Re: [squid-users] https to http translation

From: purgat <purgatio_at_gmail.com>
Date: Mon, 13 Dec 2010 22:23:48 +0330

This definitely is too complicated for me. Getting all these working
together doesn't seem an easy task for someone who has never used any
of these for anything before. From what I could understand from your
diagram and explanation, I would say this is an option that works as I
need but that's it.
I'll try to see if I can find easier options. I am starting to think I
need to spend a few months and loads of caffeine to write something
myself (though it is sort of life/death scenario involved, and time
matters so much).
Options are running out fast...
:(

On Mon, 2010-12-13 at 13:20 +0300, Peter Vereshagin wrote:
> You know St. Peter won't call my name, purgat!
> 2010/12/13 00:20:23 +0330 purgat <purgatio_at_gmail.com> => To squid-users_at_squid-cache.org :
> p> On Sun, 2010-12-12 at 14:19 -0600, Luis Daniel Lucio Quiroz wrote:
> p> > On Sunday 12 December 2010 11:00:43, guest01 wrote:
> p> > > Maybe not exactly what you are looking for, but have you thought of
> p> > > using IPSec? You could deploy IPSec and encrypt every connection from
> p> > > your clients to the Proxy.
> p> > > I don't know what you are trying to achieve, but if your objective is
> p> > > to encrypt connections from the Clients to the proxy, IPSec would be
> p> > > perfectly transparent and scalable.
> p> > >
> p> > > On Sunday, December 12, 2010, purgat <purgatio_at_gmail.com> wrote:
> p> > > > Hi
> p> > > > I have seen similar discussions in the list in the past but none exactly
> p> > > > answers my question.
> p> > > > This is the setup I am looking for:
> p> > > > a server somewhere out there runs one or more instances of squid.
> p> > > > user at home sets up the browser to use the proxy.
> p> > > > whenever user puts an address in their browser address bar, request, is
> p> > > > encrypted with ssl and sent to squid. Instances (if more than one is
> p> > > > necessary) of squid then request the page through normal http from the
> p> > > > Internet and send the response through ssl back to the client.
> p> > > > Unfortunately the answers I have seen to this question in past seem to
> p> > > > ignore the fact that the user may want to use different websites. I
> p> > > > don't want just a couple of addresses to be accelerated by squid and
> p> > > > sent through ssl. What I am looking for is not a normal reverse proxy,
> p> > > > glorified with ssl. Unfortunately there is no example of such a setup in
> p> > > > wiki though I know a lot of people would want this set up for securing
> p> > > > data in their unsecure local network. The explanations on the web about
> p> > > > how to set this up come short of explaining a lot of things about an
> p> > > > already complex matter.
> p> > > > Is Squid able to help me with this?
> p> > > > By the way... ssh tunnelling is not an option for me.
> p> > > >
> p> > > > Regards
> p> > > > purgat
> p> > As far as I know, this is impossible with squid
> p> > but there is a mod_ for apache that does that, just look for it
> p> >
> p> > LD
> p>
> p> Thanks for the info. I'll check that mod.
> p> Anyone else can confirm this?
>
> I don't know what apache's particular module is this about.
> I can confirm I use the fcgiproxy, the fastcgi'zed CGIProxy in the how I named
> it the transparent mode. The diagram is as follows:
>
> http://gitweb.vereshagin.org/fcgiproxy/blob_plain/HEAD:/doc/fcgiproxy-06.png
>
> This means that having ssl enabled on a hosting you can use any of your url,
> say, scheme://host.tld/path?params into this:
>
> https://your.ssl.host/yourpath/scheme/host.tld/path?params
>
> Furthermore, I convert any of the URLs I ask in my browser into this url by
> mean of somewhat complicated stuff which involves ( optionally privoxy ) squid
> with URL rewrite, 3proxy is only used for its fake_resolve feature, and nginx
> with URL rewrite, again. URL is being rewritten only once: in a squid for http
> urls and inside the nginx for https urls.
> I use it because I hate any of my ISPs to know what I use to google out about
> and what pictures I see. As a fact, I have much more multiple choice about SSL
> hosting with a Perl.
> The main disadvantage of such an approach is that I can't verify certificate of
> a site to be visited ( by means of a perl on a hosting, it's a code yet to be
> written as well as certificates manager, including exceptions, saved x.509
> certificates and many more stuff like basic auth and content filters ) AND the
> certificate of the fcgiproxy's web server as well ( nginx is not able yet to
> check the https uplinks' certificates by CAs or any other way, Russian
> explanation is: http://forum.nginx.org/read.php?21,83157,85692#msg-85692 ).
> I think such a stuff can be useful not only for a personal use to satisfy a
> suspicion, but for a corporate environment, too. At the least you can use the
> web-served fcgiproxy part on a corporate proxy side and the client side,
> currently implemented by means of squid, 3proxy and an nginx proxy, to avoid
> information leaks and a viruses spyware including the contents of the bypassing
> https, too.
> Commercially I see the service as an anonymizer with commercials on a sidebar.
> Client side setup is still a complication yet, but it can be implemented as a
> system-tray application or standalone system service since its only intention
> is to rewrite the URL as it is mentioned above. I have no idea if such a thing
> can be made as a browser plugin but it's obvious to try with a javascript in
> hand.
> Also, things like that may happen to be possible without anything other than
> just squid, but not with versions older than 2+years from now.
>
> 73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)
> --
> http://vereshagin.org
Received on Mon Dec 13 2010 - 18:54:00 MST
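
The URL mapping described in the quoted message (scheme://host.tld/path?params becoming https://your.ssl.host/yourpath/scheme/host.tld/path?params), written out as an added example; it is not code from the thread or from fcgiproxy. The gateway prefix is the placeholder from the message, the function names are hypothetical, and the request-line format (URL as the first whitespace-separated field, empty reply meaning "no change") is an assumption about the proxy's rewrite-helper interface.

```python
import sys
from urllib.parse import urlsplit

# Placeholder gateway prefix, copied from the URL pattern quoted in the thread.
GATEWAY = "https://your.ssl.host/yourpath"
SCHEMES = ("http", "https")

def to_gateway(url, gateway=GATEWAY):
    """scheme://host.tld/path?params -> <gateway>/scheme/host.tld/path?params"""
    if url.startswith(gateway + "/"):
        return url  # already mapped: the thread rewrites each URL only once
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SCHEMES or not parts.hostname:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    if "@" in parts.netloc:
        raise ValueError("refusing to copy userinfo into the gateway path")
    mapped = "%s/%s/%s%s" % (gateway, scheme, parts.netloc, parts.path or "/")
    return mapped + ("?" + parts.query if parts.query else "")

def from_gateway(url, gateway=GATEWAY):
    """Inverse mapping, as the gateway side would need to recover the target."""
    prefix = gateway + "/"
    if not url.startswith(prefix):
        raise ValueError("not a gateway URL: %r" % url)
    scheme, sep, rest = url[len(prefix):].partition("/")
    if scheme not in SCHEMES or not sep or not rest or rest.startswith("/"):
        raise ValueError("malformed gateway URL: %r" % url)
    return "%s://%s" % (scheme, rest)

def rewrite_line(line):
    """One helper reply: the first field of the request line is the URL.
    An empty reply means "leave unchanged" (assumed classic helper protocol)."""
    fields = line.split()
    try:
        return to_gateway(fields[0]) if fields else ""
    except ValueError:
        return ""  # e.g. CONNECT "host:443" requests are not rewritten here

if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(rewrite_line(request) + "\n")
        sys.stdout.flush()  # the proxy waits on each answer, so never buffer
```
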

This archive was generated by hypermail 2.2.0 : Tue Dec 14 2010 - 12:00:03 MST