Re: [squid-users] https to http translation

From: purgat <purgatio_at_gmail.com>
Date: Wed, 15 Dec 2010 16:44:58 +0330

On Tue, 2010-12-14 at 10:55 +0300, Peter Vereshagin wrote:
> Any time of year you can find me here purgat.
> 2010/12/13 22:23:48 +0330 purgat <purgatio_at_gmail.com> => To squid-users_at_squid-cache.org :
> p> This definitely is too complicated for me. Getting all these working
> p> together doesn't seem an easy task for someone who has never used any
> p> of these for anything before. From what I could understand from your
> p> diagram and explanation, I would say this is an option that works as I
> p> need but that's it.
> p> I'll try to see if I can find easier options. I am starting to think I
> p> need to spend a few months and loads of caffeine to write something
> p> myself (though it is sort of life/death scenario involved, and time
> p> matters so much).
> p> Options are running out fast...
> p> :(
> p>
> p>
> p> On Mon, 2010-12-13 at 13:20 +0300, Peter Vereshagin wrote:
> p> > You know St. Peter won't call my name, purgat!
> p> > 2010/12/13 00:20:23 +0330 purgat <purgatio_at_gmail.com> => To squid-users_at_squid-cache.org :
> p> > p> On Sun, 2010-12-12 at 14:19 -0600, Luis Daniel Lucio Quiroz wrote:
> p> > p> > On Sunday 12 December 2010 11:00:43, guest01 wrote:
> p> > p> > > Maybe not exactly what you are looking for, but have you thought of
> p> > p> > > using IPSec? You could deploy IPSec and encrypt every connection from
> p> > p> > > your clients to the Proxy.
> p> > p> > > I don't know what you are trying to achieve, but if your objective is
> p> > p> > > to encrypt connections from the Clients to the proxy, IPSec would be
> p> > p> > > perfectly transparent and scalable.
> p> > p> > >
> p> > p> > > On Sunday, December 12, 2010, purgat <purgatio_at_gmail.com> wrote:
> p> > p> > > > Hi
> p> > p> > > > I have seen similar discussions in the list in the past but none exactly
> p> > p> > > > answers my question.
> p> > p> > > > This is the setup I am looking for:
> p> > p> > > > a server somewhere out there runs one or more instances of squid.
> p> > p> > > > user at home sets up the browser to use the proxy.
> p> > p> > > > whenever user puts an address in their browser address bar, request, is
> p> > p> > > > encrypted with ssl and sent to squid. Instances (if more than one is
> p> > p> > > > necessary) of squid then request the page through normal http from the
> p> > p> > > > Internet and send the response through ssl back to the client.
> p> > p> > > > Unfortunately the answers I have seen to this question in past seem to
> p> > p> > > > ignore the fact that the user may want to use different websites. I
> p> > p> > > > don't want just a couple of addresses to be accelerated by squid and
> p> > p> > > > sent through ssl. What I am looking for is not a normal reverse proxy,
> p> > p> > > > glorified with ssl. Unfortunately there is no example of such a setup in
> p> > p> > > > wiki though I know a lot of people would want this set up for securing
> p> > p> > > > data in their unsecure local network. The explanations on the web about
> p> > p> > > > how to set this up come short of explaining a lot of things about an
> p> > p> > > > already complex matter.
> p> > p> > > > Is Squid able to help me with this?
> p> > p> > > > By the way... ssh tunnelling is not an option for me.
> p> > p> > > >
> p> > p> > > > Regards
> p> > p> > > > purgat
> p> > p> > As far as I know, this is impossible with squid
> p> > p> > but there is a mod_ for apache that does that, just look for it
> p> > p> >
> p> > p> > LD
> p> > p>
> p> > p> Thanks for the info. I'll check that mod.
> p> > p> Anyone else can confirm this?
> p> >
> p> > I don't know what apache's particular module this is about.
> p> > I can confirm I use the fcgiproxy, the fastcgi'zed CGIProxy, in what I named
> p> > the transparent mode. The diagram is as follows:
> p> >
> p> > http://gitweb.vereshagin.org/fcgiproxy/blob_plain/HEAD:/doc/fcgiproxy-06.png
> p> >
> p> > This means that having ssl enabled on a hosting you can use any of your url,
> p> > say, scheme://host.tld/path?params into this:
> p> >
> p> > https://your.ssl.host/yourpath/scheme/host.tld/path?params
> p> >
> p> > Furthermore, I convert any of the URLs I ask in my browser into this url by
> p> > means of somewhat complicated stuff which involves ( optionally privoxy ) squid
> p> > with URL rewrite, 3proxy is only used for its fake_resolve feature, and nginx
> p> > with URL rewrite, again. URL is being rewritten only once: in a squid for http
> p> > urls and inside the nginx for https urls.
> p> > I use it because I hate any of my ISPs to know what I use to google out about
> p> > and what pictures I see. As a fact, I have much more multiple choice about SSL
> p> > hosting with a Perl.
> p> > The main disadvantage of such an approach is that I can't verify certificate of
> p> > a site to be visited ( by means of a perl on a hosting, it's a code yet to be
> p> > written as well as certificates manager, including exceptions, saved x.509
> p> > certificates and many more stuff like basic auth and content filters ) AND the
> p> > certificate of the fcgiproxy's web server as well ( nginx is not able yet to
> p> > check the https uplinks' certificates by CAs or any other way, Russian
> p> > explanation is: http://forum.nginx.org/read.php?21,83157,85692#msg-85692 ).
> p> > I think such a stuff can be useful not only for a personal use to satisfy a
> p> > suspicion, but for a corporate environment, too. At the least you can use the
> p> > web-served fcgiproxy part on a corporate proxy side and the client side,
> p> > currently implemented by means of squid, 3proxy and an nginx proxy, to avoid
> p> > information leaks and viruses and spyware including the contents of the bypassing
> p> > https, too.
> p> > Commercially I see the service as an anonymizer with commercials on a sidebar.
> p> > Client side setup is still a complication yet, but it can be implemented as a
> p> > system-tray application or standalone system service since its only intention
> p> > is to rewrite the URL as it is mentioned above. I have no idea if such a thing
> p> > can be made as a browser plugin but it's obvious to try with a javascript in
> p> > hand.
> p> > Also, things like that may happen to be possible without anything other than
> p> > just squid, but not with versions older than 2+years from now.
> p> >
>
> Why do you try with application IP layer anyway?
> I think that encrypted Layer3 solution, something like openvpn with ssl and a
> NAT ( and/or Squid ) should suit your needs and is pretty simple.
> The appropriate VPS plans I know for this use to cost about $2/month. I'm not
> sure but there are cloud providers who supply even hourly-rated virtual
> machines ( $0.0X/hour ). And, it's nothing supernatural to ask whoever to set
> up such a thing for one-time fee.
>
> 73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)
> --
> http://vereshagin.org

Thanks Peter
The suggestion is right. It does suit my needs. I encountered difficulty
setting it up though. Maybe when I am more experienced I will seek your
guidance to try this solution too. For the time being I found something
else.
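The URL mapping Peter quotes above (scheme://host.tld/path?params wrapped into https://your.ssl.host/yourpath/scheme/host.tld/path?params, done once in squid for http URLs) can be expressed as a small squid url_rewrite_program helper. This is an added example, not code from the thread or from fcgiproxy; the front-end host, the path prefix, and the classic line-oriented helper protocol (one request per line, reply is the new URL or an empty line for "no change") are assumptions. It does nothing about the certificate-verification gap Peter describes; the wrapping host still has to verify the upstream sites itself.

```python
import sys
from typing import Optional
from urllib.parse import urlsplit

# Placeholders for the SSL front-end named in the thread (assumed values).
SSL_HOST = "your.ssl.host"
PREFIX = "/yourpath"


def rewrite(url: str) -> Optional[str]:
    """Map scheme://host.tld/path?params to
    https://SSL_HOST/PREFIX/scheme/host.tld/path?params.
    Returns None when the URL must pass through unchanged."""
    parts = urlsplit(url)
    # CONNECT requests arrive as "host:port" (no scheme, no netloc): leave them.
    if not parts.scheme or not parts.netloc:
        return None
    # Already wrapped: rewriting again would loop through the front-end forever.
    if parts.netloc == SSL_HOST:
        return None
    path = parts.path or "/"
    new = f"https://{SSL_HOST}{PREFIX}/{parts.scheme}/{parts.netloc}{path}"
    if parts.query:
        new += "?" + parts.query
    return new


def handle_line(line: str) -> str:
    """One request in the assumed classic helper format:
    'URL client_ip/fqdn ident method [kv-pairs]'.
    Reply is the rewritten URL, or '' meaning 'no change'."""
    fields = line.split()
    if not fields:
        return ""
    new = rewrite(fields[0])
    return new if new is not None else ""


if __name__ == "__main__":
    # Squid keeps the helper running and feeds one request per line on stdin.
    for raw in sys.stdin:
        sys.stdout.write(handle_line(raw) + "\n")
        sys.stdout.flush()
```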
Received on Wed Dec 15 2010 - 13:15:12 MST