Re: [squid-users] CONNECT method support(for https) using squid3.1.0.6 + tproxy4

From: Mikio Kishi <mkishi_at_104.net>
Date: Thu, 9 Apr 2009 13:15:21 +0900

Hi, Amos

>HTTPS encrypted traffic cannot be intercepted.

Yes, I know that. but, in this case, not "transparent".

>             (1)                     (2)
>
>              |                       |
>   +------+   |     +------------+    |    +---------+
>   |WWW   +---+     |            |    +----+ WWW     |
>   |Client|.2 |   .1| squid      |.1  |  .2|  Server |
>   +------+   +-----+   + tproxy +----+    |(tcp/443)|
>              |     | (tcp/8080) |    |    |(tcp/80) |
>              |     +------------+    |    +---------+
>        192.168.0.0/24          10.0.0.0/24
>
>   (1) 192.168.0.2 ------>  192.168.0.1:8080
>                                       ^^^^^
>   (2) 192.168.0.2 ------>  10.0.0.2:443
>                                     ^^^

Just only thing I'd like to do is "source address spoofing"
using tproxy.

Does that make sense ?

Sincerely,

--
Mikio Kishi

On Thu, Apr 9, 2009 at 10:52 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> Hi, all
>>
>> Now, I evaluate the squid3.1.0.6 + tproxy4 environment like the
>> following network.
>>
>>             (1)                     (2)
>>
>>              |                       |
>>   +------+   |     +------------+    |    +---------+
>>   |WWW   +---+     |            |    +----+ WWW     |
>>   |Client|.2 |   .1| squid      |.1  |  .2|  Server |
>>   +------+   +-----+   + tproxy +----+    |(tcp/443)|
>>              |     | (tcp/8080) |    |    |(tcp/80) |
>>              |     +------------+    |    +---------+
>>        192.168.0.0/24          10.0.0.0/24
>>
>>   (1) 192.168.0.2 ------>  192.168.0.1:8080
>>   (2) 192.168.0.2 ------>  10.0.0.2:80
>>
>> HTTP communication is completely OK !
>> but in HTTPS(using CONNECT method) case
>>
>>   (1) 192.168.0.2 ------>  192.168.0.1:8080
>>   (2) 192.168.0.2 ------>  10.0.0.2:443
>>                                     ^^^^
>> the following error occurred.
>>
>>> commBind: Cannot bind socket FD 12 to 192.168.0.2: (99) Cannot
>>>           assign requested address
>>
>> I think that tunnelStart()#tunnel.cc don't support "COMM_TRANSPARENT"
>>
>>> tunnelStart(ClientHttpRequest * http, int64_t * size_ptr, int*
>>> status_ptr)
>>> {
>>>  ... snip ...
>>>    sock = comm_openex(SOCK_STREAM,
>>>                       IPPROTO_TCP,
>>>                       temp,
>>>                       COMM_NONBLOCKING,  // need COMM_TRANSPARENT
>>>                       getOutgoingTOS(request),
>>>                       url);
>>>  ... snip ...
>>
>> What do you think ?
>
> HTTPS encrypted traffic cannot be intercepted.
>
> Amos
>
>
>
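The bind failure quoted in this thread comes down to one Linux socket option. The following is an added C example (not Squid's code, and not written by either poster) that binds an outgoing TCP socket to a non-local address the way a tproxy proxy does to keep the client's source address, once without and once with IP_TRANSPARENT, the option Squid sets on Linux when a socket is opened with COMM_TRANSPARENT. The address 203.0.113.7 used in the test is a constructed documentation address that is never local.

```c
/* Added example (not Squid's code): why an outgoing socket bound to the
 * client's address needs IP_TRANSPARENT, the Linux option that Squid's
 * COMM_TRANSPARENT flag turns on. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* value from <linux/in.h> */
#endif

/* Open a TCP socket and bind it to spoof_ip, as a tproxy proxy does to keep
 * the client's source address on the server side.  With transparent != 0,
 * IP_TRANSPARENT is set before bind().  Returns the fd, or -errno on error. */
int open_spoofed_socket(const char *spoof_ip, int transparent)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = 0;                         /* any local port */
    if (inet_pton(AF_INET, spoof_ip, &sa.sin_addr) != 1)
        return -EINVAL;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    if (transparent) {
        int one = 1;
        /* Requires CAP_NET_ADMIN; unprivileged callers get EPERM here. */
        if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) < 0) {
            int err = errno; close(fd); return -err;
        }
    }
    /* Without IP_TRANSPARENT the kernel rejects a non-local address with
     * EADDRNOTAVAIL (99), the "Cannot assign requested address" in the log. */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int err = errno; close(fd); return -err;
    }
    return fd;
}
```

Calling open_spoofed_socket("203.0.113.7", 0) returns -EADDRNOTAVAIL, the same (99) that commBind logs above; with transparent set to 1 the bind succeeds only when the process holds CAP_NET_ADMIN, which is the condition tunnelStart() would have to satisfy as well.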
Received on Thu Apr 09 2009 - 04:15:27 MDT

This archive was generated by hypermail 2.2.0 : Thu Apr 09 2009 - 12:00:02 MDT