Re: [squid-users] HTTPS interception and proxy to origin server clear traffic / FTP Proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 16 Jul 2012 20:16:14 +1200

On 16/07/2012 7:54 p.m., Abdessamad BARAKAT wrote:
> Hi Amos,
>
> 2012/7/14 Amos Jeffries:
>> On 14/07/2012 3:22 a.m., Abdessamad BARAKAT wrote:
>>> Hi,
>>>
>>> 1) HTTPS Interception
>>>
>>> I try to setup https transparent configuration with squid 3.1.20
>>>
>>> The traffic was correctly forwarded to the proxy port 3129 via WCCP
>>> (Cisco ASA GW) , but the proxy doesn't use ssl connection to join the
>>> final server but a clear http connection with port 80
>>>
>>> The flow client --> squid proxy use correctly ssl with the squid's
>>> certificate
>>>
>>> Any idea why the squid don't use a https connection to join the final
>>> server ?
>>
>> Squid-3.1 is not designed for HTTPS interception. You require features only
>> available in the 3.2 series.
>>
>>
> But I can understand why squid can intercept the https connection from
> the client, and after that doesn't make a https session but a http
> session to the final server
>
>>> 2) FTP Interception
>>>
>>> If I understand correctly, squid can handle FTP transparent use with
>>> browser's use (FTP native client not supported)
>>
>> There is nothing transparent about that. The browser tells Squid what URL to
>> fetch from FTP parts of the Internet. Squid produces an HTTP object for the
>> browser.
>>
>>
>>> I have configured only WCCP stuff, nothing about FTP on squid and I
>>> can see the 3-way handshake was established correctly between the
>>> client and the proxy, but after that nothing...
>>
>> What proxy? Not Squid, because Squid would be sending HTTP error codes, not
>> FTP handshake codes.
> Yes with squid, but I use a http browser (with a url like
> ftp://ftp.toto.com), the tcp connection was established but after
> that, nothing

This means little. The browser could be passing an HTTP request for ftp://
to Squid or it could be passing FTP traffic to ftp.toto.com.

Squid *cannot* intercept the FTP traffic port(s).

>
> Squid can't handle ftp connections with a web browser ? I know he
> can't handle native ftp client

When the browser is using FTP protocol there is no difference between it
and a native FTP client.

When it is sending ftp:// URL to an HTTP proxy it uses HTTP protocol.

Amos
Received on Mon Jul 16 2012 - 08:16:32 MDT
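
Added example, not part of the original thread or of Squid: a small Python check that tells apart the cases discussed above from the first bytes a client sends on a captured connection (HTTP request carrying an ftp:// URL, native FTP command, TLS handshake, or nothing at all). The function name, labels and sample payloads are constructed for illustration.

```python
import re

# Request line of an HTTP/1.x request: METHOD SP target SP HTTP/x.y
HTTP_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?\n")
# A few RFC 959 / RFC 2228 verbs a native FTP client sends early in a session.
FTP_VERBS = {b"USER", b"PASS", b"AUTH", b"FEAT", b"SYST", b"QUIT"}


def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server bytes seen on a TCP connection."""
    if not payload:
        # FTP clients wait for the server's 220 greeting before sending
        # anything, so a handshake followed by silence is consistent with FTP.
        return "silent"
    # TLS record: content type 0x16 (handshake), protocol major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls-handshake"
    match = HTTP_REQUEST_LINE.match(payload)
    if match:
        method, target = match.group(1), match.group(2)
        if target.lower().startswith(b"ftp://"):
            # The browser is speaking HTTP to a proxy and asking it to fetch
            # an FTP resource; the proxy answers with an HTTP response.
            return "http-request-for-ftp-url"
        if method == b"CONNECT":
            return "http-connect"
        return "http-request"
    verb = payload.split(b"\n", 1)[0].strip().split(b" ", 1)[0].upper()
    if verb in FTP_VERBS:
        # Same bytes on the wire whether a browser or an FTP client sent them.
        return "native-ftp"
    return "unknown"


# Constructed sample payloads (not taken from a real capture).
SAMPLES = {
    "browser via proxy": b"GET ftp://ftp.toto.com/ HTTP/1.1\r\nHost: ftp.toto.com\r\n\r\n",
    "browser or client speaking FTP": b"USER anonymous\r\n",
    "https client": bytes([0x16, 0x03, 0x01, 0x00, 0x2E, 0x01]),
    "plain web request": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "nothing after handshake": b"",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:32s} -> {classify_first_payload(data)}")
```

Feed it the first client payload of a TCP stream exported from a packet capture taken on the proxy host.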
