Re: [squid-users] redirecting FTP and SSL

Hi Henrik,

what I don't understand is: where exactly is the difference between
transparent proxying and manually setting the proxy in the browser? Is that
a different type of request, or why does transparent proxying not work?

My problem is as follows: I have a Internet router/gateway, but want to
block things like KaZaa and other programs, so I only open port 80 and 443.
When I just NAT it, KaZaa and Co. can still be used, as they also hook on
port 80. However, they (yet?) cannot deal with proxies, so I can keep them
out by transparent proxying.

When I have to open port 443 for SSL connections, like webmail, I have a
hole in the network. Is there any good link you can provide me where to find
out more about possibilities of tunneling SSH (and that "transparent TCP
plug", which I never heard of :-)?

Thanks so much!
Florian

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Florian Effenberger" <floeff@arcor.de>
Cc: <squid-users@squid-cache.org>
Sent: Sunday, April 13, 2003 11:27 PM
Subject: Re: [squid-users] redirecting FTP and SSL

Florian Effenberger wrote:

> my HTTP connections get redirected to Squid (transparent proxying) with
>
> iptables -t nat -A PREROUTING -i $ETH_INTERNAL -s $LOCALNET -d !
> $LOCALNET -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> which works fine. However, I would like to automatically redirect FTP and
> SSL as well. Some said this works, some said, this does not work.

You can't, not with Squid at least.

Squid is a HTTP proxy. Neither SSL or FTP is HTTP and won't be
understood by Squid if you attempt to intercept these and redirect them
to Squid...

There is other proxies which may work for the purpose. For example FROX
is a FTP proxy which supposedly is capable of handling transparent
interception, and is also rumored to have some integration with Suqid
for caching.

For SSL you need a transparent TCP plug, but most use NAT instead..
(cheaper). SSL is never proxied, only tunelled. (SSL employs end-to-end
encryption and identification, which makes proxying impossible)

> What's true now? :-) Does it work with iptables, or do I have to use a
> proxy.pac File for the browsers to manually set the proxy server?

Strongly recommended for many reasons.

See WPAD for a simple way to simplify the browser configuration to use
proxy.pac..

Regards
Henrik

--
Free Squid-users support provided by Henrik Nordström
<hno@squid-cache.org>
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com