Re: [squid-users] Transparent proxying of https

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 02 Dec 2010 20:16:53 +1300

On 02/12/10 17:17, Alex King wrote:
> I'm wanting to know whether this is a capability of squid, or if anyone
> knows another FOSS product that can do it.
>
> The scenario:
>
> I have an upstream firewall and proxy that I do not control, and the
> only access to the internet is via the proxy, which uses proxy basic
> authentication (and is probably running squid).
>
> I am running my own copy of squid on the network, passing through proxy
> authentication credentials to the upstream proxy.
>
> Some devices (android phones mostly) on the local network don't have a
> facility to specify a proxy server. For these devices, I intercept the
> http traffic at my squid box and send it to the upstream proxy with
> squid supplying a generic proxy password to the upstream proxy.

Check if IPv6 traffic is placed under such harsh limits as IPv4 on your
network. I have clients using Android which use IPv6 when their IPv4 is
blocked.

If you are lucky they will have new enough Android versions which, rumour
has it, support zero-conf WPAD/PAC instead of manual configuration.

>
> The upstream proxy is represented by two different cache_peer lines in
> the config; the one used is selected by ACLs.
>
> This all works very well for http. However, I would like to do the same
> for https traffic. This should be quite doable, but as far as I can
> tell squid can't do this?
>
> HTTPS traffic could be intercepted by iptables and sent to a port on
> which squid listens. Squid can find the original intended destination IP
> via a syscall, then supply the generic password to the upstream proxy
> and use a CONNECT to connect through to that address. Squid would not
> need to be "in the middle" and deal with decryption/encryption, it would
> simply pass through the data as it does when set as an https proxy in
> the normal case.

Interesting. That might actually be doable. As long as there is
absolutely zero touching of the internal encrypted traffic.

My experience with SSL indicates that the IPs and maybe even the TCP
ports are included in the actual transfer though, so there may be
problems when the upstream proxy IP connects to the server with an
(encrypted) client certificate containing the clients real IP.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.3
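The relay Alex describes, written out as an added example (this is not squid code and not something either poster supplied): the gateway REDIRECTs intercepted port-443 connections to a local listener, the listener recovers the client's real destination with the SO_ORIGINAL_DST getsockopt (the "syscall" mentioned above), sends a CONNECT with Basic credentials to the upstream proxy, and then copies bytes in both directions without looking at them. The listen port 3130, the upstream address 192.0.2.10:3128, the generic account and the iptables rule in the docstring are all assumptions; it needs Linux for SO_ORIGINAL_DST.

```python
"""Transparent HTTPS interception relayed through an authenticating upstream proxy.

Added example, not squid code.  Assumes Linux and a gateway rule such as
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3130
plus an upstream proxy that accepts CONNECT with Proxy-Authorization: Basic.
The upstream address and the generic credentials below are placeholders.
"""
import base64
import select
import socket
import struct
import threading

SO_ORIGINAL_DST = 80                      # from linux/netfilter_ipv4.h (Linux only)
LISTEN_PORT = 3130                        # assumed: target of the REDIRECT rule
UPSTREAM = ("192.0.2.10", 3128)           # assumed upstream proxy (RFC 5737 address)
GENERIC_CREDENTIALS = ("generic", "changeme")   # assumed generic proxy account


def parse_original_dst(raw):
    """Decode the 16-byte sockaddr_in that SO_ORIGINAL_DST returns."""
    if len(raw) != 16:
        raise ValueError("expected a 16-byte sockaddr_in")
    # skip sin_family (2 bytes), read sin_port (network order) and sin_addr, skip sin_zero
    port, addr = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(addr), port


def original_destination(sock):
    """The address the client actually dialled, before the NAT REDIRECT rewrote it."""
    return parse_original_dst(sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def build_connect_request(host, port, username, password):
    """CONNECT request carrying the generic credentials for the upstream proxy."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"Proxy-Authorization: Basic {cred}\r\n"
        "\r\n"
    ).encode()


def parse_connect_response(data):
    """Return (status, leftover); leftover bytes past the header already belong to the tunnel."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete response header")
    status_line = data[:end].split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line")
    return int(parts[1]), data[end + 4:]


def read_connect_response(sock):
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("upstream closed before answering CONNECT")
        buf += chunk
        if len(buf) > 65536:
            raise ValueError("oversized CONNECT response header")
    return parse_connect_response(buf)


def pump(a, b):
    """Copy bytes both ways until one side closes. The TLS payload is never inspected."""
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for s in readable:
            data = s.recv(65536)
            if not data:
                return
            (b if s is a else a).sendall(data)


def handle_client(client):
    try:
        host, port = original_destination(client)
        upstream = socket.create_connection(UPSTREAM)
        try:
            upstream.sendall(build_connect_request(host, port, *GENERIC_CREDENTIALS))
            status, leftover = read_connect_response(upstream)
            if status != 200:
                return                      # e.g. 407: generic account rejected, nothing to relay
            if leftover:
                client.sendall(leftover)
            pump(client, upstream)
        finally:
            upstream.close()
    except (OSError, ValueError):
        pass
    finally:
        client.close()


def serve(port=LISTEN_PORT):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(128)
    while True:
        client, _ = srv.accept()
        threading.Thread(target=handle_client, args=(client,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two things worth checking before relying on this in place of squid: the upstream proxy will see the CONNECT's destination as `host:port` with a bare IP, since an intercepted TCP connection gives you no hostname, so an upstream ACL that wants names will reject it; and a non-200 answer (typically 407 if the generic account is refused) simply closes the client's connection, which the phone reports as a generic TLS failure.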
Received on Thu Dec 02 2010 - 07:16:58 MST