Re: [squid-users] Tunneling https (with proxy chaining)

From: Leonardo <leonardodiserpierodavinci_at_gmail.com>
Date: Thu, 3 Mar 2011 14:57:48 +0100

On Wed, Mar 2, 2011 at 11:02 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On Wed, 2 Mar 2011 17:50:20 +0100, Leonardo wrote:
>>
>> Hi all,
>>
>> I have successfully set up a bridge on my Debian 5.0.5 with Squid
>> 3.1.7 to tunnel http traffic.
>
> ? these two concepts do not overlap.
>
> Do you have a bridge server with intercepting proxy on it?
>  OR a regular forward proxy doing tunneling?

Sorry, forgot to specify. It's a transparent (=intercepting) proxy on
a bridge server, built as described in
http://freshmeat.net/articles/configuring-a-transparent-proxywebcache-in-a-bridge-using-squid-and-ebtables
. (The article refers to an older version of Squid; I adapted
squid.conf for my newer version.)

>
>>  Through proxy chaining, my Squid
>> connects to another non-Squid proxy.
>> Would it be possible to do the same with https, or are there security
>> issues related to Squid acting as a MITM?
>
> With HTTP tunneling this is not a problem. Set "nonhierarchical_direct off"
> in squid.conf. The tunnel will be diverted through the peer same as it goes
> through the local Squid.
>
> With bridging+intercept this is not possible.
>
> MITM would be a bridge+intercept. So no, not possible with HTTPS.
>
> We are slowly building squid towards an architecture where non-HTTP traffic
> is not broken in intercept mode. But this is going to take a lot more work
> and time to achieve.
>
> Amos

That's too bad, but thanks a lot anyway for your answer. I look
forward to this new, coming-not-so-soon feature.

L.
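For readers who arrive at this thread with the forward-proxy case (not the bridge+intercept case discussed above), here is an added squid.conf fragment illustrating the peer-chaining setup the reply refers to. It is not from the original thread or the Squid project; the peer hostname, port and client network are placeholders.

```conf
# Added example (not from the original thread): forward proxy that hands
# CONNECT tunnels (HTTPS) to an upstream parent proxy.
# "upstream-proxy.example.net" and 192.0.2.0/24 are placeholder values.

http_port 3128                       # plain forward proxy, no intercept

acl localnet src 192.0.2.0/24        # clients allowed to use this proxy
acl SSL_ports port 443
acl CONNECT method CONNECT

# Only let CONNECT reach the usual TLS port; Squid never decrypts the
# tunnel, it just relays bytes, so there is no MITM here.
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# The upstream (non-Squid) proxy. "default" makes it the last-resort parent,
# "no-query" disables ICP, which a non-Squid peer will not speak.
cache_peer upstream-proxy.example.net parent 8080 0 no-query default

# CONNECT is a "non-hierarchical" request. With the default of "on"
# Squid would open the tunnel itself; "off" routes it via the parent.
nonhierarchical_direct off

# Optional: force everything through the parent, never go direct.
never_direct allow all
```

With `nonhierarchical_direct off` and `never_direct allow all`, a client `CONNECT host:443` arriving at this Squid is forwarded as a CONNECT to the parent, which opens the TCP connection to the origin; the encrypted stream is relayed end to end without either proxy seeing plaintext. As the reply notes, this only works when clients address the proxy explicitly; in bridge+intercept mode there is no CONNECT request to forward.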
Received on Thu Mar 03 2011 - 13:58:11 MST