Re: [squid-users] can any transparent mode handle SSL and FTP for access control

From: Adrian Chadd <adrian@dont-contact.us>
Date: Tue, 12 Dec 2006 08:13:10 +0800

On Mon, Dec 11, 2006, Shaun Skillin (home) wrote:
> Thanks Adrian, I understand. Could you expand on "hacking up squid"?
> I have an immediate need for access control of all web requests,
> including SSL. I know that if I set it in the browser, squid handles

I'd implement in two parts - the first part, for the transparent, non parent
case, is to use a TCP tunnel between client and server. tproxy will ensure
that the client thinks it's talking direct to server and server talks directly
to client. There might be other stuff you can do for ACL matching on the
SSL stream before things get nastily encrypted (eg match on the negotiation
phase) but I haven't looked into it in that much depth.

The second part, as Henrik replied, is in the case of a parent proxy.
In this case it's not going to be end-to-end transparent anyway so you might
be able to get away with Squid issuing a CONNECT to the upstream proxy and
handing back the unencrypted data.

In both cases you'll only be able to build ACLs that use src/destination IP
(and stuff like time, etc.)

> all connections, including web, ssl, and ftp without a problem. So my
> real question is, if squid can (obviously) handle this traffic, can it
> be done in a transparent way instead of having to modify the browser. I
> think I need more education on how the packets are presented to squid in
> transparent vs. browser-based mode - browser-based sends everything via
> 3128, so squid gets it on port 3128 - couldn't I just do another NAT
> using iptables for this, and point 443 and 21 to 3128 as well as the
> current 80?

I've thought about transparently proxying FTP but it would require a little
bit of hackery to do it with WCCPv2 without breaking clients.

test-2(config)#wccp ?
  custom-web-cache Custom web caching service
  dns Caching Domain Name Service
  flow-redirect Redirect moved flows
  ftp Transparent FTP proxy caching service

Apparently the old cisco cache engines implemented -something- to do with
transparent FTP proxying but I've been concentrated on the web cache service
stuff.

I'd be happy to do the feasibility work required but I can't say if/when
I'm going to get a chance to implement this. Of course, if someone wanted to hire
myself or Henrik to implement it in a short period of time I'm sure one of us
could take care of it pretty quickly. It'd definitely help me finish off my
WCCPv2 test lab as mask assignment-capable switch routers aren't cheap and
I doubt anyone's going to donate one.. :)

Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
Received on Mon Dec 11 2006 - 17:11:34 MST
