Mikio Kishi wrote:
> Hi, Amos
> 
>> What exactly are you trying to achieve with this?
> 
> I'm really sorry... It's a little bit difficult to explain...
> The following gives more detail.
> 
>  -----------------------
>      The Internet
>         ---+------------
>            |
>  --------+-+-------------
>          |
>    +-----+-------+
>    |  squid      | (1)
>    |  (tcp/8080) |
>    +-----+-------+
>          |.2
>  --------+-+---------------- 10.0.0.0/24
>            |.1
>         +--+--+
>         |  R  |
>         +--+--+
>            |.1
>  -------+--+---------------- 192.168.0.0/24
>         |.2
>    +----+--------+
>    |  squid +    |
>    |    tproxy   | (2)
>    |  (tcp/8080) |
>    +----+--------+
>         |.2
>  -------+--+---------------- 192.168.1.0/24
>            |.3
>         +--+-----+
>         | client |
>         +--------+
> 
>  - The demand
>    - The client must use proxy(2) on tcp/8080
>      - by browser settings
>        HTTP  -> proxy(2) (192.168.1.2:8080)
>        HTTPS -> proxy(2) (192.168.1.2:8080)
>      - proxy(2) doesn't have to be "transparent"
>    - The proxy(2)'s parent proxy must be proxy(1)
>      using cache_peer
>    - Both proxy(1) and proxy(2) must record
>      "client original source address" in access log for security action
>          !!! It's most important !!!
> 
> I think that I have to use tproxy (not transparent)
> to achieve the above demands... what do you think?
Ah, you need the follow_x_forwarded_for feature on proxy(1).
proxy(2) will always be trying to set the X-Forwarded-For header indicating 
the client IP, which gets passed to proxy(1).
By enabling follow_x_forwarded_for and log_uses_indirect_ip, proxy(1) 
should log the original client IP.
http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/
http://www.squid-cache.org/Doc/config/log_uses_indirect_client/
Amos
> 
> Sincerely,
> --
> Mikio Kishi
> 
> On Thu, Apr 9, 2009 at 4:54 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> Mikio Kishi wrote:
>>> Hi, Amos
>>>
>>>> HTTPS encrypted traffic cannot be intercepted.
>>> Yes, I know that. But in this case it is not "transparent".
>>>
>>>>           (1)                     (2)
>>>>
>>>>            |                       |
>>>>  +------+   |     +------------+    |    +---------+
>>>>  |WWW   +---+     |            |    +----+ WWW     |
>>>>  |Client|.2 |   .1| squid      |.1  |  .2|  Server |
>>>>  +------+   +-----+   + tproxy +----+    |(tcp/443)|
>>>>            |     | (tcp/8080) |    |    |(tcp/80) |
>>>>            |     +------------+    |    +---------+
>>>>      192.168.0.0/24          10.0.0.0/24
>>>>
>>>>  (1) 192.168.0.2 ------>  192.168.0.1:8080
>>>>                                     ^^^^^
>>>>  (2) 192.168.0.2 ------>  10.0.0.2:443
>>>>                                   ^^^
>>> The only thing I'd like to do is "source address spoofing"
>>> using tproxy.
>>>
>>> Does that make sense ?
>> No. Squid is perfectly capable of making HTTPS links outbound without
>> tproxy. The far end only knows that some client connected.
>>
>> HTTPS cannot be spoofed, it's part of the security involved with the SSL
>> layer.
>>
>> What exactly are you trying to achieve with this?
>>
>> Amos
>> --
>> Please be using
>>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
>>  Current Beta Squid 3.1.0.6
>>
-- 
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.6

Received on Sun Apr 12 2009 - 03:25:23 MDT
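The configuration Amos describes, written out as an added example for the topology in Mikio's diagram; it is not part of the thread and not a fragment from either author's squid.conf. The directive names (cache_peer, never_direct, forwarded_for, follow_x_forwarded_for, log_uses_indirect_client, acl_uses_indirect_client, logformat, access_log) are real Squid directives; the linked documentation names the logging one log_uses_indirect_client. The addresses are taken from the diagram: proxy(1) is 10.0.0.2, proxy(2) is 192.168.0.2 towards proxy(1) and 192.168.1.2 towards the client. The log path and the logformat name xff are assumptions.

```conf
# ---- proxy(2): 192.168.0.2 / 192.168.1.2, the proxy the browsers point at ----
http_port 8080

# Send every request to proxy(1) as a parent peer and never go direct,
# so proxy(1) sees all client traffic.
cache_peer 10.0.0.2 parent 8080 0 no-query default
never_direct allow all

# Append the real client address to X-Forwarded-For on the way out.
# This is the default, it is shown here because proxy(1) depends on it.
forwarded_for on

# proxy(2) talks to the client directly, so its own access log already
# records the client's source address without any extra directive.


# ---- proxy(1): 10.0.0.2, the parent that must log the original client ----
http_port 8080

# Only the hop we control may vouch for the client address. proxy(1) sees
# proxy(2) arriving from 192.168.0.2 (routed via R), so that is the only
# source allowed to have its X-Forwarded-For believed.
acl proxy2 src 192.168.0.2
follow_x_forwarded_for allow proxy2
follow_x_forwarded_for deny all

# Use the indirect (X-Forwarded-For derived) client address in access.log
# and, optionally, in src ACL matching as well.
log_uses_indirect_client on
acl_uses_indirect_client on

# Log both the resolved client address (%>a, now the indirect client) and
# the raw header chain, so an analyst can see exactly what was trusted.
# The logformat name "xff" and the file path are assumptions.
logformat xff %ts.%03tu %>a "%{X-Forwarded-For}>h" %Ss/%03>Hs %rm %ru
access_log /var/log/squid/access.log xff
```

Two points for the security goal in the thread. First, the `deny all` line matters: Squid walks X-Forwarded-For from the right and stops at the first address that is not allowed, so a client that adds its own X-Forwarded-For value cannot change what proxy(1) logs, because proxy(2) is trusted, the entry proxy(2) appended (the real client) is taken, and that client address is itself not trusted so the walk ends before any client-supplied value. Second, in the Squid releases named in the signature (2.7 and 3.0/3.1) follow_x_forwarded_for was a build-time option (`--enable-follow-x-forwarded-for`); check `squid -v` on proxy(1) before relying on it.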
This archive was generated by hypermail 2.2.0 : Wed Apr 22 2009 - 12:00:02 MDT