Re: [squid-users] WCCP transparent proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 12 Oct 2011 18:35:40 +1300

On 12/10/11 17:33, nipun_mlist Assam wrote:
> This may be relevant to this question.
> While trying to use squid for transparent proxy (tproxy) on linux
> (kernel 2.6.39 with centos 6.0), I noticed the following
>
> 1. Client IP spoofing doesn't work (but for our work, this requirement
> was a must).

In what way?

> 2. Squid with tproxy doesn't work with HTTPS traffic.

In what way?

HTTP:
   http_port 1 tproxy ...

HTTPS:
   https_port 2 tproxy ...

>
> I made fixes for both the issues and then above problems were solved.
> I made an assumption that traffic with destination port 443 will
> always be used for HTTPS, and that I used as an indication to switch
> to SSL on squid side. Squid will transparently listen on two ports,
> one of these ports will be used for port 80 traffic and the other for
> port 443 traffic.

You cannot make this assumption. The system administrator has configured
the port (http_port vs https_port) to match the traffic arriving. Both
in Squid and in the firewall. Replacing this manual configuration
automatically with a possibly wrong assumption is not a good thing to do.

Also, Squid does not correctly handle the SSL when it arrives via
interception, due to not having the SSL security keys which are
installed on the destination web server the client was contacting.
Do not confuse this with a TPROXY failure.

>
> I made the changes in squid 3.2.0.10 code base. I am wondering if
> those fixes are already available somewhere.
>
> Regards,
> Nipun
>

Please first re-check your solution to #2 in light of the https_port
directive and comments above.

Please check that the changes will still apply easily on the latest 3.2
series or 3.HEAD series code.

Then please submit to squid-dev mailing list for review. The submission
guidelines can be found at:
  http://wiki.squid-cache.org/MergeProcedure

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.12
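An added example (not from this post or the Squid project) of the two-port layout Amos describes, http_port and https_port each with tproxy, plus the Linux firewall rules that have to match those ports; the port numbers 3129/3130 and the certificate paths are constructed placeholders:

```conf
# squid.conf fragment (added example, not from the list post).
# Ports 3129/3130 are constructed values; the original reply writes them
# as "1" and "2". The cert/key paths are placeholders.

# Port-80 traffic: plain HTTP, intercepted with TPROXY (client IP preserved).
http_port 3129 tproxy

# Port-443 traffic: TLS, intercepted with TPROXY. The port type (https_port),
# not the destination port number, tells Squid to expect TLS here.
# Squid cannot present the origin server's certificate, so clients will
# see a certificate mismatch unless they trust the proxy's own cert.
https_port 3130 tproxy cert=/etc/squid/proxy-cert.pem key=/etc/squid/proxy-key.pem

# Matching Linux firewall rules (same host, run as root; mirror the port
# numbers above). Standard TPROXY setup: route marked packets to lo,
# re-mark packets that already belong to a local socket, and divert new
# port-80 and port-443 flows to the two Squid ports.
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#   iptables -t mangle -N DIVERT
#   iptables -t mangle -A DIVERT -j MARK --set-mark 1
#   iptables -t mangle -A DIVERT -j ACCEPT
#   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#   iptables -t mangle -A PREROUTING -p tcp --dport 80  -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
#   iptables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3130
```

Changing either port number in squid.conf without changing the matching --on-port rule is the usual way this setup silently stops working.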
Received on Wed Oct 12 2011 - 05:35:48 MDT