTTP proxying. Not the problems with SSL you are worried
about, however, but more in the area of TCP/IP disturbance, some odd
applications using port 80 for other purposes than HTTP, and HTTP
servers using other ports than 80.

Regards
Henrik
Received on Tue Jun 11 2002 - 12:01:36 MDT
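The explicit-configuration alternative Henrik recommends (proxy settings pushed to browsers via WPAD) is delivered as a PAC file: a JavaScript `FindProxyForURL(url, host)` function that the browser evaluates per request. The block below is an added example for this archive page, not code from the thread or from Squid. Browsers provide the helper functions (`dnsDomainIs`, `isPlainHostName`, `shExpMatch`, `isInNet`); they are re-implemented here in simplified form (`isInNet` accepts literal IPv4 addresses only, no DNS lookups) so the file can be exercised stand-alone with node. The proxy hostname `proxy.example.internal:3128`, the domain `.example.internal` and the private address ranges are assumptions for illustration. It also shows two things interception cannot do: send `http://host:8080/` through the proxy, and relay `https://` via CONNECT without ever decrypting it.

```javascript
// Added example: a WPAD/PAC file as the explicit alternative to transparent
// interception. Not from the original thread; names below are assumptions.

// --- simplified stand-ins for the PAC helpers a browser normally supplies ---
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, shexp) {
  // shell glob -> regex: escape regex metacharacters, then * -> .* and ? -> .
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d+$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
function isInNet(host, pattern, mask) {
  // A real browser resolves host via DNS here; this stand-in only accepts
  // a literal dotted-quad, so a hostname simply does not match any range.
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// --- the PAC policy itself -----------------------------------------------
var PROXY = "PROXY proxy.example.internal:3128";  // assumed proxy name/port

function FindProxyForURL(url, host) {
  // 1. Intranet destinations never go to the proxy.
  if (isPlainHostName(host) ||
      host === "localhost" || host === "127.0.0.1" ||
      dnsDomainIs(host, ".example.internal") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // 2. Every http:// URL goes to the proxy regardless of TCP port. A
  //    transparent redirect of port 80 would miss http://host:8080/.
  if (shExpMatch(url, "http:*")) return PROXY;
  // 3. https:// also goes to the proxy, but the browser issues CONNECT and
  //    the proxy relays ciphertext only; it sees nothing but the tunnel and
  //    cannot read the session without an installed fake root certificate.
  if (shExpMatch(url, "https:*")) return PROXY;
  // 4. No "; DIRECT" fallback above: on a gateway that does not forward IP
  //    traffic a direct attempt cannot succeed anyway, and where forwarding
  //    exists the fallback would let requests slip past the proxy.
  return "DIRECT";
}

// Stand-alone demo when run directly with node (the PAC engine ignores this).
if (typeof require !== "undefined" && require.main === module) {
  ["http://www.squid-cache.org/", "http://www.example.com:8080/",
   "https://bank.example.com/", "http://intranet/", "http://10.1.2.3/"]
    .forEach(function (u) {
      var h = u.split("/")[2].split(":")[0];
      console.log(u, "->", FindProxyForURL(u, h));
    });
}
```

Serve the file as `wpad.dat` with MIME type `application/x-ns-proxy-autoconfig` from the host that DHCP option 252 or the `wpad.<domain>` DNS name points at, and keep that host under the same control as the proxy: whoever can answer the WPAD lookup chooses where every browser sends its traffic.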
